The cyber attacks that crippled many NHS computer systems on Friday have prompted organisations to advise on how better to deal with, prepare for and prevent future attacks.
Below is a summary of the prevention and recovery tips from NHS Digital, the Information Commissioner’s Office and the European Union’s law enforcement agency, Europol.
Hackers spread ransomware, known as WannaDecryptor, to computers around the world on Friday, locking down files on an infected computer. The ransomware then demands money, in the form of Bitcoins, to be paid to release control of the files.
How bad is the damage?
According to Europol, the European Union’s law enforcement agency, the attack spread to 150 countries, affecting 200,000 computers. FedEx, Nissan, and the United Kingdom’s NHS were among the victims. There are currently 7 trusts and 13 health boards across England and Scotland still affected by Friday’s attack.
Europol: how to prevent a ransomware attack
- Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. Create two back-up copies: one to be stored in the cloud and one to store physically
- Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected
- Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it
- Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know
- Enable the ‘show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’
- If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading
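The file-extension tip above can also be enforced mechanically, for example on attachment names at a mail gateway or help desk. The following Python sketch is an added example, not code from Europol or the other organisations quoted; the decoy-extension list, the reason labels and the sample names are assumptions made for illustration.

```python
import unicodedata

# Extensions the Europol tip names; extend the set to match local policy.
RISKY_EXTENSIONS = {".exe", ".vbs", ".scr"}
# Harmless-looking extensions that can sit in front of the real one (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Unicode bidirectional controls that change how a name is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}

def check_filename(name):
    """Return the reasons an attachment name looks deceptive (empty list if none)."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi-control")
    # Drop invisible format characters, then the trailing dots/spaces Windows ignores.
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    cleaned = visible.rstrip(". ").lower()
    parts = cleaned.split(".")
    if len(parts) < 2:
        return reasons
    final_ext = "." + parts[-1]
    if final_ext in RISKY_EXTENSIONS:
        reasons.append("risky-extension:" + final_ext)
        # With extensions hidden, only the decoy extension would be shown.
        if len(parts) >= 3 and "." + parts[-2].strip() in DECOY_EXTENSIONS:
            reasons.append("double-extension")
        # Runs of spaces push the real extension out of a narrow name column.
        if "   " in cleaned:
            reasons.append("padded-name")
    return reasons

def triage(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := check_filename(n))}

# Constructed sample attachment names, not taken from any real incident.
SAMPLES = [
    "rota_may.xlsx",
    "invoice.pdf.exe",
    "scan.jpg          .scr",
    "report\u202excod.exe",
    "update.VBS.",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(repr(name), reasons)
```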
NHS Digital steps for health care organisations:
On Sunday NHS Digital released a statement advising all chief executives to obtain a comprehensive update against the action recommended which should include:
- the number of PCs and other Windows-enabled devices that are within your estate i.e. the total number of devices in your organisation
- the number of PCs and other Windows-enabled devices within your estate that have been infected with the ransomware resulting from Friday’s attack
- the number of PCs and other Windows-enabled devices that have been patched and cleansed, and the number for which this process has not been carried out
- the number of Windows-enabled diagnostic imaging and pathology devices that have been patched and cleansed, and the number for which this process has not been carried out
- the status of general patching throughout your IT estate, including whether your anti-virus and firewall protection meets the cybersecurity guidelines
- where prior Windows patches have not been applied, a plan for them to be applied to the IT estate as a matter of urgency. All unpatched devices make your IT estate vulnerable.
NHS Digital patches to remove the vulnerability (that ‘WannaDecrypt0r’ ransomware has exploited)
- Infected computers should be disconnected from the network immediately, and before applying any patches
- The machine should be restored and built from a known good back-up before being entered back on to a clean network or any centralised deployment methods are utilised
- Patches can be deployed centrally by using systems such as WSUS, System Center Configuration Manager or third party update management solutions such as Zenworks
- It’s important to understand if the machines on your network have been patched; if you’re unsure, please contact your local IT provider.
Information Commissioner’s Office top prevention tips:
- Check you have basic technical cyber protection against malware and that it is up to date
- Ensure all your devices have the latest necessary security patches
- Remove unnecessary user accounts (such as guest and unnecessary administrator accounts) and restrict user privileges to only what is necessary
- Remove or disable unnecessary software to reduce the number of potential routes of entry available to ransomware
- Segment your network so that if an attack does take place the damage you suffer is limited
- Importantly, your back-ups need to be protected from also being encrypted – make sure you have an offline and offsite back-up
- Train your staff to recognise a ransomware attack if it does manage to get past your anti-malware protection
Information Commissioner’s Office top recovery tips:
- Make sure you have an effective back-up policy and process in place and that this is working. Can you be sure the back-up will not be encrypted in the event of a successful attack?
- Make sure you can recover from a ransomware attack by testing your back-ups regularly
- Once you have removed the ransomware, ensure that you carry out a full security scan and penetration test of your systems and network – if attackers were able to get the ransomware onto your systems, they may have gained other access that you have not detected.
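One way to make the "test your back-ups regularly" advice above checkable is to record a hash manifest when the back-up is taken and compare every test restore against it. The Python sketch below is an added example, not code from the ICO or the other organisations quoted; the function names, file names and the `.locked` suffix are assumptions, and the manifest is assumed to be kept offline with the back-up so it cannot be altered alongside the live data.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root (run at back-up time)."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a test restore with the manifest and report every discrepancy."""
    current = build_manifest(restored_root)
    report = {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }
    report["ok"] = not any(report.values())
    return report

def demo():
    """Constructed scenario: one file's content altered, one file renamed."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"rota.csv": b"ward,shift\n", "notes.txt": b"handover\n"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)  # taken while the data is known good
        with open(os.path.join(root, "rota.csv"), "wb") as fh:
            fh.write(b"\x8f\x02\xc1unreadable")  # content no longer matches the manifest
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        return verify_restore(manifest, root)

if __name__ == "__main__":
    print(demo())
```

A restore that reports anything other than `ok` should not be put back on the network until the differences are explained.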