2022-03-12 14:31:54

QUICK GUIDE: Reducing Malware and Ransomware Attacks - NCSC recommendations

Organizations should follow the advice of the NCSC and take action to improve their resilience as the cyber threat increases.


At a time when your data is perpetually at risk, IT security deserves more attention as a preventive measure. Infected emails or scam messages may already have arrived that demand payment in order to get your identity back.

This mini guide helps public and private sector organizations manage the effects of malware (which includes ransomware¹). It provides actions that help organizations prevent malware² infection, and also steps to take if you are already infected.

This brief summary also includes quick tips for families and individuals.

Following this guidance will reduce:

  • the likelihood of becoming infected
  • the spread of malware throughout your organisation
  • the impact of the infection

If you have already been infected with malware, refer to the list of urgent measures, outlined in nine essential points, under "Steps to take if your organization is already infected".

For advice on how to minimize potential harm, smaller organizations should refer to the National Cyber Security Centre's (NCSC) Small Business Guide.

For information on securing your devices at home, read the summary of the NCSC guide written specifically for individuals and families.

Actions to be taken

There are some actions you can take to help prepare your organization for potential malware and ransomware attacks.

Action 1: Perform regular backups

Up-to-date backups are the most effective way to recover from a ransomware attack. You should do the following:

  • Make regular backups of your most important files (what counts as important will differ for every organization), make sure you know how to restore files from backup, and regularly check that the restore works as expected.
  • Create offline backups kept separate from your network and systems, in a different location (ideally offsite) or in a cloud service designed for this purpose, because ransomware actively targets backups to increase the likelihood of payment. The NCSC's "Offline Backup in an Online World" blog provides helpful additional tips for organizations.
  • Create multiple copies of files using different backup solutions and storage locations. Do not rely on two copies on a single removable drive, nor on multiple copies in a single cloud service.
  • Make sure that devices containing backups (such as external hard drives and USB sticks) are not permanently connected to the network. Attackers target connected backup devices and solutions to make recovery more difficult.
  • Make sure your cloud service protects previous backup versions from immediate deletion and allows you to restore them. Otherwise both live and backup data can become inaccessible, because cloud services often synchronize immediately after files are replaced with encrypted copies.
  • Connect backups only to known clean devices before starting a restore.
  • Scan backups for malware before restoring files. Ransomware may have been present on the network for some time and replicated into backups before being discovered.
  • Regularly patch the products used for backup so that attackers cannot exploit known vulnerabilities in them.

There have been instances where attackers destroyed copied files or aborted recovery processes before conducting ransomware attacks. Ideally, backup accounts and solutions should be protected by using Privileged Access Workstations (PAW) and hardware firewalls that enforce an IP address allow list. Multi-factor authentication (MFA) must be enabled, and the MFA method must not be installed on the same device used for administering backups. Privileged Access Management (PAM) solutions eliminate the need for administrators to directly access high-value backup systems.
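The backup advice above makes two checks concrete: that a restore actually works, and that a backup is scanned before anything is restored from it. The script below is an added example (not NCSC or LSNN code) of how both can be automated: it records a SHA-256 manifest when a backup is taken, and before a restore it reports files that are missing or modified and flags files whose bytes look encrypted, which is what ransomware-encrypted copies that synchronised into the backup look like. The manifest name, entropy threshold and the sample files in `demo()` are assumptions constructed for this example.

```python
"""Backup manifest and pre-restore verification (added example, not NCSC/LSNN code)."""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed file name
ENTROPY_THRESHOLD = 7.5                 # bits per byte; encrypted data sits near 8.0
# Headers of legitimately high-entropy formats that should not be flagged.
KNOWN_COMPRESSED = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\x89PNG", b"\xff\xd8\xff")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """Heuristic: the first chunk is high-entropy and not a known compressed format."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    if head.startswith(KNOWN_COMPRESSED):
        return False
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def write_manifest(backup_root: Path) -> dict:
    """Record the digest of every file under backup_root at backup time."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path) -> dict:
    """Compare the backup with its manifest; returns ok/modified/missing/suspicious paths."""
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    result = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.exists():
            result["missing"].append(rel)
            continue
        result["ok" if sha256_file(p) == digest else "modified"].append(rel)
        if looks_encrypted(p):
            result["suspicious"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware damage syncing into it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly report, plain text\n" * 20)
    (root / "docs" / "notes.txt").write_text("meeting notes\n" * 10)
    write_manifest(root)
    # Deterministic pseudo-random bytes stand in for an encrypted replacement file.
    encrypted_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "docs" / "report.txt").write_bytes(encrypted_like)
    (root / "docs" / "notes.txt").unlink()
    return verify_backup(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run `verify_backup()` from a known clean machine before every restore, as the guidance says; a non-empty `modified`, `missing` or `suspicious` list means the backup should not be trusted until the cause is understood. The entropy heuristic is deliberately conservative and is a complement to, not a replacement for, an antivirus scan of the backup set.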

Action 2: Prevent malware from being distributed and spread to devices

You can reduce the likelihood of malicious content reaching your devices through a combination of:

  • filtering to allow only the file types you would expect to receive
  • blocking websites that are known to be malicious
  • actively inspecting content
  • using signatures to block known malicious code

These controls are typically performed by network services rather than by users' devices. Examples include:

  1. mail filtering (in combination with spam filtering), which can block malicious emails and remove executable attachments. The NCSC's Mail Check platform can also help eligible organizations with this; check your organization's eligibility for Mail Check.
  2. intercepting proxies, which block known malicious websites
  3. Internet security gateways, which can inspect the contents of certain protocols (including some encrypted protocols) for known malware
  4. safe browsing lists within web browsers, which can prevent you from accessing sites known to host malicious content
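The first two controls in the list above (filtering to the file types you expect, and inspecting content rather than trusting names) are illustrated by the following added example, which is not NCSC or LSNN code. It models the attachment stage of a mail filter: each attachment is checked against an allowlist of expected extensions, the declared type must agree with the bytes actually present, and executable content is blocked whatever extension it carries, so a double extension such as `invoice.pdf.exe` or an executable renamed to `.pdf` is caught. The allowlist, the magic bytes and the sample attachments are assumptions constructed for this example.

```python
"""Inbound attachment allowlist with content inspection (added example, not NCSC/LSNN code)."""
from dataclasses import dataclass

# Extension -> header bytes the content must start with. An empty tuple means the
# type has no fixed header and is checked another way (plain text, below).
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are zip containers
    ".txt": (),
}
# Headers of executable formats that are blocked whatever the extension says.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe")


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reason: str


def inspect_attachment(filename: str, content: bytes) -> Verdict:
    """Decide whether one attachment may be delivered."""
    name = filename.lower()
    # Only the final extension counts, so "invoice.pdf.exe" is judged as .exe.
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return Verdict(filename, False, f"type {ext or '(none)'} is not on the allowlist")
    if content.startswith(EXECUTABLE_MAGIC):
        return Verdict(filename, False, f"executable content under a {ext} extension")
    expected = ALLOWED_TYPES[ext]
    if expected and not content.startswith(expected):
        return Verdict(filename, False, f"content does not match declared type {ext}")
    if ext == ".txt":
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(filename, False, "text attachment is not valid UTF-8")
        if b"\x00" in content:
            return Verdict(filename, False, "text attachment contains NUL bytes")
    return Verdict(filename, True, "ok")


def filter_attachments(attachments) -> list:
    """Run the check over (filename, content) pairs; one Verdict per attachment."""
    return [inspect_attachment(n, c) for n, c in attachments]


# Constructed sample attachments for the demonstration (not real messages).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("report.docx", b"PK\x03\x04" + b"\x00" * 26),
    ("notes.txt", "agenda for Monday\n".encode()),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),  # double extension, real executable
    ("statement.pdf", b"MZ\x90\x00\x03"),    # executable renamed to look like a PDF
    ("macros.docm", b"PK\x03\x04"),          # macro-enabled type not expected from outside
    ("readme.txt", b"text\x00with\x00nulls"),
]


if __name__ == "__main__":
    for v in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {v.filename}: {v.reason}")
```

The design point is that the allowlist is positive (only expected types pass) and that the filename is never trusted on its own: the header check rejects renamed executables, and the per-type rules reject content that does not match what the extension claims. A production filter would additionally hand allowed files to signature-based scanning, the fourth control in the list.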


Eligible organizations are encouraged to sign up for the NCSC's Protective Domain Name Service (PDNS), which prevents users from reaching known malicious sites. Check your organization's eligibility for PDNS.

Ransomware is increasingly distributed by attackers who have gained remote access via exposed services such as Remote Desktop Protocol (RDP) or unpatched remote access devices. To prevent this, organizations should:

  • disable RDP if it is not necessary (if you are unsure whether you are running RDP, the NCSC recommends signing up for its Early Warning service)
  • enable multi-factor authentication on all remote access points in the network and enforce an IP allow list using hardware firewalls
  • use a VPN that meets NCSC recommendations for remote access to services; Software as a Service and other Internet-exposed services should use Single Sign-On (SSO), where access policies can be defined (for more information, read the NCSC blog post on securing management interfaces)
  • use the least-privilege model to provide remote access: authenticate with low-privilege accounts and provide a controlled process that allows a user to increase their privileges within the remote session as needed
  • immediately fix known vulnerabilities in all remote access and externally facing devices (refer to the NCSC guide on managing vulnerabilities within the organization if necessary) and follow the vendor's remediation guidelines, including installing new patches as they become available
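Three of the remote-access controls above (an IP allow list, MFA on every remote access point, and low-privilege accounts for the initial login) leave a trace in the gateway's authentication log, so their effectiveness can be audited after the fact. The script below is an added example (not NCSC or LSNN code) of such an audit: it reads login records, and for each successful login reports a source address outside the allow list, a login that completed without MFA, or a privileged account used for direct remote login. The log format, the allow-listed networks, the privileged account names and the sample lines are all assumptions constructed for this example.

```python
"""Remote-access login audit against an IP allow list, MFA and least privilege.

Added example, not NCSC/LSNN code; log format and values are constructed.
"""
import ipaddress
import re

# Networks permitted to reach the remote-access service (assumed allow list).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]
# Accounts that should never authenticate directly to a remote session (assumed names).
PRIVILEGED_ACCOUNTS = {"administrator", "backup-admin"}

# Assumed key=value log format written by the gateway.
LOG_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)"
)


def in_allowlist(ip_text: str) -> bool:
    """True if the address parses and falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def audit_line(line: str) -> list:
    """Return the control violations for one successful login (empty list if none)."""
    m = LOG_RE.search(line)
    if not m:
        return ["unparseable log line"]
    if m["result"] != "success":
        return []  # failed attempts are not the subject of this check
    findings = []
    if not in_allowlist(m["src"]):
        findings.append(f"source {m['src']} outside IP allow list")
    if m["mfa"] == "no":
        findings.append("login completed without MFA")
    if m["user"].lower() in PRIVILEGED_ACCOUNTS:
        findings.append(f"privileged account {m['user']} used for direct remote login")
    return findings


def audit_log(lines) -> list:
    """Audit every line; returns [{'line': n, 'findings': [...]}] for offending lines only."""
    report = []
    for number, line in enumerate(lines, start=1):
        findings = audit_line(line)
        if findings:
            report.append({"line": number, "findings": findings})
    return report


# Constructed sample log (documentation-range addresses, fictitious users).
SAMPLE_LOG = [
    "2022-03-12T09:14:02Z user=alice src=198.51.100.23 mfa=yes result=success",
    "2022-03-12T09:15:40Z user=bob src=203.0.113.77 mfa=yes result=success",
    "2022-03-12T09:16:05Z user=carol src=192.0.2.15 mfa=no result=success",
    "2022-03-12T09:17:33Z user=administrator src=198.51.100.9 mfa=yes result=success",
    "2022-03-12T09:18:10Z user=dave src=203.0.113.5 mfa=no result=failure",
    "garbage line left by log rotation",
]


if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        print(f"line {entry['line']}: " + "; ".join(entry["findings"]))
```

A login from outside the allow list that nevertheless succeeded means the firewall rule is not actually enforced in front of that service; a successful login without MFA means MFA is configured as optional somewhere; and a direct privileged login shows that elevation is not going through the controlled process the guidance asks for. Each finding points at a control to fix rather than at an incident to respond to, which is the purpose of running the audit regularly.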

Steps to take if your organization is already infected

If your organization has already been infected with malware, these steps can help limit the impact:

  1. Immediately disconnect infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile network based.
  2. In a very serious case, consider whether you may need to turn off Wi-Fi, disable any connections to the main network (including switches), and disconnect from the internet.
  3. Reset your credentials including passwords (especially for the administrator and other system accounts), but make sure you don't lock yourself out of the systems needed for recovery.
  4. Safely erase infected devices and reinstall the operating system.
  5. Before restoring from a backup, make sure it is free from malware. You should only restore from a backup if you are very sure that the backup and the device you are connecting it to are clean.
  6. Connect devices to a clean network to download, install and update the operating system and all other software.
  7. Install, update and run antivirus software.
  8. Reconnect to your network.
  9. Monitor network traffic and run virus scans to identify if any infections remain.

The NCSC jointly published a Notice: Technical Approaches to Malicious Activity Discovery and Remediation, which provides more detailed information on remediation processes.

Individuals and families

The NCSC's cybersecurity tips protect you, your family and the technology you rely on.

What is cyber security?

Cyber security is the means by which individuals and organizations reduce the risk of being affected by cybercrime.

The primary function of cybersecurity is to protect the devices we all use (smartphones, laptops, tablets and computers) and the services we access online, whether at home or at work, from theft or damage. It is also about preventing unauthorized access to the large amounts of personal information we store on these devices and online.

Cybersecurity is important because smartphones, computers and the internet are now such a fundamental part of modern life that it is hard to imagine how we would function without them. From banking and online shopping to email and social media, it is more important than ever to take steps that prevent cybercriminals from gaining possession of our accounts, data and devices.

Cyber awareness and online security

From banking to shopping, streaming to social media, people are spending more time online than ever. Cyber Aware is the UK government's advice on how to stay safe online.

In addition to the six Cyber Aware actions, the NCSC has provided additional guidance for those wishing to stay safe online.

Use a strong and separate password for your email

Why it is important to pay special attention to your email password.

Install the latest software and app updates

Timely application of security updates will help protect your devices and accounts from cyber criminals.

Enable two-step verification (2SV)

Turning on 2-Step Verification is one of the most effective ways to protect your online accounts from cybercriminals.

Password Managers - Use browsers and apps to securely store your passwords

Need help remembering all your passwords? Get a password manager or save them on your browser.

Back up your data

How to make sure you can recover photos, documents and other important personal data stored on your IT equipment.

Three random words

Combine three random words to create a password that is "long enough and strong enough".

1) Ransomware: a type of malware that restricts access to the device it infects and demands that a ransom be paid to remove the restriction.

2) Malware: in computer security, any computer program used to disrupt the operations carried out by a computer user. The term was coined in 1990 by Yisrael Radai; previously such programs were called computer viruses. In Italian they are also commonly referred to as malicious code.

Source by Redazione
