Geoff E, deputy head of consultancy and advice at the National Cyber Security Centre, writes about its updated guidance on mitigating malware and ransomware.
February feels like a long time ago now, which is when we published version 1.0 of the NCSC's guidance on mitigating malware and ransomware.
Over the following six months, we witnessed an unprecedented change in the way we live and work, with more of our lives moving online.
Consequently, the nature of cyber attacks (and the way in which they are conducted) has changed, with a growing threat from ransomware attacks.
Because of this we recently published version 2.0 of the guidance, which can be found here.
With each incident the NCSC manages, we continue to learn. We learn about how criminals compromise networks, how they deploy malware, and the mitigations that - if in place - would have prevented the attack.
Knowledge like this, which we acquire from the ‘cyber frontline’, is invaluable and informs the guidance we publish. This is why we've updated the mitigating malware and ransomware guidance: to ensure that it reflects the changing nature of the incidents we are dealing with.
The guidance still helps organisations manage the threat posed by malware and ransomware, but there are two things I wanted to re-emphasise:
Having up-to-date and tested offline backups - offline backups are the most effective way to recover from a ransomware attack.
Disabling or constraining scripting environments - disabling or constraining scripting environments makes it much harder for an attacker to deploy ransomware using batch or PowerShell scripts.
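As an added example (not from the NCSC post or its guidance), the following read-only PowerShell audit reports the state of the controls that constrain a scripting environment on a Windows host; it assumes an elevated session on the host being checked and that the AppLocker module is available.

```powershell
# Added example, not NCSC code. Read-only: reports posture, changes nothing.
# Assumes an elevated PowerShell session on the host being audited.

function Get-ScriptingEnvironmentPosture {
    $findings = @()

    # 1. Effective execution policy. A guard rail rather than a security boundary,
    #    but 'Unrestricted' or 'Bypass' shows no constraint has been attempted.
    $policy = Get-ExecutionPolicy
    $findings += [pscustomobject]@{
        Control = 'ExecutionPolicy (effective)'
        Value   = $policy
        Ok      = $policy -in @('AllSigned', 'RemoteSigned', 'Restricted')
    }

    # 2. Constrained Language Mode limits what scripts can do (no arbitrary .NET,
    #    COM or Add-Type); it is what application control (AppLocker/WDAC) enforces.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $findings += [pscustomobject]@{
        Control = 'LanguageMode (this session)'
        Value   = $mode
        Ok      = $mode -eq 'ConstrainedLanguage'
    }

    # 3. Script block logging: if a script does run, its content is written to the
    #    PowerShell operational log (event 4104) where detection can see it.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $findings += [pscustomobject]@{
        Control = 'ScriptBlockLogging'
        Value   = if ($null -eq $sbl) { 'not configured' } else { $sbl }
        Ok      = $sbl -eq 1
    }

    # 4. An effective AppLocker script rule collection is what actually blocks
    #    unsigned .ps1/.bat/.cmd files dropped outside approved locations.
    $scriptRules = $null
    try {
        $scriptRules = (Get-AppLockerPolicy -Effective).RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Script' }
    } catch { }
    $findings += [pscustomobject]@{
        Control = 'AppLocker script rules'
        Value   = if ($scriptRules) { "$($scriptRules.Count) rule(s)" } else { 'none' }
        Ok      = [bool]$scriptRules
    }

    return $findings
}

Get-ScriptingEnvironmentPosture | Format-Table -AutoSize
```

Any row with Ok = False is a control the guidance describes that is not yet in place on that host.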
It’s the same, but different
On the surface this guidance may feel the same, but quite a lot has changed. Specifically we have:
added a new section to help organisations prepare for an incident
updated the attackers’ modus operandi
provided additional detail regarding backups, preventing malware from being delivered, spreading to devices, and running on them
re-emphasised some of our key messages if your organisation has already been infected with malware
Whilst we recognise that not all organisations have crack teams of security architects at their disposal, we believe this guidance provides an achievable set of actions that most organisations will be able to implement. This is why we have also included additional and updated references to resources, which will help you prepare for and respond to malware attacks.
Malware attacks, in particular ransomware attacks, can be devastating for organisations because computer systems are no longer available to use, and in some cases data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover. However, we are confident that following this guidance will reduce the likelihood of becoming infected, the spread of malware throughout your organisation, and the impact of the infection.
Geoff E Deputy Head of Consultancy and Advice, NCSC