
Ransomware: What you NEED to know

Ransomware is still one of the biggest threats to organisations today and is believed to cost UK companies £346 million per year.

This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.

One of the widest-reaching and most well-known ransomware attacks of recent years was WannaCry. Allegedly developed by the North Korean Lazarus group and deployed in May 2017, it affected more than 200,000 computers in a few days. It spread rapidly and, according to the Department of Health and Social Care (DHSC) report, cost the NHS alone over £90 million.

What is a Ransomware attack?

Ransomware is malicious software (malware) designed to prevent users from accessing the files on their computer. Once the malware has infected a device it begins to encrypt files, rendering them inaccessible without the decryption key.

A ransom demand is made either by leaving a note that is readable on the machine or via email. The demand asks for payment in exchange for the key needed to decrypt the files. This can cause chaos for organisations and have a huge impact: financial and reputational damage, as well as acting as cover for the exfiltration of data, causing further losses and possible fines.

How is Ransomware spread?

The most common method of distributing ransomware is through email, tricking users into opening attachments or clicking on links that deploy malware. Other methods involve automated attacks that scan the internet for systems with weak protection; services like Remote Desktop Protocol (RDP) are a popular target and susceptible to brute force password attacks. Once a foothold is gained the attackers will deploy ransomware.


Unlike other ransomware, WannaCry spreads on its own, its worm functionality coming from the EternalBlue exploit, which takes advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. Machines infected with WannaCry scan the Internet for other machines running a vulnerable version of SMB. If one is found, the infected computer uses EternalBlue to send and run a copy of WannaCry on the targeted computer.



Protection: Disrupt the potential attack by:

  • Employing an effective vulnerability management and patching procedure

  • Securing RDP services with Multi-Factor Authentication (MFA)

  • Installing, enabling and updating antivirus protection software

  • Implementing prevention mechanisms for phishing attacks

  • Disabling or constraining scripting environments and macros
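As an added example (not part of the original article), a small Python attachment triage routine for the email delivery route and the macro point above: it blocks executables, quarantines script files and macro-enabled Office documents, and inspects OOXML containers for a VBA project even when the extension hides it. The sample document builder is constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute directly when opened: block outright.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".dll"}
# Script hosts the article recommends disabling or constraining: quarantine.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}
# Office formats whose extension already signals embedded macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
# Office formats that are zip containers and can be inspected for a VBA part.
OFFICE_ZIP_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def office_has_macros(data: bytes) -> bool:
    """OOXML files are zip archives; a vbaProject.bin part means VBA is present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for an inbound email attachment."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXECUTABLE_EXTS:
        return "block"
    # Double extensions such as invoice.pdf.js are a classic lure: block those.
    if ext in SCRIPT_EXTS:
        return "block" if len(suffixes) > 1 else "quarantine"
    if ext in MACRO_EXTS:
        return "quarantine"
    if ext in OFFICE_ZIP_EXTS and office_has_macros(data):
        # A .docm renamed to .docx still carries its VBA project.
        return "quarantine"
    return "allow"


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```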


Damage Limitation:

  • Implement an effective backup procedure that is tested and kept offline

  • Have a documented incident response to ransomware and other cyber attacks

  • Ensure any unused network ports are disabled and inactive

  • Bind network ports to MAC addresses so that unauthorised devices cannot use ports that are already in use

  • Ensure good physical security is in place to vital areas

  • Provide end user training

  • Use free vulnerability scanners

  • Have a strong policy on access controls and the allocation of privileges.

  • Regular reviews to check:

      ○ There are no defunct accounts

      ○ There are no default accounts

      ○ There is no privilege ‘creep’ whenever an employee changes job roles.

      ○ Network access is removed when an employee leaves.

  • Keep an inventory of all devices connected to your network

  • Set up alerts for new connections.
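As an added example, not from the original article, a Python review routine that implements the account checklist above over a constructed account export: it flags enabled accounts of leavers, enabled default accounts, accounts with no recent logon, and group memberships beyond a per-role baseline. ROLE_BASELINE, the account names and the review date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DEFAULT_ACCOUNT_NAMES = {"administrator", "guest", "admin", "root"}
# Assumed baseline: the groups each job role is expected to hold.
ROLE_BASELINE = {
    "finance": {"Domain Users", "Finance-Share"},
    "helpdesk": {"Domain Users", "Helpdesk"},
    "engineer": {"Domain Users", "Dev-Share"},
}

@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: "date | None"  # None means the account has never logged on
    groups: "set[str]"
    role: str
    employed: bool  # False once HR records the person as having left

def review_accounts(accounts, today, stale_after_days=90):
    """Return {account_name: [finding, ...]} for enabled accounts needing action."""
    findings = {}
    cutoff = today - timedelta(days=stale_after_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to act on
        issues = []
        if not acct.employed:
            issues.append("leaver still has network access")
        if acct.name.lower() in DEFAULT_ACCOUNT_NAMES:
            issues.append("default account enabled")
        if acct.last_logon is None or acct.last_logon < cutoff:
            issues.append(f"defunct: no logon in {stale_after_days} days")
        extra = acct.groups - ROLE_BASELINE.get(acct.role, set())
        if extra:
            issues.append("privilege creep: " + ", ".join(sorted(extra)))
        if issues:
            findings[acct.name] = issues
    return findings

# Constructed sample export; bob moved from finance to helpdesk but kept Finance-Share.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2024, 3, 1), {"Domain Users", "Finance-Share"}, "finance", True),
    Account("bob", True, date(2024, 2, 20), {"Domain Users", "Helpdesk", "Finance-Share"}, "helpdesk", True),
    Account("carol", True, date(2023, 9, 1), {"Domain Users", "Dev-Share"}, "engineer", True),
    Account("dave", True, date(2024, 1, 5), {"Domain Users", "Dev-Share"}, "engineer", False),
    Account("Administrator", True, None, {"Domain Admins"}, "", True),
    Account("erin", False, None, {"Domain Users"}, "finance", True),
]
REVIEW_DATE = date(2024, 3, 4)
```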

What to do if you are subject to a Ransomware attack

  • Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.

  • Consider turning off Wi-Fi, and disconnecting from the internet.

  • Reset credentials including passwords - verify that you are not locking yourself out of systems that are needed for recovery.

  • Safely wipe the infected devices and reinstall the OS.

  • Before you restore from a backup, verify that it is free from any malware. Only restore from a backup if both the backup and the device connecting to it are clean.

  • Connect devices to a clean network to download, install and update the OS and software.

  • Install, update, and run antivirus software.

  • Reconnect to the network.

  • Monitor network traffic and run antivirus scans to identify if any infection remains.

  • Report to Action Fraud

Further guidance can be found here on the NCSC (National Cyber Security Centre) site.



Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.