What are ransomware attacks and how can you stop them?

There are a number of defensive steps you can take to prevent ransomware infection spreading throughout your organisation.

Ransomware attacks have risen sharply in 2020

Three years ago, the NHS was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. 

It remains one of the most well-known examples of a ransomware attack, having afflicted over 200,000 computers across numerous organisations around the world.

WannaCry was delivered via emails which tricked the recipient into opening attachments and releasing malware onto their system in a technique known as phishing. 

Once a computer has been affected, the malware encrypts its files so that you can no longer access them. It then demands payment in bitcoin in order to regain access.

A report published by the UK Government estimates the WannaCry virus cost the NHS approximately £19m in lost output and £73m in IT costs.

Unfortunately, recent ransomware statistics show that such attacks have risen sharply in 2020.

This guidance helps private and public sector organisations deal with the effects of malware (which includes ransomware). It provides actions to help organisations prevent a malware infection, and also steps to take if you're already infected.

Following this guidance will reduce:

  • the likelihood of becoming infected

  • the spread of malware throughout your organisation

  • the impact of the infection

If you've already been infected with malware, please refer to the National Cyber Security Centre's list of urgent steps to take.

What is malware?

Malware (malicious software) is an umbrella term that describes any malicious program or code that is harmful to systems. It seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Like the human flu, it interferes with normal functioning.

It can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.

What is ransomware?

Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim in exchange for restoring access to the data. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred pounds to thousands, payable to cyber criminals in Bitcoin.

Some ransomware will also try to spread to other machines on the network, such as the WannaCry malware that impacted the NHS in May 2017.

Should I pay the ransom?

Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:

  • there is no guarantee that you will get access to your data or computer

  • your computer will still be infected

  • you will be paying criminal groups

  • you're more likely to be targeted in the future

Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration. The NCSC's guidance on Protecting bulk personal data and the Logging and protective monitoring guidance can help with this.

Using a defence in depth strategy

Since there's no way to completely protect your organisation against malware infection, you should adopt a 'defence-in-depth' approach. This means using layers of defence with several mitigations at each layer. You'll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation. You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause, and speed up your response.

These steps include:

Action 1: Make regular backups

Action 2: Prevent malware from being delivered and spreading to devices

Action 3: Prevent malware from running on devices

Action 4: Prepare for an incident

Detailed advice on how to implement these steps can be found on the NCSC website.




The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.