At SWGfL we’ve noticed that a number of schools have fallen victim to ransomware attacks. In fact, a college in Scotland was recently forced to close because of a Trickbot attack.
To help, the National Cyber Security Centre (NCSC) has updated its guidance on how to mitigate malware and ransomware attacks and has produced this ‘Trickbot’ advisory for organisations on how to protect their networks from the banking Trojan.
What is Malware?
Malware is malicious software which, if it is able to run, can cause harm in a number of ways. It can render devices unusable, take control of them, steal your data, access your organisation's systems and more.
What is Ransomware?
Ransomware is a kind of malware that interferes with the data on your device (or with the device itself). It holds your device or files to "ransom" and demands that you pay money to regain access to them.
There are different types of ransomware which behave in slightly different ways, including:
- Encrypting your files or even your whole hard disk
- Locking your device so you can't use it
- Threatening to publish your information
Ransomware targets any user, whether at home, work or school. There is no guarantee that paying the ransom, or doing what the ransomware tells you, will ever give you access to your device or files again.
Types of Ransomware
There are hundreds of different variants of ransomware in existence today, but there are two main types – 'encrypting' ransomware and 'locking' ransomware.
Encrypting ransomware, as the name suggests, prevents you from accessing your files by encrypting them. Locking ransomware prevents you from using your device by disabling most features and displaying messages. Both will say you have to pay a “ransom” to get access to your device or files again.
What’s the point of Ransomware?
The distribution of ransomware is a criminal activity with the main intention being to get you to pay money (though in some cases it seems mass disruption is also an objective).
How does Ransomware infect your device?
Ransomware can reach your device from almost any source that other malware (including viruses) can come from. This includes:
- Visiting unsafe, suspicious, or fake websites
- Opening emails and email attachments from people you don’t know, or that you weren’t expecting
- Clicking on malicious or bad links in emails, Facebook, Twitter and IM chats like Skype
Reduce the risk of a Ransomware attack
Back up your data, regularly.
If you can restore access to your data easily and quickly, the impact of a ransomware attack will be far less disruptive. Some types of ransomware will encrypt files on other 'connected' drives, so it’s important to ensure that at least one backup is kept in a separate, 'offline' location. You could use an external drive and disconnect it once the backup is complete, or use an off-site backup service.
Keep software up to date, reducing vulnerabilities.
Some ransomware relies on security vulnerabilities in popular software applications, including Microsoft Windows, Microsoft Office, your browser, Flash, etc., so it’s important to keep your software up to date with the latest version.
Prevent malware from being delivered to devices
Reduce the likelihood of malicious content reaching your network by only allowing the file types you would expect to receive, blocking websites that are known to be malicious, actively inspecting content, and using signatures to block known malicious code. These controls are usually provided by network services such as email and web filtering.
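As an added illustration of the "only allow expected file types" and "actively inspect content" controls (example code written for this page, not SWGfL's or the NCSC's own tooling), the Python below applies a constructed attachment allowlist: it rejects double extensions such as invoice.pdf.exe, checks that a file's leading bytes match its claimed type so a renamed executable is caught, and refuses Office documents that carry a VBA macro project. The allowlist and sample documents are assumptions for the demo.

```python
"""Attachment allowlist filter: added illustration, not SWGfL or NCSC code."""
import io
import zipfile
from dataclasses import dataclass

# Extensions a school mailbox is assumed to expect (hypothetical policy).
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "png", "jpg", "txt"}
OFFICE = {"docx", "xlsx", "pptx"}            # OOXML files are ZIP containers
MAGIC = {                                    # leading bytes that verify a claimed type
    "pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment is of an expected type, and say why not."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(False, "no file extension")
    ext = parts[-1]
    # invoice.pdf.exe style names: a trusted-looking extension hidden before the real one
    if any(p in ALLOWED_EXTENSIONS for p in parts[1:-1]):
        return Verdict(False, "double extension ." + ".".join(parts[1:]))
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f".{ext} is not an expected file type")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return Verdict(False, f"content does not match .{ext}")  # e.g. a renamed executable
    if ext in OFFICE:
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return Verdict(False, "corrupt Office container")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return Verdict(False, "Office document carries VBA macros")
    return Verdict(True, "ok")


def make_office_blob(entries):
    """Build a minimal constructed OOXML-like ZIP with the given entry names (demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, "<stub/>")
    return buf.getvalue()
```

A real gateway would also scan the content with signatures, as the paragraph above recommends; this check only decides whether the attachment is the kind of file you expected at all.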
Anti-malware is vital, keep yours up to date.
SWGfL recommends Sophos Endpoint Protection and Intercept X, and what’s more, we’re able to offer schools top-notch protection at massively reduced prices for 36 months of cover.
Keep all your passwords sufficiently complex
If you connect to school from home you might be using RDP (Remote Desktop Protocol). Some types of malware specifically target machines that expose RDP. As a user, the best way to defend yourself is to ensure that your password is sufficiently strong; it is also worth asking whether RDP access has been 'secured' in any way, or whether an SSL VPN would be a better option.
Only use admin rights when you absolutely have to
Don’t give yourself more permission than you need. Don’t stay logged in as an 'administrator' any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
Emails...if in doubt, don't open it!
Don’t open emails and email attachments that look odd, or are from people you don’t know, or that you weren’t expecting. We explored this in a lot more detail in the Phishing article.
Steps to take if your organisation is already infected
If your organisation has been infected with malware, these steps may help limit the impact of the infection. You should also refer to the NCSC's Cyber Incident Response scheme.
- Disconnect your network connections - whether wired, wireless or mobile phone based, disconnect all infected devices.
- Consider turning off your Wi-Fi - disabling any core network connections (including switches) might be necessary in serious cases.
- Reset credentials including passwords (especially for administrators) - but verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe the infected devices and reinstall the operating system.
- Before you restore from a backup, verify that it is free from malware and ransomware. You should only restore from a backup if you are very confident that the backup is clean.
- Connect devices to a clean network in order to download, install and update the operating system and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify whether any infection remains.
Note: Files encrypted by most ransomware cannot be decrypted by anyone other than the attacker. Don't waste your time or money on services that promise to do it. In some cases, security professionals have produced tools that can decrypt files by exploiting weaknesses in the malware (which may recover some data), but you should take precautions before running unknown tools on your devices.