Skip to main content

How to cut your risks of a human-operated ransomware attack

Many ransomware attacks are not fully automated but involve individuals gaining access,  moving around your system and then deploying malware. Simon Dyson, NHS Digital’s Cyber Security Operations Centre lead, discusses how organisations can make it hard for them.

Photo of Simon Dyson in front of his computer at home.

The ‘new normal’ of working from home has accelerated the use of digital technology at a pace we would never have imagined back in January – bringing with it threats as well as benefits.

The nature of the threats we face has not changed significantly, but the way in which we now connect to our organisation’s networks remotely could offer opportunities for malicious actors. The range of remote devices makes the potential attack surface greater.

However, the launch of a centrally funded solution, NHS Secure Boundary, can protect NHS organisations from even the most sophisticated of cyber attacks.

Thwarting the deployment of malware

One of the favourite methods of attack is the deployment of malware – malicious software. A significant number of cyber attacks still begin with a fake email – a Phishing attempt – that aims to entice a user to click on a link to an illegitimate website or deploy malware from an attachment.

Malware can then cause massive disruption by:

  • rendering devices unusable

  • stealing credentials to gain access to networks

  • controlling devices to form Botnets which can be used in further attacks

  • stealing, altering or encrypting data

One type of malware commonly seen in cyber-attacks is Ransomware, which encrypts and locks data on devices, preventing access or even exfiltrating or deleting it.  Often there is a demand for a ransom (hence the name) with a promise that the data will be made available once the payment has been made.

It’s therefore crucial to make regular off-site backups of important data, ensuring there are multiple copies and the devices on which backups are stored are not permanently connected to the network. 

These connections can be used as a target and a way in for attackers if they are exposed to the internet without appropriate security.

Organisations should take preventative action to reduce the likelihood of a successful attack in which human-operated ransomware can be deployed.  In the current climate, there is a significant increase in Remote Desktop Protocol (RDP) connections which allow devices to connect over the internet or a local network. These connections can be used as a target and a way in for attackers if they are exposed to the internet without appropriate security.

Multi-factor authentication should be used wherever possible, and users should be provided with the ability to connect via a Virtual Private Network (VPN) or a DirectAccess connection. Both of these can reduce the risk of a successful RDP attack because they encrypt the connection between staff and business systems which stops sensitive data being intercepted.

The potential impact of a human-operated ransomware attack can be significantly reduced by taking action to prevent attackers laterally moving from one device to another within a network, searching for any vulnerabilities.

Undertaking regular credential hygiene

Regular credential hygiene should be undertaken, ensuring users follow their organisation’s policies, preventing repeat passwords, introducing multi-factor authentication and ensuring an account lockout policy is in place. Unnecessary communication between endpoints should be reduced where possible as the more communication is allowed between devices, the more risk there is to mitigate.

Additionally, organisations should monitor for brute force attacks by checking excessive failed authentication attempts, ensure patching is up to date, address and remediate vulnerabilities, and secure perimeter connections via network and host-based firewalls, particularly for inbound connections. An access list, which specifies allowed connections based usually on IP addresses, helps to prevent malicious traffic entering the network.

Our Data Security Centre is on constant alert to obtain intelligence on threats and identify and successfully block malicious attempts across the NHS.

NHS Secure Boundary monitors local and national threats

NHS Secure Boundary can help you with this. The solution is at the forefront of protecting internet traffic from digital and cloud-based threats, through next generation firewall (NGFW) and web application firewall (WAF) protection.

This enables enhanced monitoring of local gateways – the devices or network nodes that send and receive data packets from the internet – and national visibility and intelligence allowing NHS Digital to correlate security event information on these applications. This gathering of national intelligence enables security risks to be more accurately identified, assessed and prioritised.

We must continue to evolve and develop to stay one step ahead. 

The solution now protects all the Health and Social Care Network internet traffic and is onboarding direct internet connections for NHS Trusts and CSUs. To learn more about this solution, please get in touch with the team at

It’s important to educate your staff and raise awareness of common cyber threats – they are an important layer in a defence in-depth strategy – having as many layers of defence as possible. There are a range of resources available to support you to do this, including our own "Keep I.T. Confidential" campaign materials and the National Cyber Security Centre's cyber security training for staff, to name a couple. 

We must continue to evolve and develop to stay one step ahead.  You can find out more about how we can help you further at our cyber and data security website

Related subjects

Share this page

Simon Dyson

Simon is the lead for NHS Digital's Cyber Security Operations Centre (CSOC), based in the Data Security Centre in Leeds. He is an information security professional who has experience in risk, assurance, operations and has tackled Ransomware as a cyber investigator working previously in law enforcement.

Latest blogs

Call handler Freddie Irvin is at his desk taking calls for the NHS 111 service in Norfolk
By Freddie Ivin, Gina Gill. 16 October 2020
On #StartAHeart day, Freddie Ivin, a call handler for the NHS 111 service in Norfolk, explains the vital training role NHS Digital plays in helping call handlers deal with CPR calls, and Gina Gill describes the impact of a call she received about a man who had stopped breathing in her role as a NHS 111 Health Advisor for the Yorkshire Ambulance Service.
Sarah Wilkinson, CEO of NHS Digital
By Sarah Wilkinson. 25 September 2020
Clinical data is acutely private and confidential, and patients rightly demand that it is handled with great care. Sarah Wilkinson, Chief Executive of NHS Digital, explains more.
Photo of Tahmina Rokib, Clinical Lead for Digital Medicines at NHS Digital, in a pharmacy
By Tahmina Rokib. 27 August 2020
Tahmina Rokib, Clinical Lead for Digital Medicines at NHS Digital, talks about how electronic notifications giving details of urgent medication issued by community pharmacies, keep GPs fully informed and patients’ records up-to-date.
Last edited: 6 October 2020 2:23 pm