The impact of a ransomware attack on an organisation can be devastating. So what should board members be doing to ensure that their organisation is prepared for such a ransomware attack, and in the best possible place to respond quickly?
Ransomware is the subject of this NCSC spotlight topic for board members, building on the guidance given in the Cyber Security Toolkit for Boards.
This blog, part of the Cyber Security Toolkit for Boards, explains the basics of ransomware, and suggests relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against these types of attack.
Why should board members concern themselves with ransomware?
Ransomware attacks can be massively disruptive to organisations, with victims requiring a significant amount of recovery time to re-enable critical services. These events can also be high profile in nature, with wide public and media interest.
What do board members need to know about ransomware?
Board members don’t need to be able to distinguish their Trickbots and their Ryuks, but knowing the basics of how ransomware works will mean they can have constructive conversations with their technical experts on the subject.
So what do you need to know about ransomware?
Ransomware is a type of malware that prevents you from accessing your computer (or the data stored on it). Typically, the data is encrypted (so that you can’t use it), but it may also be stolen, or released online.
Most ransomware we see now is ‘enterprise-wide’. This means it’s not just one user or one machine that is affected but often the whole network. Once they’ve accessed your systems, attackers typically take some time moving around, working out where critical data is saved and how backups are made and stored. Armed with this knowledge the attacker can encrypt the entire network at the most critical moment.
The attacker will then usually make contact with the victim using an untraceable email address (or an anonymous web page), and demand payment to unlock your computer and/or access your data. Payment is invariably demanded in a cryptocurrency such as Bitcoin and may involve negotiation with the humans behind the ransomware (who have spent time in your organisation’s networks assessing how much you might be willing or able to pay).
However, even if you do pay the ransom, there is no guarantee that you will get access to your computer, or your files.
We have also seen cyber criminals threaten to release sensitive data stolen from the network during the attack if the ransom is not paid.
The government strongly advises against paying ransoms to criminals, including when targeted by ransomware. There are practical reasons for this (see question 4) and also concern that paying ransoms likely encourages cyber criminals to continue such attacks.
Five key questions for board members to ask about ransomware:
Q1. As an organisation and as board members, how would we know when an incident occurred?
There is often a significant period of time (known as ‘dwell time’) between an attacker gaining access to your systems and the ransomware itself being launched. Identifying unauthorised access to systems early can help stop an attack, so you need to consider:
Has the board explicitly conveyed the threshold for when it wants to be informed of an incident?
What monitoring is in place around those critical assets (like personal data) that would have an impact if compromised, lost or changed? Bear in mind that an attacker may have gained access through non-critical systems, so regular monitoring across assets is important.
Who examines the logs and are they sufficiently trained to identify anomalous activity?
What mechanisms are there in place for staff to report any suspicious activity?
Are the thresholds for alerts set to the right level (that is, are they low enough to give suitable warning of potential incidents, but also high enough so that the team dealing with them are not overloaded with irrelevant information) ?
How confident are you that you know all the IT assets that your organisation has, and what the state of those assets are? Many attacks can come in via equipment that organisations are unaware of.
Q2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?
Ransomware attacks cause damage and can spread rapidly within your systems. You therefore might like to ask:
How does the organisation authenticate and grant access to users or systems? Are these measures hard to bypass, and is access only afforded if necessary?
How would the organisation identify an attacker's presence on the network, (e.g. is monitoring in place)?
How is the network separated so that if an attacker gets access to one device, they will not have access to the full range of the technical estate?
Further details on these three points are provided in the NCSC guidance on preventing lateral movement.
Q3. As an organisation, do we have a incident management plan for cyber incidents and how do we ensure it is effective?
Organisations should think in terms of ‘when’ rather than ‘if’ they experience by a significant cyber incident. So it’s essential to plan your response carefully and to practice (or ‘exercise’) your response.
A basic incident management plan should include:
Identifying the key contacts (e.g. incident response team or provider, senior management, legal, PR, and HR contacts, insurance providers).
Clear escalation routes (for example to senior management) and defined processes for critical decisions.
Clear allocation of responsibility (specifically whether this is for normal working hours or 24/7).
At least one conference number which is available for urgent incident calls.
Guidance on regulatory requirements (such as when incidents need to be reported and when to engage legal support).
Contingency measures for critical functions.
A basic flowchart or process describing the full incident lifecycle, that can be accessed even if you do not have access to your computer systems. Likewise you should ensure that most relevant information (e.g. incident management playbooks and resources such as checklists and contact details) are available ‘offline’.
To assess the effectiveness of your plans you should also ask:
How do we practice for cyber incidents, how often, and how do we learn from these exercises? (For example, the NCSC’s Exercise in A Box is a free tool that offers discussion-based and simulation exercises, including ransomware scenarios).
Q4. Does our incident management plan meet the particular challenges of ransomware attacks?
There are particular features of ransomware attacks that more general incident management plans may not fully address. It is therefore important to discuss:
How might we respond to a ransom demand when attackers are threatening to publish sensitive data? Who would make this decision? (As noted above, the UK government strongly advises against paying ransoms. Furthermore, there is no guarantee that doing so will guarantee a successful outcome as it will not protect networks from future attacks or prevent the possibility of future data leaks).
Are we prepared for a recovery that could take several weeks (with damage to corporate reputation and brand likely to last longer)?
Q5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?
Ransomware frequently targets an organisation’s data backups, as this increases the likelihood of an organisation paying. So it is essential that the board seek assurance on how backups are being made, and how secure these are.
You might like to ask:
What data is deemed as ‘critical’ and how frequently is this backed up?
How frequently is non-critical data backed up?
How confident are you that you would be able to recover from these backups? How frequently is this checked?
How are backups stored? Are they offline and kept in a different location from your network and systems, or in a cloud service?
Does the backup policy follow the principles outlined in our blog 'Offline backups in an online world'?
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).