An Accounting Practice Had 200+ Client Files Encrypted During Tax Season

Accountants don't get the luxury of 'we'll deal with this next week.' Tax season has hard deadlines. Miss them and your clients face penalties — penalties your firm is contractually responsible for. 217 files, 3 clients with April 2nd deadlines, 94% recovered in 48 hours.

What They Called About

"We need everything back. Not eventually. By Monday afternoon. We can't call 200 clients and tell them their tax submissions are late because we got hacked."

This is a different kind of pressure than most ransomware cases. Most businesses lose time. This firm was risking other people's money.

The Attack

Phobos ransomware, deployed through a compromised remote desktop session.

The entry point: a senior accountant had been working from home. Her home computer was compromised by a different piece of malware — a credential stealer — three weeks earlier. The stolen credentials were used to access the office server via RDP.

The office server had been accessed remotely like this for two years. It worked fine. Nobody changed the password after the home computer incident.

Phobos is easily identifiable by its ransom note — an info.hta file that pops up a window with a countdown timer. The encrypted file names also include the attacker's email address and a unique ID (e.g., report.xlsx.id[1A2B3C4D]-[hacker@email.com].phobos).
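The naming scheme above is enough to build a first triage inventory of an affected server: which directories are hit, what the original file names were, which victim ID and contact address the sample carries, and where the ransom note sits. The following Python is an added example written for this page, not the firm's tooling; the regular expression is derived from the single file name shown above, the sample path listing is constructed, and the priority-ordering rule is an assumption about how a responder would sort the work.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Phobos-style encrypted name, as shown in the text:
#   <original name>.id[<victim id>]-[<attacker contact>].<extension>
# The regex is an assumption derived from that one example; Phobos builds use
# several extensions besides .phobos, so the extension is captured, not fixed.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]+)\]"
    r"-\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTE = "info.hta"   # note file name given in the text


def parse_encrypted_name(name):
    """Return the parts of a Phobos-style file name, or None if it is not one."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage(paths):
    """Inventory a listing of file paths from the affected server.

    Returns per-directory counts of encrypted files, the recovered original
    names per directory, the victim IDs and contact addresses seen, the
    directories holding a ransom note, and how many files were untouched.
    """
    per_dir = Counter()
    originals = defaultdict(list)
    victim_ids = Counter()
    contacts = Counter()
    note_dirs = set()
    untouched = 0
    for p in paths:
        path = PurePosixPath(p)
        if path.name.lower() == RANSOM_NOTE:
            note_dirs.add(str(path.parent))
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed is None:
            untouched += 1
            continue
        per_dir[str(path.parent)] += 1
        originals[str(path.parent)].append(parsed["original"])
        victim_ids[parsed["victim_id"]] += 1
        contacts[parsed["contact"]] += 1
    return {
        "per_dir": per_dir, "originals": dict(originals), "victim_ids": victim_ids,
        "contacts": contacts, "note_dirs": note_dirs, "untouched": untouched,
    }


def work_order(inventory, priority_dirs=()):
    """Order affected directories: named priority directories first (the
    deadline clients), then the rest by number of encrypted files, descending."""
    affected = set(inventory["per_dir"])
    first = [d for d in priority_dirs if d in affected]
    rest = sorted(affected - set(first), key=lambda d: (-inventory["per_dir"][d], d))
    return first + rest


# Constructed sample listing, not data from the incident.
SAMPLE_PATHS = [
    "/srv/clients/acme_llc/2023_return.xlsx.id[1A2B3C4D]-[hacker@email.com].phobos",
    "/srv/clients/acme_llc/w2_summary.pdf.id[1A2B3C4D]-[hacker@email.com].phobos",
    "/srv/clients/acme_llc/info.hta",
    "/srv/clients/beta_inc/ledger.xlsx.id[1A2B3C4D]-[hacker@email.com].phobos",
    "/srv/clients/beta_inc/notes.txt.id[1A2B3C4D]-[hacker@email.com].phobos",
    "/srv/clients/beta_inc/engagement.pdf.id[1A2B3C4D]-[hacker@email.com].phobos",
    "/srv/clients/gamma_co/README.txt",
]

if __name__ == "__main__":
    inv = triage(SAMPLE_PATHS)
    for d in work_order(inv, priority_dirs=["/srv/clients/acme_llc"]):
        note = "note present" if d in inv["note_dirs"] else ""
        print(d, inv["per_dir"][d], "encrypted", note)
```

Feeding it a real directory walk gives the "217 client directories mapped by priority" list in a few seconds, and a single victim ID across the whole tree is a quick check that one build, not several, did the damage.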

The Recovery

Friday 4 PM - 8 PM: Initial assessment. Identified Phobos — AES+RSA hybrid encryption with no known weaknesses in the algorithm itself. Free decryptors from NoMoreRansom didn't cover this build. Direct decryption without the key is not viable. We mapped the encryption footprint and identified a potential recovery path: Phobos encrypts files in sequential order. Files at the end of the queue may have recoverable fragments in slack space and unallocated clusters.

Friday 8 PM - Saturday 8 PM: Forensic recovery initiated. We deployed data carving tools to extract file fragments from slack space and unallocated disk areas, bypassing the encrypted file system entirely. 217 client directories mapped by priority — the three April 2nd deadlines first.

Saturday afternoon: First results — 87% of the critical client files recovered through forensic extraction. The remaining 13% were in various states of partial encryption — some file headers had been overwritten before the slack space copy was complete.

Sunday: Second wave recovery using deep file carving on memory-mapped disk images. Remaining files at 94% overall. The 6% unrecoverable files were primarily older archive directories that had been fully encrypted before slack space copies could be captured. Files that couldn't be fully recovered were cross-referenced with tax authority records — e-filing creates a submission record that can serve as evidence of the original filing even if the firm's copy is damaged.
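The recovery above rests on one idea: ignore the encrypted file system and look for the original files' bytes wherever they still lie on disk. The Python below is an added illustration of header/footer signature carving over a raw image, written for this page; it is not the carving tool the firm used, and the sample image is constructed. It also shows the two failure modes mentioned above: a file whose tail was never captured comes out as a partial carve, and a fragment whose header was already overwritten is invisible to header matching and can only be flagged by its orphaned footer.

```python
# Signature-based carving over a raw disk image (constructed sample below).
# Each entry: kind -> (header magic, footer magic).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # xlsx/docx are ZIP containers
}
EOCD_LEN = 22              # ZIP end-of-central-directory record, no comment
MAX_CARVE = 16 * 1024 * 1024


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Find each header magic and pair it with the next matching footer.

    A header with no footer within max_len is reported as a partial carve
    (complete=False) whose length runs to the scan limit; it needs manual
    review. A fragment whose header was overwritten is never found this way.
    """
    records = []
    for kind, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            limit = min(len(image), h + max_len)
            f = image.find(footer, h + len(header), limit)
            if f < 0:
                records.append({"kind": kind, "offset": h, "length": limit - h, "complete": False})
                start = h + len(header)
                continue
            end = min(f + (EOCD_LEN if kind == "zip" else len(footer)), len(image))
            records.append({"kind": kind, "offset": h, "length": end - h, "complete": True})
            start = end
    records.sort(key=lambda r: r["offset"])
    return records


def extract(image, record):
    """Return the bytes of one carved record."""
    return image[record["offset"]:record["offset"] + record["length"]]


def orphan_footers(image, records, signatures=SIGNATURES):
    """Footer magics outside every carved record: likely tails of files whose
    header was already overwritten, the case signature carving cannot recover."""
    covered = [(r["offset"], r["offset"] + r["length"]) for r in records]
    found = []
    for kind, (_, footer) in signatures.items():
        pos = image.find(footer)
        while pos >= 0:
            if not any(a <= pos < b for a, b in covered):
                found.append((kind, pos))
            pos = image.find(footer, pos + 1)
    return sorted(found, key=lambda t: t[1])


def summarize(records):
    complete = sum(1 for r in records if r["complete"])
    return {"complete": complete, "partial": len(records) - complete}


# Constructed image: zero filler, a headerless PDF tail, a complete PDF,
# a minimal ZIP, and a PDF whose tail was never written.
FILLER = b"\x00" * 64
ORPHAN_TAIL = b"\xa7\x1c\x59\xe3" * 8 + b"endobj\n%%EOF\n"
PDF_OK = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
ZIP_OK = b"PK\x03\x04" + b"\x14\x00" * 13 + b"PK\x05\x06" + b"\x00" * 18
PDF_CUT = b"%PDF-1.7\n<<partial>>" + bytes(range(256)) * 2
SAMPLE_IMAGE = (FILLER + ORPHAN_TAIL + FILLER + PDF_OK + FILLER
                + ZIP_OK + FILLER + PDF_CUT + FILLER)

if __name__ == "__main__":
    recs = carve(SAMPLE_IMAGE)
    for r in recs:
        print(r)
    print(summarize(recs), "orphan footers:", orphan_footers(SAMPLE_IMAGE, recs))
```

Real tools add validation (parsing the carved ZIP central directory, checking the PDF xref) so that a false header match is discarded rather than delivered to a client as a "recovered" file; the point here is only the search and the two edge cases.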

Monday 2 PM: All three April 2nd submissions confirmed as filed. The firm's e-filing access was restored with new credentials.

Monday 6 PM: 94% of all client files recovered. 6% remained partially damaged — primarily older archive files. Client communication plan executed.

The Numbers

Item                    Amount
Forensic recovery       USD 8,500
Emergency IT support    USD 1,400
Staff overtime          USD 1,000
Total                   ~USD 10,900

They were quoted USD 60,000 by another incident response firm before calling us. We don't know what that quote included — but the timeline they described suggested 5-7 business days minimum.

What They Fixed

The RDP problem: The compromised remote access was the entry point. They implemented:

  • MFA on all remote access
  • A dedicated VPN instead of direct RDP
  • Monitoring on failed login attempts
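"Monitoring on failed login attempts" is only useful if somebody defines what counts as abnormal. The Python below is an added example, not the firm's monitoring, showing three rules a small firm can run over exported RDP logon events: a burst of failures from one address, one address trying several accounts, and a successful logon from an address that just crossed the failure threshold. The line format is a constructed stand-in for exported Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP); the thresholds and window are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format standing in for exported Windows Security events:
#   <iso ts> EventID=<4624|4625> LogonType=<n> Account=<user> SourceIP=<ip>
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
EVENT = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_event(line):
    m = EVENT.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "eid": int(m["eid"]), "logon_type": int(m["lt"]),
        "account": m["acct"], "ip": m["ip"],
    }


def _prune(q, now, window):
    while q and now - q[0][0] > window:
        q.popleft()


def detect_rdp_abuse(lines, window=timedelta(minutes=10), max_failures=5, max_accounts=3):
    """Sliding-window alerts per source IP over RDP logon events.

    brute_force:            >= max_failures failed RDP logons in the window
    password_spray:         >= max_accounts distinct accounts failed in the window
    success_after_failures: a successful RDP logon from an IP that has just
                            hit the brute-force threshold (the one to page on)
    Each alert kind fires once per IP. Returns (kind, ip, iso timestamp) tuples.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, account) for failures
    alerts, fired = [], set()

    def fire(kind, ip, ts):
        if (kind, ip) not in fired:
            fired.add((kind, ip))
            alerts.append((kind, ip, ts.isoformat()))

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue
        q = recent[ev["ip"]]
        _prune(q, ev["ts"], window)
        if ev["eid"] == 4624:
            if len(q) >= max_failures:
                fire("success_after_failures", ev["ip"], ev["ts"])
            continue
        if ev["eid"] != 4625:
            continue
        q.append((ev["ts"], ev["account"]))
        if len(q) >= max_failures:
            fire("brute_force", ev["ip"], ev["ts"])
        if len({acct for _, acct in q}) >= max_accounts:
            fire("password_spray", ev["ip"], ev["ts"])
    return alerts


# Constructed sample log; addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
2024-03-29T02:00:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:00:30Z EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:01:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:01:30Z EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:02:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:02:30Z EventID=4624 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2024-03-29T02:10:00Z EventID=4625 LogonType=2 Account=mlee SourceIP=127.0.0.1
2024-03-29T03:00:00Z EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2024-03-29T03:00:10Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.7
2024-03-29T03:00:20Z EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.7
"""

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Note what this would not have caught in the case above: a logon with stolen, valid credentials produces no failures at all. That is why the MFA and VPN items come first on the list, and why a "first RDP logon from a new address for this account" rule is a sensible fourth addition.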

The credential problem: The home computer that was compromised had no antivirus. It was a personal laptop used for both family and work. They now have a policy separating personal and work device use, and they equipped the work laptop with endpoint protection.

The backup problem: Their backup had been "working" — but it was a local backup connected to the same network as the server. When the ransomware encrypted the server, it encrypted the backup too. They now use an off-site backup with 30-day retention that cannot be overwritten from inside the network.

The Honest Part

We told them after the incident: you were lucky in one specific way.

The encryption completed before discovery. In most Phobos cases, if you catch it within the first 30-60 minutes — while it's still actively encrypting — and you disconnect the machine, you recover significantly more files.

Their accountant didn't notice for several hours. If she'd been at her desk when it happened, she might have caught it.

They now have monitoring on their server that alerts them within 5 minutes of any unusual file activity. It costs about USD 90 per month. They consider it the best money they spend.
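The file-activity alert described above comes down to two signals: a burst of files being renamed to a new extension on one host, and a ransom note appearing. The Python below is an added example of that logic, not the product the firm bought; the event line format is constructed, the 20-renames-in-60-seconds threshold is an assumption, and the note name is the info.hta mentioned earlier on this page. It uses the same Phobos-style name pattern as the earlier triage example only as sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Constructed event format: "<iso ts> <host> <CREATE|RENAME|WRITE> <path>[ -> <new path>]"
EVENT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<op>CREATE|RENAME|WRITE) (?P<path>.+?)(?: -> (?P<new>.+))?$"
)
RANSOM_NOTE_NAMES = {"info.hta"}   # Phobos note name from the text; extend per family


def parse_event(line):
    m = EVENT.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_file_activity(lines, window=timedelta(seconds=60), max_renames=20):
    """Two alerts per host, each fired at most once:

    mass_rename: >= max_renames renames that change the file extension inside
                 the window (bulk encryption renames files as it goes)
    ransom_note: a file with a known ransom-note name is created
    Returns (kind, host, iso timestamp) tuples in the order they fire.
    """
    recent = defaultdict(deque)   # host -> timestamps of extension-changing renames
    alerts, fired = [], set()

    def fire(kind, host, ts):
        if (kind, host) not in fired:
            fired.add((kind, host))
            alerts.append((kind, host, ts.isoformat()))

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, ts = ev["host"], ev["ts"]
        if ev["op"] == "CREATE" and PurePosixPath(ev["path"]).name.lower() in RANSOM_NOTE_NAMES:
            fire("ransom_note", host, ts)
        if ev["op"] == "RENAME" and ev["new"]:
            if PurePosixPath(ev["path"]).suffix == PurePosixPath(ev["new"]).suffix:
                continue   # ordinary rename, extension unchanged
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= max_renames:
                fire("mass_rename", host, ts)
    return alerts


# Constructed sample: 25 encryption-style renames in 25 seconds on the server,
# a ransom note, and ordinary activity from a workstation.
BASE = datetime(2024, 3, 29, 2, 31, 0, tzinfo=timezone.utc)


def _ts(seconds):
    return (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_EVENTS = [
    f"{_ts(i)} ACCT-SRV RENAME /clients/acme/file{i}.xlsx -> "
    f"/clients/acme/file{i}.xlsx.id[1A2B3C4D]-[hacker@email.com].phobos"
    for i in range(25)
]
SAMPLE_EVENTS += [
    f"{_ts(30)} ACCT-SRV CREATE /clients/acme/info.hta",
    f"{_ts(5)} WS-MLEE WRITE /clients/beta/ledger.xlsx",
    f"{_ts(40)} WS-MLEE RENAME /clients/beta/draft.docx -> /clients/beta/final.docx",
]
SAMPLE_EVENTS.sort()   # timestamp is the first field, so this orders by time

if __name__ == "__main__":
    for alert in detect_file_activity(SAMPLE_EVENTS):
        print(*alert)
```

On the sample the rename alert fires 19 seconds after the first encrypted file, well inside the 30-60 minute window in which disconnecting the machine still saves most of the data. The usual tuning problem is legitimate bulk operations (an archive job, a migration), which is why the rule keys on extension changes rather than on any rename.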

For more on how Phobos operates and recovery options, see our Phobos ransomware recovery guide.

If you're in accounting and you're worried about this:

We work with professional services firms across the region. We understand the regulatory environment, the timeline pressure, and the client trust stakes. Free assessment, no commitment.

In most emergency cases, we respond within 3 hours.