Ransomware: Your organisation should be both protected and prepared

Recent high-profile ransomware incidents, both in New Zealand and abroad, offer a timely reminder to all New Zealand organisations about the importance of information security and cyber resilience. Preparation is everything. Your organisation needs to practise defence in depth to protect your systems and people against malicious cyber activity, and to be prepared for an incident should one occur.

Defence in depth

There is no one control that can be put in place to protect your systems from ransomware, and so the NCSC recommends a defence in depth approach to reduce the risks for your organisation. This involves:

  • Layered defences that are capable of stopping malicious activity at different points, both at the boundary of and within your networks;
  • Segmenting networks to limit the access a malicious actor has if they gain a foothold in one part of your network; and
  • Appropriate monitoring to enable the prompt identification, investigation and response to malicious activity when it occurs.
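
One concrete form of the "appropriate monitoring" in the last point is a detection that fires on the behaviour ransomware cannot avoid: rewriting many files on a share in a short burst, typically renaming them to one new extension. The script below is an added example written for this page; it is not NCSC code or guidance text. The audit-line format, host and user names, paths, the `.lockd` extension and the thresholds are all constructed assumptions, and the sample events are made up.

```python
"""Added example (not NCSC text or code): flag the mass file-rename pattern
that ransomware encryption produces on a file share, from audit events.
Audit-line format, hosts, users, paths and thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed audit-line format (constructed, not any product's real format):
#   <UTC timestamp> host=<name> user=<name> op=<read|write|rename> path=<p> [new=<p>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed benign activity: a user saving documents and renaming temp files.
NORMAL_EVENTS = [
    "2024-05-01T10:00:01Z host=ws12 user=alice op=write path=/share/finance/q1.xlsx",
    "2024-05-01T10:00:05Z host=ws12 user=alice op=rename path=/share/finance/~draft.tmp new=/share/finance/draft.docx",
    "2024-05-01T10:03:10Z host=ws12 user=alice op=rename path=/share/finance/old.tmp new=/share/finance/old.docx",
    "2024-05-01T10:07:44Z host=ws12 user=alice op=read path=/share/finance/budget.xlsx",
]
# Constructed burst: 12 files renamed to one unfamiliar extension within 22 seconds.
BURST_EVENTS = [
    f"2024-05-01T10:20:{2 * i:02d}Z host=ws07 user=bob op=rename "
    f"path=/share/hr/file{i:02d}.pdf new=/share/hr/file{i:02d}.pdf.lockd"
    for i in range(12)
]
SAMPLE_EVENTS = NORMAL_EVENTS + BURST_EVENTS


def parse_event(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def extension(path):
    """Lower-cased final extension of a path, '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, window=timedelta(seconds=60), min_files=5, min_share=0.8):
    """Return one alert per (host, user) that renames at least `min_files`
    distinct files within `window`, where at least `min_share` of the renames
    that change the extension end up with the same new extension.
    The widest qualifying window per actor is reported."""
    renames = [e for e in map(parse_event, lines) if e and e["op"] == "rename" and e["new"]]
    renames.sort(key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in renames:
        by_actor[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in by_actor.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            changed = [e for e in evs[start:end + 1] if extension(e["new"]) != extension(e["path"])]
            files = {e["path"] for e in changed}
            if len(files) < min_files:
                continue
            new_ext, count = Counter(extension(e["new"]) for e in changed).most_common(1)[0]
            if count / len(changed) >= min_share and (best is None or len(files) > best["files"]):
                best = {"host": host, "user": user, "new_ext": new_ext, "files": len(files),
                        "first": evs[start]["ts"].isoformat(), "last": evs[end]["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}/{a['user']}: {a['files']} files renamed to "
              f".{a['new_ext']} between {a['first']} and {a['last']}")
```

Two practical caveats: legitimate software that rewrites many files (archivers, document converters, sync clients) will also trip a rate rule, so in production the rule is paired with an allow-list of known extensions or a per-share baseline; and an alert is only useful if it reaches someone who can act on it quickly, which is the point the guidance makes about monitoring enabling prompt investigation and response.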

Your organisation should already be developing good information security practices and principles, such as user access management, the zero trust model, and legacy platform management.

Addressing the ransomware risk

As well as encrypting your data for ransom, ransomware actors will often exfiltrate (steal) your data before deploying ransomware on your network, so that they can also threaten to release it. Actions that your organisation can take now to mitigate these risks include:

  • Reviewing your systems to determine where sensitive information is stored (such as personally identifiable information, login credentials, and intellectual property) to inform an assessment of the risks associated with data exfiltration. This includes the potential loss of commercially sensitive data, as well as risks to the privacy of customers and employees, and to the security of information systems on your own network and on those of the organisations they interact with. Consider whether encryption of your information is an option, both in transit (travelling across the network) and at rest (stored). Note that encryption at rest only protects data from an actor who has not obtained the credentials or keys that legitimate users and services use to read it, so it complements, rather than replaces, access management.
  • Reviewing your organisation’s security posture in relation to a ransomware event. Does your organisation have any risk mitigation strategies or security uplift projects that could be given higher priority? Are there any patches or upgrades to critical systems which were previously deferred that can be brought forward?
  • Re-emphasising security awareness. Remind staff to be vigilant, and tell them how to contact your organisation’s security team should they receive any suspicious communications or see any strange activity on your organisation’s network. CERT NZ has guidance available on phishing scams here.

Incident management

Even if an organisation is up to date with patches and upgrades to critical systems, new zero-day vulnerabilities are frequently identified. This means your organisation should be well prepared to manage an incident, on the assumption that one will eventually occur. The NCSC provides advice on how to approach this area of organisational planning in our Incident Management: Be Resilient, Be Prepared guidance document. Actions that your organisation can take now to be better prepared include:

  • Reviewing your incident management plan. At the core of effective incident management is a well-established and tested plan. Your organisation should have defined roles and responsibilities for everyone involved, which will help identify what actions need to be taken should an incident occur, as well as who needs to be informed and when.
  • Reviewing your organisation’s back-up process. Regular testing of back-ups is an important way to have confidence in your organisation’s ability to respond to, and recover from, a ransomware event. Your organisation should understand the process of restoring from back-ups and have tested the process to ensure it can be done at pace. A test should restore real data to a clean location and verify it, not just confirm that a back-up job reported success, and at least one copy of your back-ups should be kept offline or otherwise out of reach of an actor who has gained administrative access to your network.
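
The following is an added example of an automated restore drill of the kind the last point calls for; it is not NCSC code and does not represent any particular back-up product. It builds a small constructed sample tree, records a SHA-256 manifest of every file at back-up time, restores the archive into a clean directory and checks every restored file against the manifest while timing the restore. A second run deliberately simulates a common real failure, a back-up job that silently skipped a directory, to show that the drill catches it. The temporary paths, file names and the `skip_dir` option are assumptions made for the example.

```python
"""Added example (not NCSC code): a back-up restore drill that verifies a
restore against a manifest taken at back-up time and reports what is missing,
changed or extra, plus how long the restore took. All data is constructed."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Python 3.12+ (and patched 3.8-3.11) can refuse path-traversal members on extract.
_EXTRACT_KWARGS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path relative to root -> SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive, skip_dir=None):
    """Write a .tar.gz of src. `skip_dir` is an assumed knob that simulates a
    back-up job silently omitting one top-level directory (e.g. locked files)."""
    def keep(info):
        return None if skip_dir and Path(info.name).parts[:1] == (skip_dir,) else info
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name, filter=keep)


def restore_drill(archive, manifest, dest):
    """Restore archive into dest and compare the result with the manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    started = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **_EXTRACT_KWARGS)
    elapsed = time.perf_counter() - started
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest.keys() & restored.keys() if manifest[p] != restored[p])
    extra = sorted(set(restored) - set(manifest))
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "seconds": round(elapsed, 3),
    }


def make_sample_tree(root):
    """Constructed stand-in for a document share plus a database dump."""
    (root / "docs").mkdir(parents=True)
    (root / "db").mkdir()
    (root / "docs" / "plan.txt").write_text("incident management plan, version 3\n")
    (root / "docs" / "contacts.csv").write_text("role,contact\nsecurity-oncall,example-only\n")
    (root / "db" / "crm.dump").write_bytes(os.urandom(4096))


def run_drills():
    """Run a complete and a deliberately incomplete back-up through the drill."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        make_sample_tree(src)
        manifest = build_manifest(src)           # taken at back-up time, stored separately
        create_backup(src, tmp / "good.tgz")
        create_backup(src, tmp / "bad.tgz", skip_dir="db")
        return {
            "complete": restore_drill(tmp / "good.tgz", manifest, tmp / "restore_good"),
            "incomplete": restore_drill(tmp / "bad.tgz", manifest, tmp / "restore_bad"),
        }


if __name__ == "__main__":
    for name, result in run_drills().items():
        print(f"{name}: ok={result['ok']} verified={result['files_verified']} "
              f"missing={result['missing']} seconds={result['seconds']}")
```

In practice the manifest must be stored somewhere the back-up system and its administrators cannot silently rewrite, the drill should be run from the offline or immutable copy rather than the live one, and the recorded `seconds` figure for a representative data set is what tells you whether a full restore can actually be done at pace.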

Additional resources

The NCSC addresses some of the key development areas in cyber security for New Zealand organisations in our Charting Your Course: Cyber Security Governance and Supply Chain Cyber Security: In Safe Hands guidance documents.

More specific information on security controls can be found in the New Zealand Information Security Manual (NZISM), the New Zealand Government's manual on information assurance and information systems security, which is an integral part of the Protective Security Requirements (PSR) framework.

Our partners have additional information relating specifically to ransomware, as follows:

If you believe your organisation may have been impacted by ransomware, please refer to this page.