The persistent menace of ransomware and four steps to defend against it
Continuing our series of articles from the City of London Police on fraud and cyber crime, here the focus is Ransomware, covering the scale of the threat and what you can do to protect against this crime.
Malware is malicious software which, if able to run, can cause harm to your computer.
Ransomware is a type of malware that prevents a user from accessing their computer or the data that is stored on it. The computer itself may become locked, or the data on it might be stolen, deleted or encrypted.
Usually you’re asked to contact the attacker via an anonymous email address or follow instructions on an anonymous web page, to make payment. The payment is invariably demanded in a cryptocurrency such as Bitcoin, in order to unlock your computer, or access your data. However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files.
The scale of the threat
Ransomware continues to be a successful cyber attack and although the extent of the harm is underreported by most victims, ransomware remains hugely profitable for individuals and group offenders and equally disruptive for victims.
The latest annual assessment from Action Fraud (2021/22) showed ransomware as the most impactful malware reported. In the first quarter of 2023, Action Fraud received 97 reports relating to ransomware. Each month new ransomware variants are being identified, which shows that cyber criminals are exploring new toolkits and methods to commit offences.
It is not just large organisations that are targeted; small and medium-sized organisations frequently report incidents of ransomware attacks.
How to protect your business from ransomware and its effects
Read the NCSC’s guidance for the full information and guidance on mitigating malware and ransomware attacks.
Step 1: Make regular backups
Up-to-date backups are the most effective way of recovering from a ransomware attack.
Make regular backups of your most important files. Ensure you create offline backups that are kept separate, in a different location (ideally offsite) from your network and systems, or in a cloud service designed for this purpose.
Step 2: Prevent malware from being delivered and spreading to devices
You can reduce the likelihood of malicious content reaching your devices through a combination of:
- filtering to only allow file types you would expect to receive
- blocking websites that are known to be malicious
- actively inspecting content
- using signatures to block known malicious code
Step 3: Prevent malware from running on devices
A ‘defence in depth’ approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features.
Step 4: Prepare for an incident
Malware attacks, in particular ransomware attacks, can be devastating for organisations because computer systems are no longer available to use, and in some cases, data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover.
Areas to consider could include:
- identify your critical assets and determine the impact to these if they were affected
- develop an internal and external communication strategy
- ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems
- exercise your incident management plans
- identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this
Reporting fraud and cyber crime
If you believe you may have been a victim of ransomware, you should report it to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040.
If you are a business, charity or other organisation which is currently suffering a live cyber attack (in progress), please call 0300 123 2040 immediately. Specialist advisors are available 24 hours a day, 7 days a week.
For signposting to which other organisations require you to report, please visit https://signpost-cyber-incident.service.gov.uk/
Should you pay the ransom?
Law enforcement does not encourage, endorse, or condone the payment of ransom demands. If you do pay the ransom:
- there is no guarantee that you will get access to your data or computer
- your computer will still be infected
- you will be paying criminal groups
- you’re more likely to be targeted in the future
Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration.