Ransomware and what your board may ask you

A blog on the UK’s National Cyber Security Centre (NCSC) website poses the question: “Ransomware: What board members should know and what they should be asking their technical experts”. Knowing the likely questions may help the technical experts responsible prepare in advance, or at least provide a checklist.

Ransomware attacks cause a lot of disruption to organisations, with victims taking a long time to recover and re-enable critical services. Moreover, these events can also be expensive and cause permanent damage to the organisation and its reputation.

So, what do you need to know about ransomware?

Ransomware is a type of malware that prevents you from accessing your computer or the data stored on it. During an attack it may encrypt data, making it inaccessible, steal it, or release it online or on the dark web.

Most ransomware is ‘enterprise-wide’, meaning it affects all machines on the network. Once they have accessed the systems, attackers often take time moving around, and they work out where critical data and backups are stored. Armed with this knowledge the attacker can encrypt the entire network at the most critical moment. It is worth remembering that this is the attacker’s job, and they are good at it.

IT malware impacting on OT systems

Operational technology (OT) systems used by manufacturers are not immune from attacks, and there is compelling evidence that such attacks are increasing. For example, the malware families BlackEnergy3, CrashOverride and TRITON used traditional IT attack techniques to reach OT networks and ICS devices, rather than targeting them directly.

In these cases, the attackers start with a foothold in IT networks and then move further into the organisation. Their goal is to reach OT systems from the interconnected IT segments they have access to, for example through operator workstations.

The attacker will then demand a payment to unlock the computers and restore access to data. Payment is usually demanded in untraceable cryptocurrencies like Bitcoin. Yet even if you pay the ransom, there is no guarantee you will get workable access to your computers or files. Furthermore, attackers sometimes use the threat of releasing stolen data to pressure victims into paying.

One key point: the UK government advises against paying ransoms to criminals when targeted by ransomware, as it may encourage further attacks.

It is not possible to completely stop an advanced, well-motivated adversary from getting into critical networks. But applying the NCSC’s Cyber Assessment Framework can make UK OT networks less attractive targets to sophisticated adversaries, while also helping to prevent accidental intrusion.

In the event of an intrusion, fast and effective recovery is crucial. This makes it essential to take secure, offline backups of critical OT systems and device configurations, to test the resilience of critical systems, and to practise recovery on a routine basis.

IT and OT managers have a responsibility to prepare for the inevitable intrusion into their systems and can expect a hard time from their board. As an example, here are five key questions that board members may want to ask you about ransomware:

Q1. As an organisation, how would we know when an incident occurred?

Generally, there is a significant period (known as ‘dwell time’) between an attacker gaining access to your critical systems and the launch of the ransomware. Identifying unauthorised access to systems early can help stop an attack, so you need to consider:

– What monitoring is in place around those critical assets?

– Who checks the activity logs?

– How do staff report any suspicious activity?

– Are the thresholds for alerts set to the right level?
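The monitoring, log-review and alert-threshold questions above are easier to answer with something concrete in hand. The following is an added example, not code from the NCSC blog: a small detector that scans file-activity log lines for two signs of an intruder's dwell time and of the encryption phase (an out-of-hours logon to a critical asset, and a burst of renames to an unfamiliar file extension by one account), and raises an alert only when a configurable threshold is crossed. The log line format, the asset and user names, the business-hours window and the threshold values are all constructed assumptions for this example.

```python
"""
Added example, not from the NCSC blog: threshold-based alerting over
constructed file-activity log lines. The format, asset names, user names
and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed configuration: which assets count as critical, what counts as
# business hours, and how many suspicious renames per user inside the
# window it takes before an alert is raised.
CRITICAL_ASSETS = {"fs01", "backup01"}
BUSINESS_HOURS = range(7, 20)              # 07:00 to 19:59
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 20
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "sqlite"}

# Constructed line format:
#   "<ISO timestamp> <user> <ACTION> <asset>:<path> [-> <asset>:<path>]"
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGON|READ|WRITE|RENAME) (\S+)(?: -> (\S+))?$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, new_path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "new_path": new_path}


def asset_of(path):
    return path.split(":", 1)[0]


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, burst_threshold=BURST_THRESHOLD):
    """Return (indicator, user, timestamp) tuples for every threshold crossed."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []

    # Indicator 1: a logon to a critical asset outside business hours.
    # This is the kind of early, low-volume signal seen during dwell time.
    for e in events:
        if (e["action"] == "LOGON" and asset_of(e["path"]) in CRITICAL_ASSETS
                and e["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("out_of_hours_logon", e["user"], e["ts"].isoformat()))

    # Indicator 2: a burst of renames to an unfamiliar extension by one user.
    # Mass renaming is what the encryption phase looks like on a file server;
    # the sliding window keeps a single odd rename from paging anyone.
    renames = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and extension(e["new_path"]) not in KNOWN_EXTENSIONS:
            renames[e["user"]].append(e["ts"])
    for user, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("rename_burst", user, times[start].isoformat()))
                break
    return alerts


def build_sample_log():
    """Constructed log lines for this example, not a real capture."""
    lines = [
        "2024-03-04T02:13:05 svc_backup LOGON backup01:/",      # 02:13, critical asset
        "2024-03-04T08:55:00 bob LOGON fs01:/",                  # normal working hours
        "2024-03-04T08:56:10 bob WRITE fs01:/finance/q1.xlsx",
        "2024-03-04T08:57:30 bob RENAME fs01:/finance/draft.docx -> fs01:/finance/final.docx",
        "garbage line that should be ignored",
    ]
    base = datetime(2024, 3, 4, 9, 0, 0)
    for i in range(25):   # 25 renames in 72 seconds by one account
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} alice RENAME fs01:/finance/file{i}.xlsx"
                     f" -> fs01:/finance/file{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Run against the constructed log, the detector reports the 02:13 logon by the backup service account and the rename burst by one user, while the ordinary working-hours activity produces nothing. Raising `burst_threshold` above 25 silences the second alert, which is exactly the trade-off the board's question about thresholds is probing: too high and the encryption phase is missed, too low and the people who check the logs drown in noise.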

Q2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?

Ransomware attacks cause damage and can spread fast within your systems, so the board may wish to know:

– How does the organisation authenticate and grant access to users or systems, including machine-to-machine (M2M) remote access?

– In what way would the organisation identify an attacker’s presence on the network?

– How is the network separated to limit access from one device?

Q3. Do we have an effective cyber incident management plan?

Organisations should think of ‘when’ rather than ‘if’ they experience a significant cyber incident, and must plan their response with care and practise it. A basic incident management plan should include:

– Identifying the key departmental contacts and the incident response team.

– Clear escalation routes and defined processes for critical decisions.

– Clear allocation of responsibility.

– At least one conference number available for urgent incident calls.

– Guidance on regulatory requirements for reporting information breaches.

– Contingency measures for critical functions.

– Where external resources can be accessed.

Q4. Does your incident management plan meet the particular challenges of ransomware attacks?

There are features of ransomware attacks that more general incident management plans may not address. It is also important to discuss:

– How might we respond to a ransom demand and who decides?

– Are we prepared for a recovery that could take several weeks?

Q5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?

Ransomware often targets an organisation’s data backups, as this increases the likelihood of the victim paying. It is therefore essential that the board seek assurance on how backups are being made and how secure they are, for example:

– What data is ‘critical’ and how often is this backed up?

– How often is non-critical data backed up?

– Are you confident that you would be able to recover using these backups, and how often is this checked?

– Are backups stored securely and are they offline and kept in a different location from your network and systems, or in a cloud service?
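The question “are you confident that you would be able to recover using these backups, and how often is this checked?” is best answered by a routine test rather than a belief. The following is an added example, not code from the NCSC blog: a manifest of SHA-256 digests is recorded when the backup is taken and kept apart from the backup copy itself; a later check recomputes the digests, so files that have since been encrypted, renamed or deleted in the backup set are reported by the test rather than discovered during a real recovery, and a restore into a scratch directory confirms the copy is actually usable. The directory layout, file names and file contents are constructed for the example.

```python
"""
Added example, not from the NCSC blog: verifying that a backup set is
intact and restorable against a manifest stored separately from it.
Directory layout and contents are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare a backup copy against the manifest recorded when it was taken."""
    backup_root = Path(backup_root)
    result = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    # Files that were not there at backup time (e.g. renamed copies) are worth a look too.
    result["unexpected"] = sorted(set(build_manifest(backup_root)) - set(manifest))
    return result


def restore_test(backup_root, manifest, scratch_dir):
    """The 'can we actually recover?' check: restore into an empty scratch
    directory and verify the restored tree, not just the backup in place."""
    shutil.copytree(backup_root, scratch_dir)
    r = verify_backup(scratch_dir, manifest)
    return not r["changed"] and not r["missing"]


def demo():
    """Constructed scenario: a clean backup passes; then the backup copy is
    altered the way an infection reaching a backup share would alter it,
    and the same routine check reports exactly what is no longer trustworthy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "critical"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x01" * 64)
        (src / "plc_config.xml").write_text("<plc><setpoint>42</setpoint></plc>")

        manifest = build_manifest(src)          # keep this away from the backup itself
        backup = tmp / "backup"
        shutil.copytree(src, backup)

        clean = verify_backup(backup, manifest)
        clean_restorable = restore_test(backup, manifest, tmp / "restore1")

        # Simulated damage to the backup copy: one file overwritten with
        # unreadable content, one renamed, one stray file dropped in.
        (backup / "db" / "orders.sqlite").write_bytes(b"\x00" * 80)
        (backup / "plc_config.xml").rename(backup / "plc_config.xml.locked")
        (backup / "stray.txt").write_text("not part of the backup set")

        damaged = verify_backup(backup, manifest)
        damaged_restorable = restore_test(backup, manifest, tmp / "restore2")
        return clean, clean_restorable, damaged, damaged_restorable


if __name__ == "__main__":
    clean, ok1, damaged, ok2 = demo()
    print("clean backup restorable:", ok1, clean)
    print("damaged backup restorable:", ok2, damaged)
```

The design point is that the manifest must live somewhere the backup share cannot reach (offline media or a separate, write-restricted location), otherwise anything that can alter the backup can alter the record it is checked against. Running `restore_test` on a schedule, and recording the result, is what turns “we have backups” into an answer the board can rely on.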

And finally, ransomware resources available from the NCSC:

Guidance on Mitigating malware and ransomware attacks

Blog: The Rise of Ransomware

Preventing Lateral Movement – Guidance for preventing lateral movement in enterprise networks.

Dealing with incidents

Incident Management: How to effectively detect, respond to and resolve cyber incidents

Planning your Response to Cyber Incidents from the Cyber Security Toolkit for Boards

Cyber Incident Response – companies that can help organisations that have been the victim of a significant cyber-attack.

Exercise in a Box – NCSC’s free exercising tool offering desk-based, simulation and micro-exercises

Guidance on Effective steps to cyber exercise creation