We recognise that we have already said a lot about ransomware, so this section is a very brief overview with signposts to new developments, where appropriate.
Malware (malicious software) is any software that is used with malicious intent to harm systems. It is deliberately damaging to computer systems. Although the motives can be varied, many criminals are looking to disrupt operations and benefit financially. Malware attacks are rising year-on-year.
Ransomware is the most common malware, and often the most harmful. Typically, ransomware involves criminals encrypting an organisation’s files to make them inaccessible. They then demand money in exchange for providing access to the information. More recently, ransomware is being used to describe different types of cyber extortion, including information theft.
Ransomware is still a persistent and significant online threat to the UK economy and people. If you become a victim of ransomware, you should assume the information has been exfiltrated (extracted).
Jointly with the NCSC, we have developed our position about ransom payments. Specifically, that paying a ransom to unlock your information does not reduce the risk to people and it does not safeguard the information. Attackers are known to publish information on the dark web. Some criminals have exfiltrated (extracted) information before encrypting targeted networks, subsequently threatening to leak the information unless a ransom is paid (known as double extortion ransomware). Leaked information is vulnerable to criminal misuse and leads to financial losses. But more importantly, it increases the risk to people who need extra support to protect themselves.
Most ransomware incidents are usually the result of poor cyber hygiene rather than sophisticated attack techniques. Ransomware attacks are frequently enabled by phishing emails or by exploiting remote services, for example remote desktop protocol (RDP) which is often used by administrators to remotely connect to servers on their organisation's network. If these remote services are not secured appropriately, they can provide an easily exploitable access point into a corporate network.
In some cases, attackers will join forums which steal and sell remote access credentials to the highest bidder. These are often referred to as access brokers. They could also sell valid session cookies and other credentials that could be exploited to gain access to an organisation’s internal systems.
Example: Malware leads to loss of access controls and a fine
Facts
An attacker had compromised a retailer's infrastructure and gained control of multiple domain administrator accounts.
Malware installed by the attacker was running on 5,390 Point of Sale (POS) terminals in stores which take in-store payment. Therefore, the attacker was able to collect payment card details for any transactions that used the POS terminals during that period.
What could have been done differently?
- Use network segregation - sufficient internal network segmentation could have contained the compromise to a particular section of the network.
- Put effective local firewalls in place.
- Implement more timely patch management.
- Undertake adequate vulnerability scanning.
- Apply allowlisting consistently and appropriately.
- Implement an effective system of logging and monitoring.
- Update software promptly.
- Implement point-to-point encryption.
- Secure the domain administrator account with appropriate controls.
- Implement standard builds for all system components based on industry standard hardening guidance.
What might help to reduce the risk of malware?
In practice, there are several key security principles you should consider:
- Follow good cyber hygiene; refer to NCSC’s 10 steps to cyber security as a helpful guide.
- Use multi-factor authentication (MFA /2FA), protect user credentials and information used in credential verification, and utilise the principle of ‘least privilege’ for accounts. Be mindful of new attack techniques that seek to bypass MFA and deploy appropriate controls to mitigate those, in line with your risk assessment.
- Have appropriate, secure, and tested back-ups.
- Provide appropriate security training for staff.
- Actively manage and monitor systems to detect issues early.
- Test response and recovery plans.
- Sign up to the NCSC’s Early Warning service, where appropriate, and keep up-to-date with security issues.
Example: Unavailable systems due to ransomware lead to a fine
Facts
A legal firm determined that it had been subjected to a ransomware attack after parts of its IT system became unavailable and they discovered a ransomware note.
The attack encrypted civil and criminal legal case bundles stored on an archive server and the encryption of backups. This resulted in personal information being unavailable (via encryption) and a loss of confidentiality (via access to, and exfiltration of, the personal information).
The attack
The legal firm could not determine conclusively how the attacker was able to access the network. However, it did find evidence of a known system vulnerability that could have been used to either access the network or further exploit areas of the firm, once inside the network.
Once inside the network, the attacker installed various tools to enable them to create their own user account to execute the attack. The attacker then encrypted 972,191 individual files and 24,711 court bundles. The attacked then exfiltrated 60 of these bundles and published them on an underground market site (the "dark web").
What could have been done differently?
- Use multi-factor authentication (MFA) for the remote access solution.
- Implement more timely patch management.
- Use encryption for the archived documents.
Further reading
- 10 steps to cyber security - NCSC
- Ransomware guidance - ICO
- Joint ICO and NCSC letter re: ransom payments
- Ransomware, extortion, and the cyber crime ecosystem white paper - NCSC
- Multi-factor authentication - NCSC
- NCSC Annual Review 2022
- RUSI Ransomware: a perfect storm
- "What's happened to my data?" blog - NCSC