Case Studies

The 72-Hour Ransomware Recovery Most Tax Firms Don't Plan For

Hour by hour through a ransomware incident at a 350-client tax firm, what the response actually cost, and the three controls that would have prevented half of it.

May 19, 2026

This is a composite case based on actual incidents at small tax and accounting firms. Names and numbers are anonymized but the timeline, costs, and decisions are taken from real engagements. If you have not run a tabletop exercise on what your firm does in the first 72 hours after ransomware, this is the version you want to read.

The setup

A 4-person tax firm with 350 active clients. Microsoft 365 for email, Drake tax software, SmartVault as the client portal, and an on-premises file server. Cyber insurance with $1 million in coverage and a $10,000 deductible. A WISP existed but was 18 months old. MFA was enabled on email but not on the file server. Backups ran nightly to an external drive that stayed plugged into the server.

Hour 0: discovery

Tuesday, 7:42 AM. The firm owner arrives, opens her laptop, and finds every file on the network share renamed with a .locked extension. A README file on her desktop demands $80,000 in Bitcoin. The file server is encrypted. Two of three local workstations are also encrypted.

First decisions, made within five minutes: do not pay, do not click anything in the ransom note, and do not power the machines off (that destroys volatile forensic evidence). Isolate them instead by pulling the network cable or disabling Wi-Fi.

Hour 1 to 4: triage

The owner calls her IT person, then her cyber insurance broker. The broker activates the breach coach. By 11 AM, a forensic team is engaged. The broker notes that since this is a confirmed ransomware event with a ransom demand, the policy's clock has started: every hour from here on has to be documented for the claim.

Concurrent decisions in this window:

  • Email is checked for compromise. The Microsoft 365 audit log shows no abnormal sign-ins (the check should also cover inbox forwarding rules and consented OAuth apps, which do not appear as sign-ins). MFA on email is what kept this from becoming a much larger breach.
  • The on-premises backup drive is checked. It was connected when the ransomware ran, so the backups are encrypted too. This is the moment most firms discover their backup strategy was theoretical: a drive that is always mounted is just another share to encrypt.
  • Returns stored in the tax software's cloud are confirmed accessible. Drake keeps the returns in the cloud, so the in-progress returns survived.
  • The client portal is confirmed accessible. SmartVault is independent of the file server.

Hour 4 to 24: containment and decision

Forensics confirms the entry point: a phishing email opened by a staff member 11 days earlier. The attacker had been in the network for 11 days, mapping shares, before deploying the ransomware overnight so that encryption was complete by the time staff arrived on Tuesday morning.

The decision tree on paying plays out: forensics reports that the decryptor for this strain (a LockBit variant) works about 70 percent of the time even after payment. Insurance will cover the ransom under the policy if it is the only path to recovery, and any payment first has to be screened against OFAC sanctions lists, which the breach coach coordinates. Backups are gone. The owner approves the ransom payment.

Cost so far at hour 24: $12,000 forensic fee, $4,000 breach coach legal, $80,000 ransom (insurance covers most after deductible).

Hour 24 to 48: decryption and assessment

The decryption key is provided. Files start decrypting. The forensic team monitors for re-infection. The owner starts the legally required notification process. The 350 clients live in 4 states, each with its own notification deadline and required content.

More cost adds up:

  • Notification mailing and credit monitoring offer: $11 per affected client = $3,850
  • Legal review for state-specific language: $9,000
  • Forensic continuation through the 48-hour window: $14,000

Hour 48 to 72: business impact

The firm communicates with clients. Tax season is winding down, so the timing was lucky, but 18 returns still miss their original delivery date. The firm files extensions for each one. Three clients leave within the next 30 days. Six more leave at the next renewal.

Total client churn from a single 72-hour event: nine clients, around $14,000 in lost annual revenue. That number understates the full impact, because referrals from those clients stop too.

Final tally

  • Forensics: $26,000
  • Legal and breach coach: $13,000
  • Ransom: $80,000
  • Notification and monitoring: $3,850
  • Lost revenue first year: $14,000
  • Insurance reimbursement: covered most of the above, beyond the $10,000 deductible

Out-of-pocket for the firm: roughly $24,000 plus 6 weeks of disruption during tax season cleanup.

The three controls that would have prevented half of this

  1. MFA on every path into the file server (VPN, remote desktop, administrative logins), not just on email. The attacker used a credential stolen during email reconnaissance to log into the file server directly. MFA there blocks the attack 11 days before the encryption ran.
  2. Immutable backups, kept offline or in a separate cloud account whose credentials the file server does not hold, with restores tested on a schedule. The always-connected backup drive turned a two-day restore into a ransom payment.
  3. Endpoint detection and response, not just antivirus. EDR would have flagged the share enumeration and lateral movement during the 11 days the attacker was inside.

The combined cost of those three controls for a 4-person firm is about $250 per month. The cost of not having them was $24,000 plus 6 weeks of business disruption plus 9 clients gone.
