There are a number of defensive steps you can take to prevent ransomware infection spreading throughout your organisation.
Three years ago, the NHS was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland.
It remains one of the most well-known examples of a ransomware attack, having afflicted over 200,000 computers across numerous organisations around the world.
WannaCry was delivered via emails that tricked the recipient into opening attachments, releasing malware onto their system, a technique known as phishing.
Once a computer has been infected, the malware locks up its files by encrypting them so that you can no longer access them. It then demands payment in bitcoin to restore access.
A report published by the UK Government estimates the WannaCry virus cost the NHS approximately £19m in lost output and £73m in IT costs.
Unfortunately, recent ransomware statistics show that such attacks have risen sharply in 2020.
This guidance helps private and public sector organisations deal with the effects of malware (which includes ransomware). It provides actions to help organisations prevent a malware infection, and also steps to take if you're already infected.
Following this guidance will reduce:
the likelihood of becoming infected
the spread of malware throughout your organisation
the impact of the infection
If you've already been infected with malware, please refer to the National Cyber Security Centre's list of urgent steps to take.
What is malware?
Malware (malicious software) is an umbrella term that describes any malicious program or code that is harmful to systems. It seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Like the human flu, it interferes with normal functioning.
It can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.
What is ransomware?
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred pounds to thousands, payable to cyber criminals in Bitcoin.
Some ransomware will also try to spread to other machines on the network, such as the WannaCry malware that impacted the NHS in May 2017.
Should I pay the ransom?
Law enforcement does not encourage, endorse, or condone the payment of ransom demands. If you do pay the ransom:
there is no guarantee that you will get access to your data or computer
your computer will still be infected
you will be paying criminal groups
you're more likely to be targeted in the future
Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration. The NCSC's guidance on Protecting bulk personal data and the Logging and protective monitoring guidance can help with this.
Using a defence in depth strategy
Since there's no way to completely protect your organisation against malware infection, you should adopt a 'defence-in-depth' approach. This means using layers of defence with several mitigations at each layer. You'll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation. You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause, and speed up your response.
These steps include:
Action 1: Make regular backups
Action 2: Prevent malware from being delivered and spreading to devices
Action 3: Prevent malware from running on devices
Action 4: Prepare for an incident
Detailed advice on how to implement these steps can be found on the NCSC website.