How to cut your risks of a human-operated ransomware attack

Many ransomware attacks are not fully automated but involve individuals gaining access, moving around your system and then deploying malware. Simon Dyson, NHS Digital’s Cyber Security Operations Centre lead, discusses how organisations can make it hard for them.


The ‘new normal’ of working from home has accelerated the use of digital technology at a pace we would never have imagined back in January – bringing with it threats as well as benefits.

The nature of the threats we face has not changed significantly, but the way in which we now connect to our organisation’s networks remotely could offer opportunities for malicious actors. The range of remote devices makes the potential attack surface greater.

However, the launch of a centrally funded solution, NHS Secure Boundary, can protect NHS organisations from even the most sophisticated of cyber attacks.

Thwarting the deployment of malware

One of the favourite methods of attack is the deployment of malware – malicious software. A significant number of cyber attacks still begin with a fake email – a Phishing attempt – that aims to entice a user to click on a link to an illegitimate website or deploy malware from an attachment.

Malware can then cause massive disruption by:

One type of malware commonly seen in cyber attacks is ransomware, which encrypts and locks data on devices, preventing access or even exfiltrating or deleting it. Often there is a demand for a ransom (hence the name) with a promise that the data will be made available once the payment has been made.

It’s therefore crucial to make regular off-site backups of important data, ensuring there are multiple copies and the devices on which backups are stored are not permanently connected to the network. 

Organisations should take preventative action to reduce the likelihood of a successful attack in which human-operated ransomware can be deployed. In the current climate, there is a significant increase in Remote Desktop Protocol (RDP) connections which allow devices to connect over the internet or a local network. These connections can be used as a target and a way in for attackers if they are exposed to the internet without appropriate security.

Multi-factor authentication should be used wherever possible, and users should be provided with the ability to connect via a Virtual Private Network (VPN) or a DirectAccess connection. Both of these can reduce the risk of a successful RDP attack because they encrypt the connection between staff and business systems which stops sensitive data being intercepted.

The potential impact of a human-operated ransomware attack can be significantly reduced by taking action to prevent attackers laterally moving from one device to another within a network, searching for any vulnerabilities.

Undertaking regular credential hygiene

Regular credential hygiene should be undertaken, ensuring users follow their organisation’s policies, preventing repeat passwords, introducing multi-factor authentication and ensuring an account lockout policy is in place. Unnecessary communication between endpoints should be reduced where possible as the more communication is allowed between devices, the more risk there is to mitigate.

Additionally, organisations should monitor for brute force attacks by checking excessive failed authentication attempts, ensure patching is up to date, address and remediate vulnerabilities, and secure perimeter connections via network and host-based firewalls, particularly for inbound connections. An access list, which specifies allowed connections based usually on IP addresses, helps to prevent malicious traffic entering the network.
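The monitoring described above can be sketched as a sliding-window count of failed logons per source address, cross-checked against the access list. This is an added example, not NHS Digital's code: the log line layout, the `10.20.0.0/16` access list, the threshold and the window are assumptions, the events are constructed, and the events are assumed to arrive in time order.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: time, Windows event ID, source IP, account.
# 4625 = an account failed to log on, 4624 = an account was successfully logged on.
SAMPLE_EVENTS = """\
2020-10-06T09:00:01 4625 203.0.113.50 admin
2020-10-06T09:00:09 4625 203.0.113.50 admin
2020-10-06T09:00:15 4625 10.20.4.17 j.smith
2020-10-06T09:00:18 4625 203.0.113.50 administrator
2020-10-06T09:00:27 4625 203.0.113.50 administrator
2020-10-06T09:00:31 4624 10.20.4.17 j.smith
2020-10-06T09:00:36 4625 203.0.113.50 admin
2020-10-06T09:01:10 4624 203.0.113.50 admin
2020-10-06T09:05:00 4625 10.20.9.9 svc-backup
2020-10-06T09:15:00 4625 10.20.9.9 svc-backup
2020-10-06T09:25:00 4625 10.20.9.9 svc-backup
2020-10-06T09:35:00 4625 10.20.9.9 svc-backup
2020-10-06T09:45:00 4625 10.20.9.9 svc-backup
"""

# Assumed access list: the only networks expected to reach the RDP service.
ACCESS_LIST = [ipaddress.ip_network("10.20.0.0/16")]

def detect_brute_force(text, threshold=5, window=timedelta(minutes=2)):
    """Alert on sources with `threshold` failed logons inside `window`."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in window
    alerts = {}                  # source IP -> alert record
    for line in text.strip().splitlines():
        ts, event_id, src, user = line.split()
        ts = datetime.fromisoformat(ts)
        if event_id == "4624" and src in alerts:
            alerts[src]["success_after_failures"] = user  # possible guessed password
        if event_id != "4625":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            ip = ipaddress.ip_address(src)
            alerts[src] = {"source": src, "alerted_at": ts.isoformat(),
                           "outside_access_list": not any(ip in n for n in ACCESS_LIST),
                           "success_after_failures": None}
    return list(alerts.values())

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_EVENTS))
```

A successful logon from a source that has already tripped the threshold is the record to triage first, since it may mean a password was guessed.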

Our Data Security Centre is on constant alert to obtain intelligence on threats and identify and successfully block malicious attempts across the NHS.

NHS Secure Boundary monitors local and national threats

NHS Secure Boundary can help you with this. The solution is at the forefront of protecting internet traffic from digital and cloud-based threats, through next generation firewall (NGFW) and web application firewall (WAF) protection.

This enables enhanced monitoring of local gateways – the devices or network nodes that send and receive data packets from the internet – and national visibility and intelligence allowing NHS Digital to correlate security event information on these applications. This gathering of national intelligence enables security risks to be more accurately identified, assessed and prioritised.

The solution now protects all the Health and Social Care Network internet traffic and is onboarding direct internet connections for NHS Trusts and CSUs. To learn more about this solution, please get in touch with the team at nhssecureboundary@nhs.net

It’s important to educate your staff and raise awareness of common cyber threats – they are an important layer in a defence-in-depth strategy, which means having as many layers of defence as possible. There is a range of resources available to support you to do this, including our own "Keep I.T. Confidential" campaign materials and the National Cyber Security Centre's cyber security training for staff, to name a couple.

We must continue to evolve and develop to stay one step ahead. You can find out more about how we can help you further at our cyber and data security website.

Simon Dyson

Simon is the lead for NHS Digital's Cyber Security Operations Centre (CSOC), based in the Data Security Centre in Leeds. He is an information security professional who has experience in risk, assurance, operations and has tackled Ransomware as a cyber investigator working previously in law enforcement.

Last edited: 6 October 2020 2:23 pm