Ransomware – what can public bodies do about it?

Written by Des Ward on 5 February 2016 in Opinion

In the wake of last week’s ransomware attack on Lincolnshire County Council, Des Ward looks at how public bodies should respond.

The reports of a cyber attack against Lincolnshire County Council over the past week have highlighted a technique used to encrypt data on a computer and then demand payment to unlock it again.  This isn’t the first high-profile use of this technique within the public sector; MP Chi Onwurah had her parliamentary account affected in late 2015.

The impact of these attacks is often discounted, and the sum demanded often determines how seriously they are taken; but, with 300 systems affected in Lincolnshire County Council and its frontline services having to resort to paper, the impact can go far beyond the money demanded.

Unfortunately, it is becoming increasingly common for criminals to use this technique, commonly called ‘ransomware’.  So, what can you do to prevent your organisation becoming the next extortion victim?

The rise of ransomware

Ransomware has been a technique used by criminals since 2006, but it has gained popularity through the existence of software that automates the process to the extent that very little skill is required to execute the attack at all.

Ransomware is often deployed using malware that exploits a weakness in the application or operating system software on a device in order to install itself, run and encrypt the files.

Mitigating against ransomware

It would, therefore, be logical to assume that a good anti-malware solution can be used to detect these attacks and prevent them; but as the Lincolnshire County Council example shows, their protection software didn’t pick it up.  This is likely to have been because malware authors are fighting a constant battle to bypass the signatures within the anti-virus software installed within organisations.  So what can you do to reduce both the likelihood and the impact of this happening?

Deploy patches

Make sure that you deploy patches and updates to software regularly, including application software. A good starting point is to subscribe to alerts and notifications from the vendors; if you also have a link to an advisory organisation (such as a WARP within the public sector), this can help you understand when weaknesses are actually being exploited.

There is good guidance within the Public Services Network Code of Connection (PSN CoCo).  Also, it is recommended that you agree timescales for application of patches with any suppliers you have.

Disable functionality that isn’t required

Some malware installs itself using features within applications (e.g. macros and Visual Basic) that you don’t require, at least for most users.  Always ensure that software is configured in a manner that disables features that you don’t need.

It is also useful to set your email software to view plain text by default, as this exposes many spam emails (through the tell-tale signs discussed below).

It’s also recommended to ensure that administrator accounts aren’t used for daily tasks: use normal user accounts instead, and keep a separate account for special tasks (this can prevent malware being installed in some cases).

Keep anti-malware updated

Of course, you should be looking to ensure that anti-malware software is kept updated; with attacks changing every day, I’d always recommend deploying signatures every 24 hours.  That said, you need software that doesn’t just rely on signatures (i.e. matches against known attacks) but also looks at what’s actually happening on the system (also called heuristics). This approach will provide more effective protection.

You should also note that anti-malware will not provide long-term protection against unpatched weaknesses due to the nature of the changing techniques being used.

Educate users

Ransomware usually requires someone to do something (i.e. click on a link or attachment), so it’s important to ensure that your users think about the email they have received. 

Typically, there are tell-tale signs such as:

  • the web address being wrong - hover over the link or right-click and view the source to see if the link matches the text in the email;
  • the language used in the email being incorrect, with spelling mistakes;
  • information that you would usually expect in the email being said to be in an attachment;
  • the email coming from someone you haven’t heard of;
  • the email demanding that something happens urgently.

More guidance is available on Get Safe Online.

Have a good business continuity strategy

It’s tempting to treat this as a solely technical issue, yet it is easier to ensure that you have a sound, tested business continuity plan that caters for your business when you don’t have access to systems or data. 

This plan should identify how much data you can lose access to before it presents an issue to the business processes, which should ensure that you back up the information that is critical to maintaining your operations.

Testing this plan is crucial to ensure that you can restore that information when required to maintain delivery of services, which is a legal obligation under the Civil Contingencies Act 2004 for both the public sector and its suppliers.

Des Ward is director and Information Governance specialist at public sector supplier body Innopsis

Comments

Martin Pill Sen... (not verified)

Submitted on 7 March, 2016 - 17:05
Following the CESG configuration guidance for laptops and desktops would prevent the majority of malware getting a foothold. For organisations needing advice, CESG have just launched the Certified Cyber Security Consultancy scheme, which lists firms who have been assessed by CESG and judged to be competent to provide expert, tailored advice.

Stephen Barnett (not verified)

Submitted on 15 May, 2017 - 09:51
Email remains the main vector in the majority of attacks. The NCSC is promoting the use of DMARC in the public sector to tackle email spoofing and hence prevent the malicious emails reaching users' mailboxes. They are also building a DNS service for public sector that will stop users from accessing domains known to be harmful. These initiatives reduce the reliance on users knowing which links / attachments are safe to click on. Network architecture is another layer of defence. A flat network makes it easy for a worm like WannaCry to spread like wildfire once it is inside your organisation. Consider segmenting your network to build in some further protection.
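A DMARC record only blocks spoofed mail if its policy is actually enforcing. The following is an added example, not from the comment above or from the NCSC, showing how to read a domain's DMARC TXT record and report the gaps (monitor-only policy, partial percentage, unenforced subdomains, no reporting address) that a defender would want fixed. It assumes constructed records rather than a live DNS lookup, and treats a missing `p=` tag as `none` for assessment purposes.

```python
# Added example (not from the comment or the NCSC): interpret a DMARC TXT record and
# report whether it enforces anything. Constructed records are used so this runs offline.
def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_assessment(record: str) -> dict:
    """Return the policy, whether it is effectively enforcing, and defender-relevant warnings."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return {"valid": False, "warnings": ["not a DMARC1 record"]}
    policy = t.get("p", "none").lower()        # assumption: missing p= assessed as none
    pct = int(t.get("pct", "100"))             # share of failing mail the policy applies to
    sub = t.get("sp", policy).lower()          # subdomain policy defaults to p=
    warnings = []
    if policy == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if sub == "none" and policy != "none":
        warnings.append("sp=none leaves subdomains unenforced")
    if "rua" not in t:
        warnings.append("no rua= address: no aggregate reports showing who spoofs you")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "policy": policy, "subdomain_policy": sub,
            "enforcing": enforcing, "warnings": warnings}

# Constructed records (placeholders, not real lookups) for the two common states.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"
```

A domain at `p=none` has taken the first DMARC step (reporting) but still delivers spoofed mail, so the move to `quarantine` or `reject` is where the protection the comment describes actually starts.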
