Recently there have been a number of ransomware attacks targeted towards the legal and financial sectors which have resulted in down time and a loss of capability. Ransomware attacks can be devastating for organisations and not being properly prepared can lead to a significant amount of down time and data loss which could take months to recover from. We anticipate that these attacks will only increase in frequency given the current geopolitical and economic climate.
Chris Wilson, Cyber Protect Officer for East Midlands Special Operations Unit has said:
"Over the last few weeks we have seen an increase in targeted attacks against the legal and financial sectors. These sectors often hold lucrative information and attackers have realised this. If you work in the legal sector, we highly recommend you look at hardening your systems and looking at IT systems to ensure they are not vulnerable.
We urge you to be vigilant over the next few weeks, as the cyber risk is heightened in the run up to the commonwealth games as this makes the UK a likely target."
"We are on standby to help if you have been impacted by an attack, and you can report this to us via Action Fraud or any of the usual channels."
We have more information on ransomware below, and just a few of the things you can do to reduce the risks.
Ransomware is a computer malware (malicious software) that infects your computer and encrypts itself, locking the victim out until they pay a fee to unlock it and regain access, this fee will usually be requested via cryptocurrencies. While the victims are locked out, the criminals may steal the encrypted data and personal information and resell it online or possibly edit the information.
There are many different Serious Organised Crime Groups that use different types of ransomware which are constantly being developed and improved to become harder to overcome without payment and easier to use for criminals.
Cybercriminals will often not commence their attack the second they gain access to your network and can sometimes remain dormant for months at a time monitoring the network traffic and gathering information about the users and the computer systems themselves so that they can launch their attack at the perfect time while also harvesting data that can be sold online.
There are a multitude of ways that Malware can infect the network however there are three common methods that being through Phishing, RDP and PowerShell.
Phishing – These are emails designed to look legitimate but contain malicious links which will send the user to a fraudulent website or cause the Ransomware to download. Remind staff not to click on links in emails and to make their own way to websites via an internet browser and not be guided by links.
You can check if your organisation’s emails are secure and safe by using the NCSC’s Email Security Check Service: https://emailsecuritycheck.service.ncsc.gov.uk/
If you believe you have been sent a phishing email you can forward it to the NCSC’s Suspicious Email Reporting Service by forwarding the email to report@phishing.gov.uk. You can report Phishing emails received via text to your network provider my forwarding it to 7726.
Remote Desktop Protocol (RDP) - RDP and Unpatched Remote Access Devises that use Port 3389 are usually used by network admins to remotely diagnose problems individual users may be encountering and fix or for use in remote working. Recent incidents have been known to exploit multiple vulnerabilities including those ran on VMware ESXi Servers so be sure to regularly update whenever it is available.
The NCSC recommend that you disable RDP if it's not needed and to enable Two Step Verification (otherwise known as Multi Factor Authentication) at all remote access points into the network, and enforce IP allow listing using hardware firewalls. If RDP is necessary for your organisation, then you should consider using a VPN (Virtual Private Network) when using RDP to connect to devices and implement network logging so there is an audit trail of who and where these connections are being made.
Remember to update both your devices Operating System and Software so that an attacker cannot exploit old vulnerabilities that have now been patched.
Powershell – This scripting language and command line tool allows users to automate and remotely execute commands. If not configured correctly PowerShell can be used by cybercriminals to exploit and run ransomware. This is a tool however that is also capable of both reducing and detecting abuse on your network without risking exploitation from cybercriminals as long as it is configured correctly. Ensure your PowerShell is properly configured.
The NCSC and other international partners recently published an article regarding some of the advantages that can come from proper configuration and you can read that here: CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF (defense.gov)
Preventing an attacker from being able to laterally move within your network can be an effective mitigation method as this can make it harder for them to catch you off guard, protect your confidential data and maybe even deter them as the reward for them doesn’t outweigh the risk and time investment. The NCSC Recommend the following:
You should use two step verification so that if credentials are stolen, they cannot be accessed and passwords can be reset if credentials have been leaked.
Disconnect devices with obsolete Operating systems and Apps so that they cannot be accessed or abused by attackers. Make sure that you keep a record of your organisations assets so that you can target security updates quickly
Review permissions regularly and have an effective offboarding process so that users have the correct privileges enabled and only privileges necessary for their job role. Don’t use admin accounts for email or web browsing to prevent risking high value accounts from being compromised
Having a plan for what you should do is crucial even if you believe you are at low risk, your organisations could still be impacted by collateral malware, in which a third party has been infected and this has impacted your organisation. The NCSC recommend taking the following precautions:
Backups: backing up your most important data significantly reduces the amount of leverage the attackers have over you. A great back up model to follow is the 3-2-1 model in which you have three versions of the backup, backups stored in two separate formats e.g. one on an external hard drive and another in the cloud and finally have one of your backups kept off site in a safe and secure location. It’s important to keep these backups updated so the data loss is minimal and keep it disconnected from your network and computers so that it can’t be infected in the event of an attack.
Identify your critical assets and determine the impact to these if they were affected by a malware attack.
Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders in a timely fashion.
Determine how you will respond to the ransom demand and the threat of your organisation's data being published.
Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems.
Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.
Create an Incident management plan outlining the roles and responsibilities of staff and third parties. Be sure to exercise and practice this plan so that staff members know what to do in the event of an attack. You can learn more about Incident Management here: Incident management - NCSC.GOV.UK
What to do during an incident
The NCSC recommend that you take the following steps if you find yourself in the middle of a ransomware incident:
Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery.
Safely wipe the infected devices and reinstall the OS.
Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.
Connect devices to a clean network in order to download, install and update the OS and all other software.
Install, update, and run antivirus software.
Reconnect to your network.
Monitor network traffic and run antivirus scans to identify if any infection remains.
Reporting
Action Fraud
If you find yourself the victim of a ransomware attack you should report it to action fraud. Action Fraud are the main organisation in charge of reporting fraud and cybercrime in the UK. Action fraud then forward the report to the police and other organisations so that they can provide support and assistance. You can complete a report online at the following link: www.actionfraud.police.uk.
If you are currently in the middle of a live cyber attack call 0300 123 2040 which will take you to Action Fraud’s specialist advisors who are available 24/7.
ICO (Information Commissioners Office)
Under the new Data Protection Act 2018 (also known as GDPR) there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
“The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem”.
The most common type of incidents you may need to report include: frauds, thefts, significant financial losses, criminal breaches, terrorism or extremism allegations, and safeguarding issues. If a serious incident takes place, you need to report what happened and explain how you are dealing with it, even if you have reported it to the police, donors or another regulator.
You can make reports to the ICO via their website: https://ico.org.uk/