Skip to main content

How to cut your risks of a human-operated ransomware attack

Many ransomware attacks are not fully automated but involve individuals gaining access,  moving around your system and then deploying malware. Simon Dyson, NHS Digital’s Cyber Security Operations Centre lead, discusses how organisations can make it hard for them.

The ‘new normal’ of working from home has accelerated the use of digital technology at a pace we would never have imagined back in January – bringing with it threats as well as benefits.

Photo of Simon Dyson in front of his computer at home.

The nature of the threats we face has not changed significantly, but the way in which we now connect to our organisation’s networks remotely could offer opportunities for malicious actors. The range of remote devices makes the potential attack surface greater.

However, the launch of a centrally funded solution, NHS Secure Boundary, can protect NHS organisations from even the most sophisticated of cyber attacks.

Thwarting the deployment of malware

One of the favourite methods of attack is the deployment of malware – malicious software. A significant number of cyber attacks still begin with a fake email – a Phishing attempt – that aims to entice a user to click on a link to an illegitimate website or deploy malware from an attachment.

Malware can then cause massive disruption by:

  • rendering devices unusable
  • stealing credentials to gain access to networks
  • controlling devices to form Botnets which can be used in further attacks
  • stealing, altering or encrypting data

One type of malware commonly seen in cyber-attacks is Ransomware, which encrypts and locks data on devices, preventing access or even exfiltrating or deleting it.  Often there is a demand for a ransom (hence the name) with a promise that the data will be made available once the payment has been made.

It’s therefore crucial to make regular off-site backups of important data, ensuring there are multiple copies and the devices on which backups are stored are not permanently connected to the network. 

These connections can be used as a target and a way in for attackers if they are exposed to the internet without appropriate security.

Organisations should take preventative action to reduce the likelihood of a successful attack in which human-operated ransomware can be deployed.  In the current climate, there is a significant increase in Remote Desktop Protocol (RDP) connections which allow devices to connect over the internet or a local network. These connections can be used as a target and a way in for attackers if they are exposed to the internet without appropriate security.

Multi-factor authentication should be used wherever possible, and users should be provided with the ability to connect via a Virtual Private Network (VPN) or a DirectAccess connection. Both of these can reduce the risk of a successful RDP attack because they encrypt the connection between staff and business systems which stops sensitive data being intercepted.

The potential impact of a human-operated ransomware attack can be significantly reduced by taking action to prevent attackers laterally moving from one device to another within a network, searching for any vulnerabilities.

Undertaking regular credential hygiene

Regular credential hygiene should be undertaken, ensuring users follow their organisation’s policies, preventing repeat passwords, introducing multi-factor authentication and ensuring an account lockout policy is in place. Unnecessary communication between endpoints should be reduced where possible as the more communication is allowed between devices, the more risk there is to mitigate.

Additionally, organisations should monitor for brute force attacks by checking excessive failed authentication attempts, ensure patching is up to date, address and remediate vulnerabilities, and secure perimeter connections via network and host-based firewalls, particularly for inbound connections. An access list, which specifies allowed connections based usually on IP addresses, helps to prevent malicious traffic entering the network.

Our Data Security Centre is on constant alert to obtain intelligence on threats and identify and successfully block malicious attempts across the NHS.

NHS Secure Boundary monitors local and national threats

NHS Secure Boundary can help you with this. The solution is at the forefront of protecting internet traffic from digital and cloud-based threats, through next generation firewall (NGFW) and web application firewall (WAF) protection.

This enables enhanced monitoring of local gateways – the devices or network nodes that send and receive data packets from the internet – and national visibility and intelligence allowing NHS Digital to correlate security event information on these applications. This gathering of national intelligence enables security risks to be more accurately identified, assessed and prioritised.

We must continue to evolve and develop to stay one step ahead. 

The solution now protects all the Health and Social Care Network internet traffic and is onboarding direct internet connections for NHS Trusts and CSUs. To learn more about this solution, please get in touch with the team at [email protected]

It’s important to educate your staff and raise awareness of common cyber threats – they are an important layer in a defence in-depth strategy – having as many layers of defence as possible. There are a range of resources available to support you to do this, including our own 'Keep I.T. Confidential'  campaign materials and the National Cyber Security Centre's cyber training for staff, to name a couple. 

We must continue to evolve and develop to stay one step ahead.  You can find out more about how we can help you further at our cyber and data security website.

Related subjects

Our NHS Secure Boundary service is a perimeter security project supporting NHS organisations. Find out how we can help you secure your organisation.
We protect our NHS and care organisations from cyber attacks and we monitor for new threats 24 hours a day. Our teams support organisations across the NHS with advice, assessments, and training.
John Noble, the non-executive director who leads on information and cyber security for the NHS Digital Board, looks at the cyber threat facing the NHS as it deals with the coronavirus (COVID-19) pandemic.


Last edited: 17 July 2023 12:50 pm