Mitigating malware and ransomware attacks
Ransomware and malware are a growing threat to cyber security. They can affect any organization. Working with law enforcement, international partners, and the government, our priority is to minimize any damage to the UK. The NCSC assists ransomware victims to recover and has issued several advisories in recent years to combat this trend.
This guidance helps public and private sector organizations deal with the effects of malware (including ransomware). It sets out actions to help organizations prevent a malware infection, and steps to take if you are already infected.
This guidance will help you to reduce:
- The possibility of getting infected
- Spread of malware within your organization
- The impact of the infection
If you've already been infected with malware, please refer to our list of urgent steps to take.
- Smaller organizations should refer to the NCSC’s Small Business Guide.
- Larger organizations/enterprises should refer to the NCSC’s Device Security Guidance.
- For information about protecting your devices at home, please read our guidance especially written for individuals and families.
What is malware?
Malware is malicious software which, if it is able to run, can cause harm in many ways, including:
- causing a device to become locked or unusable
- stealing, deleting or encrypting data
- taking control of your devices to attack other organizations
- obtaining credentials that allow access to your organization's systems or services
- "mining" cryptocurrency
- using services that may cost you money (e.g. premium rate phone calls).
What is ransomware?
Ransomware is a type of malware that prevents you from accessing your computer or the data stored on it. The computer itself may become locked, or the data on it may be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network, such as the WannaCry malware that impacted the NHS in May 2017.
Usually you are asked to contact the attacker via an anonymous email address or to follow instructions on an anonymized web page to make a payment. The payment is usually demanded in a cryptocurrency such as Bitcoin, in order to unlock your computer or access your data. However, even if you pay the ransom, there is no guarantee that you will get access to your computer or your files. Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware. For these reasons, it is essential that you always have a recent offline backup of your most important files and data.
Do I have to pay the ransom?
Law enforcement does not encourage, endorse or condone the payment of ransom demands. If you do pay the ransom:
- there is no guarantee that you will get access to your data or computer
- your computer will still be infected
- you will be paying criminal groups
- you are more likely to be targeted in future
Attackers will also threaten to publish data if payment is not made. To counter this, organizations should take steps to minimize the impact of data exfiltration. The mitigations in this guidance, along with the NCSC's Logging and protective monitoring guidance, can help with this.
Adopt a defense-in-depth strategy
Since there is no way to completely protect your organization against malware infection, you should adopt a defense-in-depth approach. This means using layers of defense with several mitigations at each layer. You will have more opportunities to detect malware, and to stop it before it causes real harm to your organization. You should assume that some malware will infiltrate your organization, so you can take steps to limit the impact this would cause and speed up your response.
Action 1: Make regular backups
You should have up-to-date backups to recover from ransomware attacks.
- Make regular backups of your most important files. What counts as important will be different for every organization, so check that you know how to restore files from the backup, and regularly test that it works as expected.
- Ransomware is known to actively target backups to increase the likelihood of payment. Our blog on 'Offline backups in an online world' provides useful additional advice for organizations.
- Make multiple copies of files using different backup solutions and storage locations. Do not rely on having two copies on a single removable drive.
- Ensure that devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
- Ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible; cloud services often synchronize automatically immediately after your files have been replaced with encrypted copies.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time and replicated to backups before being discovered.
- Regularly patch the products used for backup, so attackers cannot exploit any known vulnerabilities they might contain.
Ransomware attackers may have destroyed copies of files or affected the recovery processes. Backup solutions and the accounts used to administer them should be protected with Privileged Access Workstations and hardware firewalls that enforce IP allow listing. Multi-factor authentication (MFA) should be enabled, and the MFA method should not be installed on the same device that is used for backup administration. Privileged Access Management (PAM) solutions remove the need for administrators to directly access high-value backup systems.
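The "scan backups before you restore" and "test that restoring works" points above can be made concrete. The following is an added example, not code from the NCSC guidance: it compares a backup set against the SHA-256 manifest recorded when the backup was taken, reports files that are missing, changed or unrecorded, and flags changed files whose content has the near-8 bits/byte entropy typical of ciphertext. The entropy threshold (7.5) and the sample files are assumptions constructed for the example; the entropy check is a heuristic that complements, rather than replaces, an anti-malware scan.

```python
import hashlib
import math
import random
from collections import Counter

# Heuristic threshold (an assumption of this example, not a figure from the
# guidance): Shannon entropy in bits/byte. Plain documents usually sit well
# below 6; compressed or encrypted data sits close to 8.
ENTROPY_THRESHOLD = 7.5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_backup(files: dict, manifest: dict) -> dict:
    """Compare a backup set against the hash manifest recorded when it was taken.

    files:    path -> bytes as found in the backup now
    manifest: path -> SHA-256 hex digest recorded at backup time
    Returns a report with four sorted lists:
      missing    paths recorded in the manifest but absent from the backup
      modified   paths whose content no longer matches the recorded hash
      suspect    modified paths whose content is high-entropy, consistent with
                 having been replaced by an encrypted copy
      unexpected paths present in the backup but never recorded (e.g. dropped notes)
    """
    missing = sorted(p for p in manifest if p not in files)
    unexpected = sorted(p for p in files if p not in manifest)
    modified, suspect = [], []
    for path, data in files.items():
        if path in manifest and sha256(data) != manifest[path]:
            modified.append(path)
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                suspect.append(path)
    return {"missing": missing, "modified": sorted(modified),
            "suspect": sorted(suspect), "unexpected": unexpected}


def safe_to_restore(report: dict) -> bool:
    """Only restore when every recorded file is present and unchanged."""
    return not any(report.values())


def build_sample():
    """Constructed sample data: three clean files, their manifest, and a backup
    set in which one file was overwritten with random bytes (standing in for
    ciphertext), one was deleted and an unrecorded file was added."""
    clean = {
        "finance/q3-report.txt": b"Quarterly figures: revenue up 4%, costs flat.\n" * 40,
        "hr/leave-policy.txt": b"Request leave via the portal two weeks ahead.\n" * 40,
        "ops/runbook.txt": b"Step 1: isolate. Step 2: preserve logs. Step 3: restore.\n" * 40,
    }
    manifest = {path: sha256(data) for path, data in clean.items()}
    rng = random.Random(20240101)  # seeded so the sample is reproducible
    backup = dict(clean)
    backup["finance/q3-report.txt"] = bytes(rng.randrange(256) for _ in range(4096))
    backup["finance/RESTORE_INSTRUCTIONS.txt"] = b"constructed placeholder note\n"
    del backup["ops/runbook.txt"]
    return clean, backup, manifest


if __name__ == "__main__":
    clean, backup, manifest = build_sample()
    report = check_backup(backup, manifest)
    for key, paths in report.items():
        print(f"{key:10s} {paths}")
    print("safe to restore:", safe_to_restore(report))
```

The manifest itself must be stored somewhere the attacker cannot reach (offline, or with the same versioning protection as the backup), otherwise it can be rewritten along with the files it describes.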
Action 2: Prevent malware from being delivered and spreading to devices
You can reduce the likelihood of malicious content reaching your devices through a combination of:
- filtering to only allow file types you would expect to receive
- blocking websites that are known to be malicious
- actively inspecting content
- using signatures to block known malicious code
These are typically done by network services rather than users' devices. Examples include:
- mail filtering (in combination with spam filtering), which can block malicious emails and remove executable attachments. The NCSC's Mail Check platform can also help eligible organizations with this. Check if your organization is eligible for Mail Check.
- intercepting proxies, which block known malicious websites
- internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
- safe browsing lists within your web browsers, which can prevent access to sites known to host malicious content
Eligible organizations are encouraged to subscribe to the NCSC Protective Domain Name Service (PDNS), which will prevent users from reaching known malicious sites. Check if your organization is eligible for PDNS.
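To show what "filtering to only allow file types you would expect to receive" and "removing executable attachments" look like as logic rather than a product setting, here is an added example that is not part of the NCSC guidance. It applies a small allow list of expected attachment types, checks each attachment's leading bytes against the signature its extension implies, and blocks anything that begins with an executable header whatever it is called. The allow list, signatures and sample attachments are assumptions constructed for the example; a production gateway would carry a far larger signature set and inspect deeper than the first bytes.

```python
# Allow list of attachment types this (hypothetical) organization expects to
# receive, and the leading "magic" bytes each type should start with.
ALLOWED_TYPES = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),   # Office Open XML files are zip archives
    "xlsx": (b"PK\x03\x04",),
}
# Signatures of content that should never arrive as an attachment regardless of
# the name it carries: Windows PE (MZ), ELF and scripts with a shebang line.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def extension_of(filename: str) -> str:
    """Final extension, lower-cased; '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def attachment_verdict(filename: str, data: bytes):
    """Decide whether to let an attachment through.

    Returns (allowed, reason). The name is consulted first (the cheapest
    test) and the content second, so a file whose extension lies about its
    contents is still caught.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext or '(none)'} is not on the allow list"
    if any(data.startswith(sig) for sig in EXECUTABLE_MAGIC):
        return False, "content is executable"
    expected = MAGIC.get(ext)
    if expected and not any(data.startswith(sig) for sig in expected):
        return False, f"content does not match .{ext}"
    return True, "ok"


def filter_attachments(attachments):
    """Apply the policy to a list of (filename, bytes); returns [(filename, allowed, reason)]."""
    return [(name, *attachment_verdict(name, data)) for name, data in attachments]


# Constructed sample message with five attachments (no real files involved).
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00constructed"),        # double extension
    ("invoice.pdf", b"MZ\x90\x00constructed"),            # executable renamed to .pdf
    ("photo.png", b"%PDF-1.4 not really an image"),       # type mismatch
    ("notes.txt", b"plain text is fine\n"),
]

if __name__ == "__main__":
    for name, allowed, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'ALLOW' if allowed else 'BLOCK':5s} {name:18s} {reason}")
```

Note that the policy is an allow list: anything not explicitly expected is rejected, which is what stops a new or unusual executable format from slipping through because nobody wrote a rule for it.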
Ransomware is increasingly being deployed by attackers who gain remote access via unpatched remote access devices or exposed services such as Remote Desktop Protocol (RDP). Organizations should prevent this by:
- enabling MFA at all remote access points into the network, and enforcing IP allow listing using hardware firewalls
- using a VPN that conforms to NCSC recommendations for remote access to services; software as a service or other services exposed to the internet should use Single Sign-On (SSO), where access policies can be defined more easily (see our blog post on protecting management interfaces)
- using the least privilege model for providing remote access: use low privilege accounts to authenticate, with an audited process that allows a user to escalate their privileges where necessary
- patching known vulnerabilities in all remote access and external-facing devices immediately (referring to our guidance on managing vulnerabilities in your organization if necessary), and following vendor remediation guidance, including installing new patches as soon as they become available
Prevent malware from spreading across your organization by following the NCSC guidance on preventing lateral movement. You should also:
- use MFA to authenticate users, so that if malware steals credentials they can't easily be reused
- ensure obsolete platforms (operating systems (OS) and apps) are properly segregated from the rest of the network – refer to the NCSC guidance on obsolete platforms for further details
- regularly review permissions and remove any that are not required, to limit the spread of malware
- ensure system administrators do not use their privileged accounts for email or web browsing (to stop malware running with their system privileges)
- practice good asset management, including keeping track of which versions of software are installed on your devices, so that you can target security updates quickly
- keep your devices and infrastructure patched, particularly security-enforcing devices at the network boundary (such as firewalls or VPN products)
Action 3: Stop malware running on devices
A defense-in-depth approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features. Organizations should:
- centrally manage devices so that only applications trusted by the enterprise can run, using technologies such as AppLocker or trusted app stores (or other trusted locations)
- consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date
- provide security education and awareness training to your people, for example NCSC's Top Tips for Staff
- enforce PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy – you can use AppLocker as an interface to UMCI to automatically apply Constrained Language mode
- protect your systems from malicious Microsoft Office macros
- disable autorun for mounted media (and prevent the use of removable media if it is not needed)
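One part of protecting systems from malicious Office macros is deciding at the gateway whether a document carries a macro project at all, without trusting its file name. The following is an added example, not code from the NCSC guidance: Office Open XML documents are zip packages, and the compiled VBA lives in a part called vbaProject.bin, so the check opens the package and looks for that part, blocking macro-enabled extensions outright and inspecting the remaining OOXML types. The minimal packages built by build_ooxml_sample are constructed stand-ins, not real documents, and legacy binary formats (.doc, .xls) are OLE containers that this check does not cover.

```python
import io
import zipfile

# Extensions Office itself uses to mark macro-enabled documents.
MACRO_ENABLED_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OOXML_EXTENSIONS = MACRO_ENABLED_EXTENSIONS | {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def contains_vba_project(data: bytes) -> bool:
    """True if an Office Open XML package carries a VBA macro project.

    OOXML documents are zip archives; the compiled macro code lives in a
    part named vbaProject.bin (under word/, xl/ or ppt/). Legacy binary
    formats (.doc, .xls) are OLE containers and need a different parser.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            return any(name.lower().endswith("vbaproject.bin") for name in package.namelist())
    except zipfile.BadZipFile:
        return False


def office_document_verdict(filename: str, data: bytes):
    """Policy decision for an inbound Office document: (allowed, reason).

    Blocks macro-enabled extensions outright and, for the remaining OOXML
    types, inspects the package contents rather than trusting the name.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_ENABLED_EXTENSIONS:
        return False, "macro-enabled document type"
    if ext in OOXML_EXTENSIONS and contains_vba_project(data):
        return False, "package contains a VBA project despite a non-macro extension"
    return True, "ok"


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Construct a minimal stand-in OOXML package (real documents carry many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("minutes.docx", build_ooxml_sample(with_macro=False)),
        ("minutes.docx", build_ooxml_sample(with_macro=True)),
        ("invoice.docm", build_ooxml_sample(with_macro=True)),
    ]
    for name, data in samples:
        allowed, reason = office_document_verdict(name, data)
        print(f"{'ALLOW' if allowed else 'BLOCK':5s} {name:14s} {reason}")
```

This is a gateway-side complement to the endpoint controls in the list: blocking macros from the internet via Office policy still matters for documents that arrive by other routes, and a content check like this one catches the case where the extension and the contents disagree.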
Additionally, attackers could force their code to execute by exploiting flaws in the device. This can be prevented by making sure that your devices are up-to-date and well-configured. We recommend the following:
- install security updates as soon as they become available, to fix exploitable bugs in your products
- enable automatic updates for OSs, applications and firmware if you can
- use the latest versions of OSs and applications to take advantage of the latest security features
- configure host-based and network firewalls to disallow inbound connections by default
The NCSC’s Device Security Guidance provides advice on how to achieve this across a variety of platforms.
Action 4: Prepare for an incident
Malware and ransomware attacks can cause serious harm to organizations. Computer systems may become unavailable and data may be inaccessible. Even when recovery is possible, it can take several weeks, and your brand and reputation may be damaged in the meantime. The following steps will help ensure that your organization can recover quickly.
- Identify your critical assets and determine the impact on them if they were affected by a malware attack.
- Plan for an attack, even if you think it is unlikely. Many organizations have been affected by malware even though they were not the intended targets.
- Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders at the right time.
- Determine how you will respond to a ransom demand and to the threat that your organization's data could be published.
- Ensure that incident management playbooks and supporting resources, such as checklists and contact details, are available if you do not have access to your computer systems.
- Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.
- Exercise your incident management plan. This helps clarify the roles and responsibilities of staff and third parties, and to prioritize system recovery. For example, if a ransomware attack spread and required the network to be shut down, consider:
  - how long it would take to restore devices from images and reconfigure them for use
  - how you would rebuild virtual environments and physical servers
  - what processes are required to restore files and servers from your backup solution
  - what processes should be followed if your onsite or cloud backup servers become unusable
  - how you would ensure that critical business services remain available
- After an incident, revise your incident management plan to include lessons learned, to ensure that the same thing cannot happen again.
The NCSC’s free Exercise in a Box online tool contains materials for setting up, planning, delivery, and post-exercise activity.
Steps to take if your organization is already infected
These steps can help to limit the damage if your organization has been infected by malware.
- Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
- In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches) and disconnecting from the internet might be necessary.
- Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe the infected devices and reinstall the OS.
- Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that both the backup and the device you are connecting it to are clean.
- Connect devices to a clean network in order to download, install and update the OS and all other software.
- Install, update and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify whether any infection remains.
The NCSC has jointly published an advisory: Technical Approaches to Uncovering and Remediating Malicious Activity, which provides more detailed information about remediation processes.
Note: Files encrypted by most ransomware typically have no way of being decrypted by anyone other than the attacker. However, the No More Ransom Project provides a collection of anti-malware tools and resources that can decrypt files encrypted by some ransomware.
- Cyber security incidents can be reported to the NCSC by visiting https://report.ncsc.gov.uk/. We also encourage reporting to the Action Fraud website.
- The NCSC runs a commercial scheme called Cyber Incident Response, where certified companies provide support to affected organizations.
- The Cyber Security Information Sharing Partnership (CiSP) offers organizations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. Members are encouraged to share technical information and indicators of compromise to reduce the impact of ransomware and other forms of malware.
- You may also wish to consider the Cyber Essentials certification scheme (which covers a number of these mitigations), so that your customers and partners can see that you have addressed these risks. These mitigations also help protect against other threats, such as phishing.
- Follow the NCSC guidance on protecting your organization from phishing attacks.