Viewing entries in
ransomware

Comment

NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worse comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.


Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are a number of commercial, and industry specific information-sharing resources as well as the CiSP platform detailed below.
 

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.
 

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
     

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
     

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact incidents@ncsc.gov.uk who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.


If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.


Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows on from other reported incidents around insecure repositories and third party storage solutions, where users have failed to alter the default settings and/or configure the environments incorrectly and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomesthat have been developed by the NCSC and the Information Commissioners Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 5th January 2018

'Meltdown' and 'Spectre' vulnerabilities to microprocessors

Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced this week. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions - such as recovering passwords - are theoretically made easier.

However, an attacker would still need to run code on a device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites. At this stage there has been no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC has pro-actively advised that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available, and has recommended that home users enable automatic updates so future security measures are installed.

Further advice for enterprise administrators and home users can be found on this website.
 

Cyber-enabled fraud: an increasing threat for 2018

Media reporting highlights an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).

This attempted theft highlights that poor end user security is still a problem for some global financial institutions.

Increasingly, cyber thieves are attempting to harvest legitimate login credentials, and then commit fraudulent activity using the accesses that these legitimate credentials provide. Most notoriously, around US $81 million was stolen from Bangladesh Bank in February 2016.

Analysis of the Bangladesh Bank theft indicates that the hackers responsible likely implanted malware into the banks servers to steal legitimate SWIFT credentials, which were then used to conduct the fraudulent transactions.

Most organisations in the UK finance sector will have sufficient cyber security measures in place to protect against the type of fraud which occurred against the Bangladesh and Globex banks, however, globally, this trend of cyber-enabled fraud, which seeks to acquire and then abuse legitimate credentials, is likely to continue throughout 2018, and it is likely to be attempted against UK organisations across all sectors.
 

Cyber attack forces US hospital offline

The Jones Memorial Hospital in the US state of New York was hit by a cyber attack this week impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.

The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US. While all sectors are vulnerable to such attacks, healthcare organisations in the US are more likely to be specifically targeted by cyber criminals because they operate privately, for profit and have a high reliance on access to data. As a result, these organisations also tend to have appropriate response and backup procedures in place, enabling them to limit the operational and financial impact of cyber attacks.

The NCSC has published guidance on how to prevent a ransomware incident and what to do if your organisation is infected.

Comment

.author-name { display: none; }

Comment

NCSC - Statement: 'Bad Rabbit' malware incident

Statement: 'Bad Rabbit' malware incident

An official statement from the National Cyber Security Centre on the recent 'Bad Rabbit' malware cyber incident. 

A spokesperson for the National Cyber Security Centre said:

“We are aware of a cyber incident affecting a number of countries around the world.

“The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”

Further information

  • The NCSC recommends that organisations and the public follow the guidance on the NCSC website -  install the latest security software patches, back up data and use proper antivirus software services.
  • The NCSC also recommends that passwords are never re-used across important accounts and also setting up Two-Factor Authentication (also called Two-Step Verification) in the security settings.
  • The National Crime Agency (NCA) encourages anyone who thinks they may have been subject to online fraud or cyber crime to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay. 

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 19th May 2017

WannaCry ransomware attack illustrates risk of using unlicensed software

The WannaCry international ransomware attack has highlighted the risks of relying on unpatched software. The scale of the outbreak has been blamed in part on the widespread use of unlicensed software. Pirated software is often insecure as it does not benefit from manufacturers’ updates to fix vulnerabilities.

Several of the countries reported by cyber security companies to be worst affected are also amongst the countries where unlicensed software is most widely used.

This incident illustrates that while using unlicensed software might be seen as a way of saving money in the short term, it can put cyber security at serious risk and may potentially lead to losses far outweighing any savings.

The NCSC's guidance on protecting your organisation from ransomware can be found here. Further guidance for home users and small businesses as well as enterprise administrators is also available.

Comment

.author-name { display: none; }

Comment

NCSC Guidance - Protecting your organisation from ransomware

Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware; the first type encrypts the files on a computer or network. The second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, prevents against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk.  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.

Comment

.author-name { display: none; }