Ransomware made headlines throughout COVID-19 and continues to do so in the post-pandemic era, with ransomware variants growing both in number and sophistication. The implications of a security breach are profound, raising concerns about how effective mitigation measures are in an ever-changing landscape of cyber threats and attacks. Not only organizations but individuals too are at risk, as their valuable and sensitive data may be held to ransom.


Through this thought leadership, we seek to raise awareness of the typical process flow of ransomware attacks and of best practices to mitigate the risk of your valuable data being subjected to such attacks.

How does a ransomware attack work?

Ransomware attacks usually begin with a conventional phishing email that serves as the pathway for an infected file to reach the victim's machine. In typical cases, the infection is delivered by a downloadable file (such as a PDF, DOC or XLS). Once the victim's device runs the malicious code residing in such a file, the ransomware takes control of the device or the system.


Ransomware can also remain dormant on a device until the device becomes vulnerable or the user is lured into triggering it. Once the user acts on the malicious code, the ransomware runs its course and attacks files, folders or the entire device, depending on its configuration.


As a type of malware from the field of cryptovirology, ransomware threatens to publish or permanently block a victim's personal data unless a ransom is paid. Unlike simple ransomware that locks the system without damaging files, more sophisticated malware uses a technique called crypto-viral extortion: the victim's files are encrypted to the point of becoming inaccessible, and a ransom payment is demanded in exchange for decrypting them. Without the decryption key, it is difficult to recover the data from an effective crypto-viral extortion attack. Typically, ransoms are paid with Paysafecard, Bitcoin and other cryptocurrencies, making it difficult to trace and prosecute the perpetrators.


The chart below maps the typical process adopted by malicious attackers who use ransomware.

The bullets below summarize some best practices to mitigate the risks of ransomware.


  • Protection of master keys | Most attackers need specific privileges to succeed, and the same applies to ransomware. Consequently, your monitoring controls over the usage of all privileged credentials need to be effective. Adherence to the principle of least privilege is a sound element of an identity and access management strategy. We also recommend that privileges be assigned only on a need basis, after an ongoing and careful assessment of the utility of each assignment. Assign temporary privileges for specific events and/or for a limited duration (as required) and revoke them in a timely manner.


  • Authentication using a multi-factor framework | Using multiple methods of authentication to verify a user's identity is incredibly helpful in creating a tight barrier. At a minimum, all technical and business privileged users should use multi-factor authentication ('MFA'). The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target.


  • Repeat back-ups | Regular offline backups of your system's components should be taken within predetermined timeframes and kept disconnected from the internet (for example, on a standalone USB drive or hard disk). While several organizations update their offline copies every 3 to 4 months, the requirement of each organization will vary. The frequency of such backups should ideally be based on the nature of the data (e.g. weekly/daily backups for frequently changing data like financial records, employee records, personal health information, etc.) and the criticality of the data being backed up. Investing in immutable backup technology, which protects data from being altered or tampered with, is another measure that can be undertaken. Restoring data from backup sources and testing the recovery procedures for their effectiveness (including the completeness and accuracy of the data being restored) are additional best practices.


  • Internet browser updates | User browsers should be updated as soon as their security updates are available. You should avoid unnecessary browser extensions, as these may weaken the security of your system and can inflict damage. We also recommend implementing web browsing proxies, content filtering and email scanners to mitigate threats before they reach the user's browser. Additionally, to provide further layers of protection, we suggest deploying browser security solutions that can detect internal and external web threats. Pop-ups, for instance, are commonly used by threat actors to infect computers with malicious code. These may direct or coerce users into accessing unsafe web pages or downloading malware; consequently, developing, implementing and monitoring a set of effective guidelines and instructions for users becomes imperative.


  • Prepare your organization | You may consider running ransomware tabletop exercises regularly with the management and technical teams to build 'muscle memory' and to review the response plans. Undertaking a cyber risk assessment with training sessions and workshops for your teams will go a long way in raising awareness. Running cyber crisis awareness exercises for your senior leadership and board members may also prove useful for enhancing awareness of real attacks and for gaining an understanding of individual responsibilities during a ransomware attack.

While the foregoing do not constitute a comprehensive set of best practices to mitigate ransomware attacks, we have highlighted the more significant ones in this thought leadership. Every organization should assess the nature and criticality of its data and its susceptibility to cyber security risks, and determine its own set of mitigating measures.


Should you require any further information, please do not hesitate to write to us at contactus@mgcglobal.co.in. Our IT risk advisory experts are here to help you.


Best regards

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.98 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.98 billion) and has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has 261 member firms in 105 countries across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.