Ransomware is still one of the biggest threats to organisations today and is believed to cost UK companies £346 million per year.
This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.
One of the most widespread and well-known ransomware attacks of recent years was WannaCry. Allegedly developed by the North Korean Lazarus group and deployed in May 2017, it affected more than 200,000 computers in a few days. It spread rapidly and, according to the Department of Health and Social Care (DHSC) report, cost the NHS alone over £90 million.
What is a Ransomware attack?
Ransomware is malicious software (malware) designed to prevent users from accessing the files on their computer. Once the malware has infected a device it begins to encrypt files, rendering them inaccessible without the decryption key.
A ransom demand is made either by leaving a note that is readable on the machine or via email. The demand asks for payment in exchange for the key needed to decrypt the files. This can cause chaos for organisations and have a huge impact: financial and reputational damage, and the attack can also serve as cover for the exfiltration of data, causing further losses and possible fines.
How is Ransomware spread?
The most common method of distributing ransomware is email, tricking users into opening attachments or clicking on links that deploy malware. Other methods involve automated attacks that scan the internet for systems with weak protection; services such as Remote Desktop Protocol (RDP) are a popular target and are susceptible to brute-force password attacks. Once a foothold is gained, the attackers deploy ransomware.
Unlike other ransomware, WannaCry spreads on its own. Its worm functionality comes from the EternalBlue exploit, which takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol. Machines infected with WannaCry scan the internet for other machines running a vulnerable version of SMB. If one is found, the infected computer uses EternalBlue to send a copy of WannaCry to the target machine and run it there.
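As an added illustration (not code from the EMSOU article), the spreading behaviour described above leaves a recognisable trace in connection logs: a single host opening TCP/445 connections to many distinct peers within a short window. The log format, thresholds and sample traffic below are constructed assumptions for the example.

```python
# Added example, not part of the EMSOU article: flag hosts that fan out to many
# distinct peers on TCP/445 in a short window (the SMB scanning pattern above).
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
FANOUT_THRESHOLD = 20            # distinct TCP/445 destinations per window (assumed)
WINDOW = timedelta(minutes=1)    # sliding window length (assumed)

def parse_flow(line):
    """Parse a constructed flow line: '<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()

def find_smb_scanners(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak distinct TCP/445 destinations} for sources reaching the threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_flow(line)
        if proto == "tcp" and port == SMB_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()                       # order by timestamp
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window forward
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners

def build_sample_flows():
    """Constructed traffic: one host sweeping a subnet on 445, one ordinary file-share user, some web traffic."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(40):                     # sweep: 40 distinct peers on 445 in 40 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.1.15 10.0.1.{100 + i} 445 tcp")
    for i in range(30):                     # normal user: the same two file servers, repeatedly
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.1.30 10.0.1.{5 + i % 2} 445 tcp")
    for i in range(25):                     # web traffic to many hosts is not SMB, so it is ignored
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.1.40 203.0.113.{i} 80 tcp")
    return "\n".join(lines)

if __name__ == "__main__":
    for host, peers in find_smb_scanners(build_sample_flows()).items():
        print(f"ALERT: {host} reached {peers} distinct TCP/445 peers within {WINDOW}")
```

Only the sweeping host is reported; the file-share user keeps talking to the same two servers and never reaches the fan-out threshold.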
Protection: disrupt a potential attack by taking the following steps:
Employ an effective vulnerability management and patching procedure
Secure RDP services with multi-factor authentication (MFA)
Install, enable and update antivirus software
Implement prevention mechanisms for phishing attacks
Disable or constrain scripting environments and macros
Implement an effective backup procedure that is tested and kept offline
Have a documented incident response plan for ransomware and other cyber attacks
Ensure any unused network ports are disabled and inactive
Bind switch ports to MAC addresses so that an unauthorised device cannot use a port that is already in use
Ensure good physical security is in place for vital areas
Provide end user training
Use free vulnerability scanners
Have a strong policy on access controls and the allocation of privileges.
Carry out regular reviews to check that:
○ There are no defunct accounts
○ There are no default accounts
○ There is no privilege ‘creep’ when an employee changes job roles.
○ Network access is removed when an employee leaves.
Keep an inventory of all devices connected to your network
Set up alerts for new connections.
What to do if you are subject to a Ransomware attack
Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
Consider turning off Wi-Fi, and disconnecting from the internet.
Reset credentials, including passwords, but verify that you are not locking yourself out of systems that are needed for recovery.
Safely wipe the infected devices and reinstall the OS.
Before you restore from a backup, verify that it is free from malware. Only restore from a backup if both the backup and the device connecting to it are clean.
Connect devices to a clean network to download, install and update the OS and software.
Install, update, and run antivirus software.
Reconnect to the network.
Monitor network traffic and run antivirus scans to identify if any infection remains.
Report the incident to Action Fraud.
Further guidance can be found on the NCSC (National Cyber Security Centre) website.
Report all fraud and cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (which spells SPAM on the keypad).