Ransomware is malicious software that prevents users from accessing their system or files, and demands that a ransom be paid in order to regain access. The RYUK ransomware strain has been around for roughly 5 months now, and has been seen affecting South West organisations.
Unlike some ransomware strains, RYUK is used for more targeted attacks. Typically, it functions by encrypting crucial assets and resources, with its infection and distribution carried out manually by criminals. This means that a lot of ground work is done by attackers, such as network mapping/hacking and credential collection.
RYUK shows similarities to the HERMES ransomware strain, which is known to contain code that will identify and delete backup files on a target network.
RYUK is likely to be delivered via phishing emails with malicious attachments (e.g. invoices/reports), or through insufficiently protected Remote Desktop Protocol (RDP) configurations.
- Back up your data! If you're hit by a ransomware attack, then you can restore from those backups.
- Whether you're backing up to USB storage devices or separate drives, make sure that your backups are not connected to your internal network, or else they'll be at risk of infection as well.
- Store your backups off-site as well as on-site, so that in the event of environmental damage (e.g. fires or floods) you'll still have backups to restore from.
- Cloud storage is a great option which satisfies the above points and is now much more affordable.
- Educate and train staff to defend against phishing attacks - see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing. This guidance also includes information for IT staff on configuring email filters effectively, which can counter certain types of Business Email Compromise (BEC).
- Protect your devices by ensuring that all software is frequently being patched and updated. Ransomware exploits vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.
- Install and run Antivirus software - make sure that it's updated regularly!
- Ensure that you have firewalls and that they have been correctly configured. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
- Remote Desktop Protocol (RDP) allows administrators to connect remotely to computers over a network connection. If you have no need for RDP, consider disabling it. If you are using it, make sure that you:
  - Employ strong/unique passwords (consider using the 'ThreeRandomWords' technique)
  - Review port security (e.g. consider reassigning default ports/disabling unused ports)
  - Use a VPN and Two-Factor Authentication for remote working
  - Make use of monitoring tools on RDP
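The RDP points above can be checked on a Windows host with a short audit script. This is an added example, not part of the original advisory: it reads the standard Terminal Server registry values, lists the enabled Remote Desktop firewall rules, and counts failed RDP logons (Security event 4625, logon type 10) per source address over the last 24 hours. The 20-failure alert threshold is an assumption; run it in an elevated PowerShell session on the machine that accepts RDP connections.

```powershell
# Added example: audit a host's RDP exposure (registry paths and event IDs are standard Windows values).
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means incoming connections are refused.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    Write-Host 'RDP: disabled (fDenyTSConnections=1). Nothing further to check.'
    return
}
$findings.Add('RDP is enabled; confirm there is a business need, otherwise disable it.')

# 2. Network Level Authentication checks credentials before a desktop session is created.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('NLA (UserAuthentication) is not required; set it to 1.') }

# 3. Listening port (default 3389). Reassigning it only reduces noise; it is not a control on its own.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
Write-Host "RDP listening port: $port"

# 4. Windows Firewall: which Remote Desktop rules are enabled, and on which network profiles.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    ForEach-Object { Write-Host ("Firewall rule enabled: {0} [{1}]" -f $_.DisplayName, $_.Profile) }

# 5. Monitoring: failed logons (4625) where LogonType (field 10) is 10 = RemoteInteractive (RDP),
#    grouped by source IpAddress (field 19) to spot password guessing against the RDP service.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending
foreach ($g in ($failed | Select-Object -First 10)) {
    Write-Host ("{0,5} failed RDP logons from {1}" -f $g.Count, $g.Name)
    # Assumed threshold: 20 failures from one address in 24h is worth investigating.
    if ($g.Count -ge 20) { $findings.Add("Possible RDP password guessing from $($g.Name) ($($g.Count) failures)") }
}

Write-Host "`nFindings:"
$findings | ForEach-Object { Write-Host " - $_" }
```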
If you suffer a ransomware attack, do NOT pay the ransom. If you do pay, there is no guarantee that you will receive your data back. If anything, paying out means that you're likely to be targeted again. Report the crime to ActionFraud via phone 0300 123 2040 or website (https://www.actionfraud.police.uk).