Since the beginning of 2016, ransomware has been a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. Ransomware was profitable to criminal actors through an economy of scale; they were successful by indiscriminately targeting high volumes of users of vulnerable devices. Even with only modest ransom demands, the number of successful attacks was often enough to make the criminal actors a decent profit.
Throughout 2018 there appears to have been a trend towards more targeted ransomware attacks, where criminal actors conduct a thorough analysis of the victim network to understand the 'value' of the victim organisation and set a ransom demand based on that perceived value. Through analysis of the victim network and lateral movement within it, malicious actors look to ensure that their action has maximum impact on the victim organisation - potentially denying access to business-critical files and systems, and halting the normal operations of the victim organisation.
While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.
The methods for infecting systems with ransomware are similar to those used with other types of malicious software, as are the steps organisations can take to protect themselves.
Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.
This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.
What is ransomware?
There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.
In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.
The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.
How does ransomware infect your system?
Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing).
More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in software, where simply visiting a malicious website can be enough to cause a problem. A range of attack vectors have been used, for example vulnerable web browsers, legacy protocols (such as SMBv1) or remote administration tools such as Remote Desktop Protocol (RDP). In the case of RDP, attackers have developed methods of identifying vulnerable RDP services and gaining access to them using stolen login credentials and other sensitive information. Ransomware is also delivered by other malware, such as trojans, that is already present on a system.
Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.
Preventing ransomware using good enterprise security
Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.
The following mitigations are examples of good security practice, and link to other NCSC guidance where available:
- Defend against phishing attacks - phishing works by exploiting people's natural instincts to be helpful and efficient. A combination of technological, process and people-based defences will help organisations minimise their users' exposure to phishing, recognise and report an attack, protect against attacks that slip through, and respond to an incident. See our Phishing guidance for advice on the multi-layered approach to improving resilience and minimising the disruption an attack may cause to your organisation.
- Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes. It is important to take steps to prevent an attacker from establishing a foothold in a network and gaining further access (lateral movement) as well as protecting system boundaries.
- Controlling code execution - consider preventing unauthorised code delivered to end user devices from running. One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
- Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
- Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.
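The first three mitigations above (phishing defence, patching and controlling code execution) share a technological layer: stopping macro-bearing documents before a user can be tricked into enabling them. The script below is an added example, not NCSC code or part of this guidance, showing how a mail gateway or upload filter can inspect an Office Open XML attachment for a VBA project part and quarantine it, including the case where a macro-enabled document has been renamed to a harmless-looking extension. The sample documents it builds are constructed in memory and are not real Office files; the decision labels ("allow", "quarantine", and so on) are this example's own.

```python
"""Flag macro-bearing Office attachments before they reach users.

Added example (not NCSC code). Office Open XML files (.docx/.docm/.xlsx/...)
are ZIP containers; VBA macros live in a part named vbaProject.bin. A mail
gateway or upload filter can open the container and quarantine anything that
carries that part, regardless of the file extension the sender chose.
"""
import io
import zipfile

# Extensions Office treats as macro-enabled; a plain .docx/.xlsx should never carry VBA.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
OOXML_EXTENSIONS = MACRO_ENABLED_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def contains_vba(data: bytes) -> bool:
    """Return True if the OOXML container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Decide what a gateway should do with an attachment.

    Returns one of (labels chosen for this example):
      "not-ooxml"           - not an Office Open XML container; this filter does not apply
      "allow"               - OOXML with no VBA present
      "quarantine"          - VBA present in a macro-enabled file type
      "quarantine-mismatch" - VBA present although the extension claims a macro-free type
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OOXML_EXTENSIONS or not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    if not contains_vba(data):
        return "allow"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "quarantine"
    return "quarantine-mismatch"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style ZIP (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            archive.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docx": build_sample(False),
        "invoice.docm": build_sample(True),
        "invoice_renamed.docx": build_sample(True),  # macro hidden behind a harmless extension
        "notes.txt": b"just text",
    }
    for name, blob in samples.items():
        print(f"{name:22s} -> {classify_attachment(name, blob)}")
```

The gateway check complements, rather than replaces, the end-user device policy of blocking macros: a quarantined attachment never reaches the point where a user can be persuaded to click "Enable Content". Legacy binary formats (.doc, .xls) use a different container and need a separate parser, which this example does not cover.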
For more information see Approaching enterprise technology with cyber security in mind.
What impact does ransomware have?
Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.
It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?
Limiting the impact of a ransomware attack
The following measures can all help to limit the impact of a ransomware attack.
- Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user. Understand the risks brought in by the system administration model that your IT architecture uses. Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
- Ransomware doesn't have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
- Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.
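The backup point above says that backup solutions must be fully tested. The following is an added example, not NCSC code or part of this guidance, of the minimum test that makes a backup a control rather than an assumption: record a SHA-256 manifest of the data when the backup is taken, restore the backup somewhere fresh, and compare the restored tree against the manifest. It reports files that are missing, altered or unexpectedly added, which is what a backup share reached by file-encrypting ransomware looks like. The sample files and the "tampered" restore are constructed inside a temporary directory; the manifest should in practice be kept somewhere the at-risk machines cannot write to, for the same reason the guidance gives for the backups themselves.

```python
"""Create a hash manifest for a backup set and verify a restore against it.

Added example (not NCSC code). Records a SHA-256 manifest at backup time and
later verifies a restored copy against it, reporting files that are missing,
altered (for instance encrypted by ransomware that reached the backup share)
or unexpectedly added.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_is_good(report: dict[str, list[str]]) -> bool:
    """A restore passes only when every category of difference is empty."""
    return not any(report.values())


def demo() -> tuple[dict, dict]:
    """Constructed walk-through: a faithful restore versus a tampered backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)

        # Faithful restore: copy to a fresh location and verify.
        good = Path(tmp) / "restore_good"
        shutil.copytree(source, good)
        good_report = verify_restore(manifest, good)

        # Tampered backup: one file renamed with an extra extension and overwritten
        # with random bytes, another overwritten in place, mimicking encryption.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(source, bad)
        (bad / "finance" / "ledger.csv").rename(bad / "finance" / "ledger.csv.locked")
        (bad / "finance" / "ledger.csv.locked").write_bytes(os.urandom(64))
        (bad / "readme.txt").write_bytes(os.urandom(32))
        bad_report = verify_restore(manifest, bad)
    return good_report, bad_report


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("clean restore passes:", restore_is_good(good_report))
    print("tampered restore passes:", restore_is_good(bad_report), bad_report)
```

Run the verification from a machine that is not part of the production estate, against a restore into a scratch location, on a schedule; a restore that has never been performed tells you nothing about whether the backup will be there when ransomware strikes.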
What to do if your organisation has been infected with ransomware
If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:
- The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
- The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
- The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced.
Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.