valerybrozhinsky - stock.adobe.c
NCSC makes ransomware attack guidance more accessible
Following a swathe of high-profile ransomware attacks, the UK’s National Cyber Security Centre has made changes to its guidance, emphasising the importance of offline backups
The UK’s National Cyber Security Centre (NCSC) has updated its guidance to organisations on how to mitigate the impact of malware and ransomware attacks, retiring its standalone ransomware guidance and amalgamating the two in a bid to improve clarity and ease confusion among business and consumer users alike.
The NCSC said that having two different pieces of guidance had caused some issues as a lot of the content relating to ransomware was essentially identical, while the malware guidance was a little more up-to-date and relevant.
The service said the changes reflect to some extent how members of the public understand cyber security. For example, it implies a distinction between malware and ransomware even though technically speaking, ransomware is merely a type of malware.
“Not everyone who visits our website knows that. Furthermore, they might well search for the term ‘ransomware’ (rather than ‘malware’) when they’re in the grip of a live ransomware incident,” said a spokesperson.
“We want to be as helpful as possible to the people who need our guidance in a hurry. The best cyber security advice in the world is useless if nobody can find it.”
“For the same reason, we used ‘attacks’ rather than ‘infections’, ‘incidents’ or ‘compromises’ – as we know this is by far the most popular search term. These technical trade-offs are sometimes necessary, because the NCSC needs to make sure the language used in its guidance matches what's being used in the real world.”
The NCSC has also removed some of the more detailed technical content, as external feedback had shown that users tended to find this useful, in the hope of making what is presented more relevant.
Read more about ransomware
- Redcar & Cleveland Council’s systems remain offline three weeks after a confirmed ransomware attack.
- RobbinHood ransomware deletes cyber security defences from target systems by subverting Windows kernel memory settings.
- Ransomware attacks against the NHS have tapered off dramatically, according to statistics obtained under FoI legislation, but this does not mean the threat has diminished.
One part of the guidance that has been expanded, however, is a section emphasising offline backups as a more appropriate defence mechanism against ransomware, something to which it had not before drawn much attention.
“We’ve seen a number of ransomware incidents lately where the victims had backed up their essential data (which is great), but all the backups were online at the time of the incident (not so great),” said the NCSC’s spokesperson.
“It meant the backups were also encrypted and ransomed together with the rest of the victim's data. We’ve previously published a blog post recommending offline backups, but recent incidents suggest we need to emphasise the importance of this in our guidance as well.”
Keeping backups offline in theory means an organisation’s infrastructure will be entirely unaffected if an incident impacts the live environment. The cardinal rule of offline backups is that you should only connect the offline (or cold) backup to live systems when absolutely necessary, and never have all backups connected (or hot) at the same time.
According to the NCSC, using cloud services to hold an offline backup can be a good idea because it guarantees full physical separation from the live environment, but because cloud services cannot be unplugged, those going down this path are best advised to implement identity management and access controls.
The full guidance can be found online at the NCSC’s website. The guidance on whether or not one should pay a ransom to regain access to encrypted data is unchanged – the NCSC supports the National Crime Agency guidelines not to pay, because there is no guarantee that you will get access to your devices or data in return.