Malware is malicious software, which – if able to run – can cause harm in many ways, including:
- causing a device to become locked or unusable
- stealing, deleting or encrypting data
- taking control of your devices to attack other organisations
- obtaining credentials which allow access to your organisation’s systems or services that you use
- ‘mining’ cryptocurrency
- using services that may cost you money (e.g. premium rate phone calls).
Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network, such as the WannaCry malware that impacted the NHS in May 2017. Ransomware is nothing new. The first recorded example was in the late 1980s, but in the last 3 years there’s been a real explosion in growth.
Usually you’re asked to contact the attacker via an anonymous email address or follow instructions on an anonymous web page, to make payment. The payment is invariably demanded in a cryptocurrency such as Bitcoin, in order to unlock your computer, or access your data. However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files.
Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware. For these reasons, it’s essential that you always have a recent offline backup of your most important files and data.
Should you pay the ransom?
Law enforcement do not encourage, endorse, or condone the payment of ransom demands. If you do pay the ransom:
- there is no guarantee that you will get access to your data or computer
- your computer will still be infected
- you will be paying criminal groups
- you’re more likely to be targeted in the future
Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration.
Using a defence-in-depth strategy
Since there’s no way to completely protect your organisation against malware infection, you should adopt a ‘defence-in-depth’ approach. This means using layers of defence with several mitigations at each layer. You’ll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation.
You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause, and speed up your response.
Actions to take
- Make regular backups
- Prevent malware from being delivered and spreading to devices
- Prevent malware from running on devices
- Prepare for an incident
If your organisation has already been infected with malware, these steps may help limit the impact:
- Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
- In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
- Reset credentials including passwords (especially for administrator and other system accounts) – but verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe the infected devices and reinstall the OS.
- Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you’re connecting it to are clean.
- Connect devices to a clean network in order to download, install and update the OS and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify if any infection remains.
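The step above about verifying a backup before restoring it is the one most often skipped in practice. The following is an added example, not code from the NCSC page: a hash manifest is recorded when the backup is taken and kept offline, separate from the data it describes; before a restore, every file is re-hashed and compared, and any file that changed or appeared is checked for the near-uniform byte distribution typical of encrypted content. The manifest format, the 7.5-bit entropy threshold, the directory layout and the sample files are all assumptions made for this example.

```python
"""Added example (not from the NCSC page): verify an offline backup against a
hash manifest before restoring, and flag files that look encrypted."""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

# Files whose whole content is (nearly) uniformly random score close to 8 bits
# per byte; plain text and most office documents sit well below this. The
# threshold is an assumption for this example: compressed or already-encrypted
# archives are legitimately high-entropy and would need an allow-list.
HIGH_ENTROPY_BITS = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for a constant file, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every regular file under root.
    Keep the result offline so it cannot be altered alongside the backup."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest taken when it was made."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    # Only changed or new files are entropy-checked; untouched files still match their hash.
    high_entropy = sorted(
        p for p in modified + unexpected
        if shannon_entropy((root / p).read_bytes()) > HIGH_ENTROPY_BITS
    )
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "high_entropy": high_entropy,
    }


def demo() -> tuple:
    """Constructed scenario: take a manifest of a small backup, then simulate
    ransomware reaching the backup copy (one file overwritten with random
    bytes, a note dropped) and verify it again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly report, plain text.\n" * 50)
        (root / "config.json").write_text(json.dumps({"backup_schedule": "daily"}))
        manifest = build_manifest(root)          # this is what you store offline
        clean = verify_backup(root, manifest)    # untouched backup passes
        # Constructed tampering of the backup copy
        (root / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (root / "README_DECRYPT.txt").write_text("Your files are encrypted.\n")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched backup ok:", clean["ok"])
    print("tampered backup:", json.dumps(tampered, indent=2))
```

A failed check is a reason to stop and investigate, not to pick a different restore point at random: if the backup copy itself was reachable by the malware, the device it was connected to should be treated as infected too, which is why the guidance insists on an offline copy.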
Extract taken from NCSC.gov, which has numerous guidelines to assist you.