Ransomware 101

Ransomware 101: Three ways to protect your business

May 20th, 2021 Posted in Data Protection, Information Security

Ransomware is a form of malicious software (“malware”) used by cyber criminals. Once in a system, the malware encrypts files, and effectively holds them hostage, until a ransom is paid. In some cases, attackers even take copies of your data and threaten to release it onto the internet as an extra incentive to pay up. For victims – particularly businesses – ransomware can be paralysing: blocking day-to-day operations, bringing productivity to a standstill and costing a lot of money if the ransom is paid.

Organisations of all sizes and sectors have fallen victim to ransomware. The most infamous example is the NHS WannaCry attack of 2017, which exploited an unpatched vulnerability in the Microsoft Windows 7 operating system. The attack impacted hospitals and GP surgeries across the nation, putting vital patient care at risk. Most recently, the Colonial Pipeline (May 2021), which acts as the central gasoline/petrol delivery artery for the East Coast of America, was brought to a standstill by ransomware and led to Colonial paying a $4.4m ransom.

While these examples can be frightening to think of in the context of your own business, every successful attack is a learning opportunity. Where other businesses’ vulnerabilities have led to an attack, you can ensure these same weaknesses are mitigated.

These incidents also serve as a significant reminder of the benefits of proactive protection. In today’s digital world, customers and suppliers are demanding trust, and excellent cyber security can be a positive competitive differentiator.

By fostering cyber resilience, businesses can safeguard their assets and their reputation, while in turn building credibility among their partners and clients. Here’s our overview of how to protect your company in 3 steps.

  1. Neutralise the worst-case scenario

First, we advise you to build up a state of preparedness, so you know how to deal with a ransomware attack if it strikes. The basis of this is an incident response strategy, which should include:

  • Preparation and planning: Whatever the size of your organisation, an incident response plan to refer to during a ransomware incident is essential. The plan should set out roles and responsibilities, detail who is in your incident response team (“IRT”) and layout authority level requirements for invoking the plan and mobilising the IRT.
  • Detection and analysis: The starting point in responding to any ransomware attack is detecting it in the first place. Ideally, you will have tools available to help automate this process, including anti-malware, Intrusion Detection Systems/Intrusion Protection Systems (“IDS/IPS”), Security Information and Event Management (“SIEM”) or even an in-house or managed Security Operations Centre (“SOC”) service.
  • Containment, eradication & recovery: Once an attack is identified, the first step is to contain the breach: disconnect affected systems from the network, segregate sections of the network, disable compromised user accounts and advise users not to connect or use specific systems. When the incident is under control, you have reached the point at which you can reconnect or recover systems.

For a more detailed look at these steps, read our Incidence Response guide here.

  1. Prevent an infection

Second, make sure your systems are secure enough to deter a would-be-attacker. There are plenty of guides out there to help with this. If you’re a small or medium-sized enterprise (“SME”) we suggest you start with the NCSC’s flagship standard of Cyber Essentials, which recommends five simple actions to protect your organisation:

  • Use a firewall to secure your internet connection
  • Choose the most secure settings for your devices and software
  • Control who has access to your data and services
  • Protect yourself from viruses and other malware
  • Keep your devices and software up to date

You can assess your readiness for Cyber Essentials by completing a free self-evaluation. A step further is to achieve Cyber Essentials or, even better, Cyber Essentials Plus, which requires a qualified, independent assessor to validate that these five steps are in place. This includes overseeing vulnerability scans, checking third-party access, and ensuring your software is up to date.

Saying this, it’s worth noting these standards will not suit every type of business. For larger companies with an international presence, the requirements of Cyber Essentials Plus may cause more disruption than benefits. For example, the Cyber Essentials mandates that software must be patched within 14 days of an update being released (if the update covers any ‘critical’ or ‘high risk’ issues). While this is feasible for most SMEs, it may not be possible for larger companies, who may need to patch during fixed maintenance windows when systems can be brought offline.

In these instances, other excellent options are either ISO27001 or the NIST Cyber Security Framework. ISO27001 is the international standard for an information security management system (“ISMS”). This standard takes a risk-led approach, looking at information security risks across the business, including physical security risks, HR security risks, and supplier security risks, as well as IT. A certified ISMS not only indicates you take the management of security seriously but helps to improve your ability to endure and respond to attacks like ransomware.

Many organisations use NIST as it does not have a certification process. Instead, it offers a well-designed framework to assist in establishing a cyber security maturity posture over the five business-critical functions of Identify, Protect, Detect, Respond and Recover.

Standards such as Cyber Essentials, ISO27001 and NIST should build customer confidence and enable your organisation to be cyber resilient in today’s challenging world.

  1. Remember hidden risks

Lastly, it’s important to remember ransomware spreads just like an infection. This means that it can start in one organisation and crawl into the networks and applications of any company it is connected to. It’s therefore vital to think about your suppliers – not just those you buy goods and services from, but those who specifically have access to your IT network.

We advise you carefully consider who can access your data and create a ‘walled garden’ inside your network to keep their work away from yours. As a starting point, we recommend the UK’s National Cyber Security Centre (NCSC) 12 principles, which were created to help companies enable effective control of the supply chain.

The race is on to defeat ransomware

It’s encouraging to note businesses are not alone in the mission to overcome ransomware. Just this month, the Ransomware Task Force released a new report, calling for a coordinated, international, diplomatic and law enforcement-driven effort for beating the ransomware threat.

The Task Force is made up of a group of more than 60 experts, gathered from software companies, cyber security vendors, government agencies, non-profits and academic institutions. Together, they have developed a comprehensive framework for tackling ransomware.

In particular, the strategy calls on national governments to lead the charge and suggests the US should spearhead efforts. In line with this, the US established a Ransomware and Digital Extortion Task Force.

While the report puts the onus on governments to tackle the threat, your organisation can take concrete steps to protect itself. In doing so, you will not only reduce the likelihood of a ransomware attack but strengthen your organisation’s entire cyber security posture. This resilience is a competitive advantage – one that enables trust in your supplier network and symbolizes a commitment to customers.

Need help?

If you need help or advice on how to manage your business’ cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configures correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat.

Marcus Chambers 250 x 250

Written by Marcus Chambers

Marcus is a senior security consultant specialising in cyber security; including strategy, security transformation, risk management, incident response and supply chain assurance. His career started in the British Army where he delivered multifaceted operational solutions often in austere settings. Since leaving the military, Marcus has worked in senior security consulting roles, across numerous sectors. He has three Masters degrees including an MSc in Information Security from Royal Holloway, University of London; he holds ISACA's CISM and CGEIT certifications; is a Chartered Engineer and a graduate of the British Military's esteemed Advanced Command and Staff Course.