If you are concerned about ransomware and malware generally, this article will give you some actionable steps to help you prevent a malware infection and also steps to take if you’ve already become infected. If you think you have already been infected with malware, please refer to the steps at the bottom of the article.
Taking the right steps will decrease the likelihood of becoming infected, slow down the spread of malware throughout your organisation and reduce the potential impact of the infection.
Malware and ransomware?
Malware is any kind of malicious software, which if allowed to run can cause harm to your systems and data. For example:
- Causing a device to become locked or unusable
- Stealing, deleting, or encrypting data
- Taking control of your devices to attack other organisations
- Using your processing power to ‘mine’ cryptocurrency
- Using services that may cost you money e.g. network bandwidth or electrical power
Ransomware is a particular subset of malware that prevents you from accessing your computer or the files and data stored on it. The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware can also attempt to spread to other computers on your network. A malware variant that became well known in mainstream media was WannaCry, which extensively impacted the NHS in May 2017. There are many other, less well-known varieties.
A typical mode of operation is for the malware to ‘ask’ you to contact the attacker via an anonymous email address and follow instructions on a web link, to make payment. The payment is usually requested in a cryptocurrency such as Bitcoin, in exchange for a promise to unlock your computer, or data. There is, however, no guarantee that you will get access to your computer, or your files. You are dealing with criminals, after all.
Sometimes malware purports to be ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware. For this reason, it’s essential that you always have a recent offline backup of your most important files and data.
To pay or not to pay?
In most countries, law enforcement does not encourage or endorse the payment of ransom demands. If you do pay the ransom:
- There is no guarantee that you will be given access to your data or computer
- Your computer will still be infected
- You will be paying criminal groups
- You are more likely to be targeted in the future
Sometimes attackers will threaten to publish data if payment is not made. To combat this, organisations should take measures to minimise the impact of data exfiltration. The NCSC’s guidance on Protecting bulk personal data and the Logging and protective monitoring guidance can help with this.
Employ a defence in depth strategy
There’s no way to completely protect your organisation against malware infection, so you should adopt a ‘defence-in-depth’ approach to reduce the chances as much as possible. This means using layers of technical and procedural defences with several mitigations at each layer. This will give you more opportunities to detect malware, and then stop it before it causes real harm to your organisation.
Always assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause, and speed up your response.
There are some steps you can take to help prepare your organisation for potential malware and ransomware attacks.
- Take regular backups
- Prevent malware from being delivered and spreading to devices
- Prevent malware from running on devices
- Prepare to respond to an incident
Steps to take if your organisation is already infected
If you have already been infected with malware, the following steps may help limit the impact:
- Immediately disconnect the infected computers, laptops or tablets from the network.
- In a serious case, consider turning off your Wi-Fi, disabling any core network connections and disconnecting from the internet.
- Reset credentials including passwords (especially for administrator accounts)
- Safely wipe the infected devices and reinstall the OS.
- Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you’re connecting it to are clean.
- Download software on a ‘clean’ connection and install and update the OS and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify if any infection remains.
- Files encrypted by most ransomware typically cannot be decrypted by anyone other than the attacker. However, the No More Ransom Project provides a collection of decryption tools and other resources from the main anti-malware vendors, which may help.
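The advice to take regular offline backups and to verify a backup is clean before restoring can be backed by a simple integrity check: record a hash of every file when the backup is known-good, keep that record somewhere the backed-up systems cannot write to, and compare before restoring. The script below is an added example written for this article; it is not NCSC tooling, and the file names and directory layout it builds are constructed for the demonstration. Any file that has changed, disappeared or appeared since the manifest was taken is reported, which is exactly the pattern an encrypting ransomware leaves on a backup it could reach.

```python
"""Backup manifest builder and verifier (added example, not NCSC tooling)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def save_manifest(manifest: dict, out_path: Path) -> None:
    """Write the manifest; in practice store it offline, away from the backup host."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree now against the manifest taken when it was known-good."""
    current = build_manifest(root)
    expected, seen = set(manifest), set(current)
    return {
        "modified": sorted(p for p in expected & seen if current[p] != manifest[p]),
        "missing": sorted(expected - seen),
        "unexpected": sorted(seen - expected),
    }


def is_clean(report: dict) -> bool:
    """True only when nothing changed, vanished or appeared since the manifest."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: a good backup, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "q1.txt").write_text("quarterly figures\n")
        (root / "notes.txt").write_text("meeting notes\n")
        manifest = build_manifest(root)          # taken while the backup is known-good
        good = verify_backup(root, manifest)
        # Simulate the effect of an encrypting ransomware reaching the backup:
        # one file's contents replaced, one renamed, one new file dropped.
        (root / "docs" / "q1.txt").write_bytes(os.urandom(32))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "README_RESTORE.txt").write_text("constructed note\n")
        bad = verify_backup(root, manifest)
    return good, bad


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("known-good backup clean:", is_clean(good_report))
    print("tampered backup report:", json.dumps(bad_report, indent=2))
```

The check is only as trustworthy as the manifest's storage: if the manifest sits on the same share as the backup, an attacker who can encrypt the backup can also rewrite the manifest, so keep it offline or on write-once media. A clean report does not prove the backup contains no malware, only that it matches what was captured; pair it with the antivirus scan the steps above describe before reconnecting the restored device.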