Security measures against ransomware and other malware attacks

NSM has a portal related to malware and ransomware attacks. All articles on this portal are in Norwegian, with the exception of the article you are now reading.

Summary

This article sets out recommendations for dealing with ransomware and other malware attacks. The recommendations are mostly derived from “NSMs ICT security principles version 2.0” (only available in Norwegian) but with some adjustments and additions to adapt them for this particular purpose.

The recommendations will 1) reduce the likelihood of being hit by such attacks, 2) limit the spread of malware in an enterprise, and 3) mitigate the consequences if the enterprise is hit.

There is no single measure that can prevent digital extortion. An enterprise needs to put in place a set of security measures to stop such attacks.

Many of the measures involve removing vulnerabilities. This includes:

1. Vulnerabilities relating to configuration and procedures for managing privileges and access rights.

2. Vulnerabilities in the architecture (e.g. in terms of networks and secure backups).

3. Software-based vulnerabilities (e.g. lack of security updates).

What is malware and ransomware?

Malware is malicious software used by an attacker seeking to harm or misuse the enterprise’s IT systems for their own ends. Their motivation can vary; it could be linked to espionage, vandalism, crime, political activism etc.

Ransomware is a type of malware used by an attacker for a specific purpose. The attacker’s aim is to prevent the enterprise from using its own IT system and forcing it to pay the attacker to escape the situation. It is done by either blocking/encrypting access to the enterprise’s files or by locking/blocking log-ins to a specific computer or service. The enterprise may also receive threats to publish its sensitive documents and other data if it fails to pay up.

This article describes technological and organisational measures needed to protect against malware in general and ransomware in particular. The measures are broadly overlapping for both malware and ransomware.

One key difference between general malware and its sub-category ransomware is that an attacker who uses ransomware will sooner or later wish to inform the enterprise of their presence in its system. Other malware (e.g. linked to espionage) can go undetected in the enterprise’s system for years. It is worth noting, therefore, that security measures against ransomware also prevent industrial espionage (and vice versa).

The article will hereafter primarily use the general term “malware”. It will be expressly stated if a measure is only relevant for ransomware.

Eight recommendation categories

The article describes 44 security measures across 8 recommendation categories:

Recommendation category 1: Make plans for preventing and reducing the consequences of malware attacks. The management must actively establish readiness plans and take measures to best prepare the enterprise for cyberattacks.

Recommendation category 2: Establish good procedures for backup and recovery. If the enterprise was to fall victim to ransomware, it should already have obtained the necessary capabilities to enable it to return to normal as quickly as possible.

Recommendation category 3: Prevent the attacker from entering and infiltrating the enterprise’s systems. It is important to limit the extent to which the enterprise’s systems are affected by the malware.

Recommendation category 4: Protect services accessible from external locations. Services which can be accessed externally (e.g. email servers) are often poorly protected. Attackers can and will exploit this.

Recommendation category 5: Prevent the attacker’s software from executing. These measures are important in order to stop or deter an attacker from carrying out all of their intended actions in the enterprise’s system.

Recommendation category 6: Make it difficult to extract enterprise data. One key aim of an attack is often to obtain relevant enterprise data. This could be in order to demand a ransom for not publishing the enterprise’s information, or it can be linked to state or industrial espionage.

Recommendation category 7: Deal with malware incidents. Once you discover that you are under attack you must take swift action to stop the attacker and restore your systems as quickly as possible.

Recommendation category 8: Product-specific advice. Most of the recommendations are product-neutral, but some of them concern specific products and have therefore been included in this recommendation category.

Target audience and scope

This article is aimed at IT managers, IT architects, IT operators and security experts in the public and private sectors. Readers will benefit from familiarising themselves with “NSMs ICT security principles version 2.0” (in Norwegian only) before reading the article.

The article is aimed at organisations and describes technological and organisational security measures. National and international measures are not covered by this article. For other measures, see e.g. “Ransomware Task Force report”.

Prioritizing security measures

Cyberattacks from malware can have major consequences for an enterprise. A string of measures are needed to create the best possible protection against such attacks. A short list of measures would not be sufficient to withstand such cyberattacks. The aim of this article is primarily to inform specialists in the field. However, NSM also believes it is worth suggesting where to begin. You could start by implementing the following eight measures (measure identifier in parentheses).

Reduce the potential attack surface for phishing and malicious code execution by:

1. removing administrator rights from end users (23),

2. introducing automatic security updates of all clients (20),

3. and stopping malicious code in documents (25 and 44).
 

Services which need to be accessible outside the enterprise’s network should as a minimum be protected by:

4. multi-factor authentication (14) and by removing default passwords (31),

5. network protections such as VPN (17–19),

6. introducing automatic security updates for all servers (operating systems and applications) which are running standard off-the-shelf software such as email servers, terminal servers etc. (29).
 

Generally, one should:

7. phase out all older IT products which are no longer supported with updates and new security functions (27),

8. and perform regular backups while preparing yourself for restoring systems as quickly as possible (7–13).

The most common points of entry for infiltrating a system with malware

Malware often enters an enterprise’s system via emails attempting to trick the recipient into activating malicious content in attachments, documents, or links.

The other main route is for the attacker to log into the enterprise’s systems using valid credentials. This is made possible because:

1. Many businesses leave their services openly accessible via the internet, i.e. without network protection such as VPN.

2. Regrettably, this is often combined with another vulnerability, which is the ease with which it is possible to guess the password of a valid user account, maybe even accounts used to manage the system.

3. Leaked passwords are another major problem. Users may have used the same password at the enterprise and on various websites, and one of those websites (which is beyond the enterprise’s control) has suffered a data breach resulting in the loss of usernames and passwords. Lists of login details are bought and sold by criminals in underground forums.

Generally speaking, such attacks can be described as follows:

1. The attacker somehow gains preliminary access to the enterprise’s systems (e.g. using one of the two main avenues described above).

2. The attacker makes further progress and manages to “move around” inside the enterprise’s systems.

3. The attacker is then able to increase their privileges and access rights.

4. The attacker carries out their intended action. This could be stealing sensitive documents/data belonging to the enterprise and/or sabotaging/hijacking the system so that the enterprise is no longer able to use it (e.g. by encrypting data).

See the MITRE ATT&CK guidelines for more information about the methods most frequently used by threat actors.

It is difficult to fully protect yourself from malware attacks. One single security measure is not enough. Multiple layers of security are needed to make the above attack routes more difficult for the attackers. Multiple layers will boost the enterprise’s resilience and robustness, and they can prevent or reduce the consequences of an attack.

Recommendation category 1: Make plans for preventing and reducing the consequences of malware attacks

Why is this important? The management must actively establish readiness plans and take steps to best prepare the enterprise for cyberattacks.

Recommendation:

1. Prepare a plan for technological measures. This means drawing up a plan for following up on the measures described in this article.

2. Prepare a security culture plan. It is assumed that the enterprise already has a plan in place for developing its ICT security expertise and security culture.

The security culture plan should include measures to make end users, managers and IT staff aware of the responsibility they bear for security. In the case of end users, it could for instance involve being conscious of a) what they are clicking on and opening in terms of attachments and links, and b) choosing better passwords (or even better: accepting the introduction of multi-factor authentication). For managers, it could for instance involve c) being good role models when it comes to security in practice, d) highlighting how security is just as important as other business objectives, and e) supporting IT staff in implementing the measures described in this article in the best possible way.

It is important that all staff know why they are not permitted to do whatever they like on their computer, i.e. why their computer is security-hardened and managed centrally. It means there is a reason why they cannot install and run any software they want. Explain that this part of the objective is to not give individual employees responsibility for security (reducing liability or “blame”). Also point out that personal business must be conducted on personal devices, alternatively on work mobiles permitting non work-related use.

An enterprise’s security culture is otherwise not within the scope of this article. You can read more about security culture on our website as well as the Norwegian Digitalisation Agency’s guidance, both only available in Norwegian.

3. Identify the enterprise’s main assets and services. It is important that the enterprise knows how to respond before it is faced with an incident/crisis. What are its main assets and services that should be given priority? Consider and decide what the enterprise should do in the following scenarios: a) you can no longer trust your own data and services (loss of integrity), b) confidential data has gone astray, and c) you can no longer access your own data and services (loss of availability).

4. Prepare the enterprise for a cyberattack. a) Prepare the business side of things in respect of suppliers and customers (delivery failure) and identify the most critical services (see also measure 3). b) Have a communication plan ready for a potential incident. c) Address legal matters in advance. d) An incident can take place at any time of the day and last for weeks and months. Plan how to replace personnel to prevent critical staff from burning out. e) Practise for potential incidents and test your ability to restore activity.

5. Determine in advance the legal, financial, security-related, decision-making, ethical and reputational ramifications of paying a ransom. You must be prepared to receive a demand for a) ransom to unlock encrypted files, and b) ransom to prevent the enterprise’s confidential files from being published. c) Also give thought to what kind of negotiating strategy you wish to pursue with the attackers, not necessarily in order to pay them but to buy time. d) Some enterprises may feel forced to pay up for various reasons. They must then know how to obtain cryptocurrency (and understand the potential legal barriers to doing so).

NSM advises enterprises NOT to pay ransoms. This is because i) there is no guarantee that the attacker will not carry out their threat after payment, and ii) data may still be sold on. If you do make payment, you signal that you are willing to pay, thus iii) increasing the likelihood of being attacked again in the future. Even after making payment iv) your computer(s) will still be infected with the attacker’s malware. You will therefore still not be able to trust your own IT equipment. And last but not least, v) if you pay, you are effectively funding criminal activity.

6. Improve procedures for alternative communication channels when dealing with an incident. a) These channels should be completely separate from the organisation’s own infrastructure (including from its main IT services providers in the event that it is they who are hijacked) in case these are unavailable or suspected to be monitored by the attacker. b) Contact information and emergency response information should also be available offline or on paper. This information needs to be easily accessible in a crisis and not exclusively stored in a system that may have been hijacked.

Recommendation category 2: Establish good procedures for security backups and recovery

Why is this important? If the enterprise were to fall victim to malware in the form of ransomware, it should already have obtained the necessary capabilities to enable it to return to normal as quickly as possible. You will then need up-to-date and trusted backup copies of data and systems along with good and, insofar as possible, non-manual methods for swift recovery. You also need to have a good idea of how long it will take to restore your systems. This means you should practise restoring your system. Many organisations are surprised to discover how time-consuming it can be to restore a system when suffering an actual cyberattack.

Recommendation:

7. Always stay on top of systems that the enterprise needs to be able to restore in a crisis. Adjust your emergency response plans accordingly. Remember that you need to restore all critical infrastructure as quickly as possible, whether it is running/stored in the cloud or locally. a) You must be able to restore all virtual and physical clients and servers using a minimum of manual operations. This means having automation-friendly backup and recovery capabilities (scriptable), e.g. it should be possible to back up or restore a group of computers in a single operation. This includes b) master images and templates for virtual machines. These must be kept up to date at all times. c) All configuration of operating systems, applications and databases must also be kept up to date and be automation friendly. All d) installation software must be quickly accessible and write-protected against most accounts. This could be operating systems, application software on clients and application software for servers.

8. Maintain your ability to protect and restore central ICT infrastructure. A number of operational ICT systems are essential for the rest of the ICT system to work. It can have serious consequences if these central ICT systems are hijacked or sabotaged: a) Domain controllers must be protected and be able to be restored quickly, including any PKI servers. This measure also applies to b) the system for running the virtual infrastructure (the enterprise’s and that of the provider), c) the system for managing clients and servers (MDM etc.), d) systems for central security updates, and e) systems for security monitoring.

9. Maintain your ability to restore information. This includes files and documents on clients, file servers, in cloud storage and database content. Avoid storing files exclusively on clients.

10. Make backup copies as often as your enterprise’s needs dictate. Your enterprise must be able to recover lost or altered business data, software and system configurations.

11. Determine where to write and store your backups and protect them against hijack. All backups must be protected against overwriting/encryption, manipulation and copying by attackers. This is becoming increasingly important because ransomware authors are now more likely to encrypt the security backups before encrypting the production files. As a minimum, a) there should be an adequate security barrier between backups and “production” (in terms of network, domain, rights) with limited access between the two. b) Create multiple backups with different backup solutions and different storage locations (also remember the risk of fire and burglary). Avoid having a “monolithic” solution for security backups. Copies in commercial clouds can also fail / be hijacked, either because of incorrect configuration by the customer or because the cloud host has made an error or has been hijacked. You should therefore consider having more than one backup solution. c) Completed backups should be write-protected, alternatively use WORM solutions. Depending on the needs and size of the enterprise, you can d) store backups on tape, in the cloud(s), on USB discs, NAS, separate SANs. Switching between these solutions will ensure diversity. e) Enterprises should consider whether backups should be stored abroad and whether some or all backup services can be managed from abroad (with respect to digital sovereignty). See also “Offline backups in an online world” (NCSC-UK).

12. Secure backups. Backup operations should be carried out using dedicated system management accounts (which are used for nothing else) and dedicated workstations (Privileged Access Workstations (PAW)) located behind dedicated firewalls only permitting access by approved IP addresses. Operations should only be accessed using multi-factor authentication (ensure that authentication cannot be hijacked).

13. Train the enterprise in rapid recovery. a) Enable measure 7–12 in the best way possible. b) Practise and measure the time and work that goes into recovery. From experience, recovery takes much longer than most people expect. For example, practise i) restoring a domain controller, and ii) re-installing a large number of clients. This will normally throw up a few surprises. For that reason you should test your recovery plans periodically (and adjust your emergency response plans accordingly). The aim is to verify that information and systems can be restored in accordance with the plan. c) Determine whether certain dependencies make it necessary to restore things in a given order. d) Include in the plans how swift purchases of IT equipment require good contracts and a predictable global delivery situation without pandemics and geopolitical crises.

Recommendation category 3: Prevent the attacker from entering and infiltrating the enterprise’s systems

Why is this important? It is important to prevent or restrict malware from entering the enterprise and infiltrating its systems. The fewer sub-systems that are affected, the easier it can be to deal with the incident and limit the damage.

Recommendation:

14. Simple passwords should not be used to access services (and operating systems). Passwords will be cracked sooner or later (end user and service administrator passwords). Use good and strong passwords or adopt multi-factor authentication. This is especially important with heightened administrator privileges. Ensure that you deactivate all obsolete log-in credentials after introducing multi-factor authentication so that multi-factor cannot be bypassed.

This step is important because users either i) choose passwords which are common and easy for an attacker to guess, or ii) reuse the same passwords at work and privately. Passwords used for multiple online services are and continue to be compromised. Lists of compromised passwords circulate amongst criminals or are published for all to see. Such lists now include many millions of passwords linked to names and email addresses. They also include a large number of Norwegian users.

This measure should be introduced for as many devices/services as possible.

15. Use web and email filtering to block attachments and data with known harmful content (and unwanted content, i.e. spam). Examples of such content are: software, shell code, software contained within documents (document macros), known malware, known suspect IP addresses and domains etc.

16. Security-harden the enterprise’s services (including the operating system on the server they are running on). Applications are often accompanied by instructions on how to harden them. Use these instructions. The same goes for software as a service. The key thing here is to switch off all functionality you do not need. These functions can be misused by an attacker.

17. Don’t leave services directly accessible on the internet. Instead, grant access to the service only via VPN or by using other, more modern network protections such as the techniques described in measure 18. VPN access should not rely on single passwords, see measure 14.

18. Set up access control on as many network ports as possible. You can do this in a variety of ways. Please use search terms such as “micro segmentation”, “zero trust network architecture”, “software defined perimeter – SDP”, “software defined networking – SDN” for more information. (Not all of these technologies are necessarily directly linked to security, but NSM has found that anything which reduces manual configuration helps eliminate errors and improve network security.) VLAN-based partitioning (also known as macro segmentation) can also be an option if you are skilled at segmenting and configuring data flow between segments. You could also consider a combination of macro segmentation (VLAN-based) and micro segmentation. Network ports can be wired, radio-based or virtual.

19. Control data flows across the enterprise’s network. Control the information exchange between the different segments of the enterprise’s network. See also measure 18.

20. Block all direct traffic between clients. This will prevent an infected client from spreading malware directly to other clients. This is particularly relevant where different clients have different access rights to different systems, something which can result in rapid proliferation of malware to the enterprise’s various systems. See also measure 18.

21. Regularly identify and remove “forgotten” computers, services and user accounts. Everything that is not genuinely in use (and in practice forgotten) has been shown to increase the attack surface and provide an easy way in for an attacker.

22. Set up appropriate system monitoring of networks, clients and servers. Pay particular attention to a) unusual activity by accounts with administrator privileges or system management accounts. Unexpected use of sensitive accounts with “domain admin” rights is especially suspect. Look out for b) large, unexpected data streams which could indicate attempted exfiltration. c) Monitor any unexpected use of system management tools such as psexec, WMI, Powershell, cmd, ssh, etc.

The MITRE ATT&CK guidelines describe a number of other hostile actions that you should be aware of in order to detect malware activity.

A common problem is when an attacker spends weeks and months within an enterprise’s system before being detected. The better your system monitoring, the quicker you can begin to reduce the damage.

Recommendation category 4: Protect services accessible from external locations

Why is this important? Some services/servers must be accessible from outside the enterprise’s network. Examples include email servers (e.g. Exchange) and remote access services (e.g. RDP). Unfortunately, these services are often poorly protected, allowing threat actors to exploit them.

This is also true for SaaS services where the customer has failed to carry out sufficient security configuration.

If password hygiene is poor, it can be easy for an attacker to guess (weak) passwords and gain access. The job is made even easier for the attacker if the compromised account has system privileges. If a server/service has not been updated, its vulnerability and risk of being compromised increase.

Recommendation:

Single passwords should not be used to access services (and operating systems). See measure 14.

Do not leave services directly accessible via the internet, see measure 17.

Adopt good procedures for quickly updating software (server application and operating system). See measure 29.

Recommendation category 5: Prevent the attacker’s software from executing

In this section we look at what happens when malware, despite having implemented the aforementioned recommendations, makes it into the enterprise’s ICT systems. You now have to prevent the attacker’s software from launching and executing. The section focuses on reducing the attacker’s scope for causing damage to the enterprise’s ICT systems.

Why is this important? Preventing the attacker's code from executing is important because it makes it difficult/impossible for the attacker to 1) gain an initial foothold inside the system, 2) explore the enterprise’s ICT systems, 3) encrypt the enterprise’s data, 4) download additional malware, 5) delete traces of themselves, and 6) exfiltrate the enterprise’s data. 

Recommendations on preventing execution of unknown code on clients:

23. Do not give users administrator privileges on the client. If the user has heightened privileges, the attacker will acquire those very same privileges. Reduced privileges can help prevent the attacker from blocking access to the computer(s) (a variant of ransomware). Ordinary users should never be granted such rights unless absolutely necessary.

24. Consider which types of users need to be able to execute all your software. Most enterprises allow all users to execute all kinds of software by default. Not all users should be able to run software which is not included in a) an app store, b) the enterprise’s mobile device management solution, or c) an approved list of executable software code which is checked when someone attempts to execute it. If the enterprise has the tools for it, it should also d) block end users from starting scripting engines such as powershell*.exe, for example. It is not sufficient to only block unknown scripts.

25. Prevent software contained in documents from being executed. This applies to macros in Office documents and JavaScript code in PDF documents. a) Prevent document code from being able to call other processes, see measure 44. b) Block such documents with email or web filters if they come from an external party, cf. measure 15. c) Permit only enterprise-approved macros to execute.

Additional recommendations on preventing execution of unknown code on both clients and servers:

26. All clients and servers should be managed by the enterprise using a centralised management tool (with domains, with mobile device management or similar). Remember that mobile phones are also clients.

27. Phase out older software (operating systems and applications) and hardware no longer supported by the provider. Older versions of IT products often have multiple vulnerabilities and less up-to-date security functions (e.g. may support only single-factor authentication) compared with more recent versions.

28. Remove/deactivate unused software functionality that you do not need. a) Only install applications that are needed to meet your business needs, and b) uninstall/deactivate software/applications which are not in use, including software included with the operating system. c) Only accept enterprise-approved application plugins. d) Deactivate functionality in browsers, PDF readers and Office which is not required. e) Deactivate rarely used / unused protocols that can be abused, e.g. IMAP, IMAPS, POP and POPS. Also deactivate support for older versions of the SMB protocol. f) Block traffic in the client and server firewall to only follow the permitted data flow. You could also explicitly block TOR traffic (misused for exfiltration). g) Block or verify the use of app stores which may accompany SaaS services (an additional way in for unknown software).

29. Use automatic software security updates wherever possible. Software vulnerabilities in operating systems and applications should be eliminated as quickly as possible before they can be exploited by attackers. NSM has noted that automatic server software updates tend to be met with more scepticism than automatic client updates. NSM urges enterprises to use automatic server updates as a minimum in cases where only standard off-the-shelf software is being used, e.g. email servers, remote access servers etc. Experience shows that servers with standard software are particularly vulnerable as attackers can hijack them before the enterprise is able to update them manually. Alternatively, you can compensate with multi-factor authentication (measure 14) or good network protection (measures 17–18). However, we also recommend using automatic updates in addition.

Security updates are extremely important, but NSM wants enterprises to understand that it is unrealistic to assume that “faultless” software is the main security barrier. There is no such thing, not before and not after you have performed a security update. Being on the ball and removing software vulnerabilities does not mean you are sufficiently protected against attack. You must also remove other vulnerabilities relating to architecture, rights and configuration, cf. other recommendations described in this article.

30. Use malware scanning (antivirus/antimalware) to detect known malware. Such products are often combined with some kind of anti-phishing functionality, which is a good thing. Some enterprises use malware scanners as their only defence against the execution of malicious code. Antivirus/antimalware software is not enough to stop malicious software from executing. Malware, including ransomware, succeeds time and time again even though almost all enterprises have been buying security software for more than 20 years. More enterprises need to realise that security software does not in itself do much to remove vulnerabilities. Please note that some of these products/services have built-in functions that can help remove vulnerabilities by preventing alien code from executing. If such functions do exist, use them. See examples in measure 44. However, most of these products primarily focus on known threats. You should therefore also work to remove as many vulnerabilities as possible by implementing the recommendations described in this article. Try to find a balance between dealing with threats and removing vulnerabilities.

The following recommendation does not apply to the execution of malware in particular, but it describes measures that will be relevant to a number of devices in an enterprise’s system.

31. Change all default passwords on ICT products before deployment. a) This includes applications and operating systems on clients and servers as well as b) routers, firewalls, printers and wireless access points.

32. Consider whether all users need write privileges to all shared files. You should consider whether all employees need write privileges to all shared folders and documents. Read privileges will suffice in some cases. This can limit the ability of ransomware to encrypt files.

33. Activate security functions built into products and services. Providers of various already bought products and services may have built in functionality that could prove to be effective barriers to malware. Use them for clients (see example in measure 44) and for servers and services.

Recommendation category 6: Make it difficult to extract enterprise data

Why is this important? Both general malware and ransomware will often attempt to extract enterprise data. This is often described as exfiltration. In some instances it can be for the purpose of various types of espionage. Some types of ransomware see the attacker threaten to publish the enterprise’s documents if it fails to pay a ransom. There are also examples of stolen data being auctioned in criminal circles. Please note that exfiltration of customer data, for example, may legally require you to notify your customers.

Recommendation:

Make it impossible/difficult to execute exfiltration software. For exfiltration to take place, the attacker’s software code must be able to execute, or the attacker must be able to execute/misuse software included in the operating system. See measures 23–30 to make execution impossible/difficult.

Control of data flows can prevent transfer of data. See measures 18-–20.

System monitoring must be configured to detect unknown data streams. See measure 22.

Recommendation category 7: Deal with malware incidents

Why is this important? Once you discover that you are facing a malware attack you must take swift action to stop the attacker and restore your system as quickly as possible.

We assume that the enterprise already has general processes in place for dealing with incidents. The recommendations below mostly address malware incidents.

Recommendation:

34. Inform all affected parties, internally and externally, in line with your planned communications strategy. The contact information is only applicable to Norwegian enterprises. It is important for everyone involved to get the correct information quickly. NSM recommends that a) incidents involving active exploitation be reported to the NCSC-NOR operating centre on [email protected] or telephone 02497 (+47 2331 0750). This will better enable the NCSC-NOR to consider the national threat situation and provide assistance to deal with the incident. Please also quickly inform the relevant sector CERT if there is one. Threats involving active exploitation should also be b) reported to the police. c) Adhere to the rules requiring you to inform external parties (e.g. customers). d) Such attacks rarely affect only one enterprise. Co-ordinate with other enterprises in the same situation. You will benefit from being transparent about the situation, as a minimum within your sector (health, education, energy, etc.) or in various collaborative forums (using trusted channels).

35. Disconnect computers you suspect have been infected. This could be stationary clients, laptops, mobiles, servers and virtual cloud servers. Email servers and RDP servers are often repeat offenders in this respect.

36. Consider disconnecting parts of your network. Depending on how critical the situation is, you should consider disconnecting the internet, wireless networks, parts of the wired network, switches and virtual networks. It is often the most sensitive sub-systems that need to be temporarily disconnected. This requires you to understand in advance the consequences of what you are doing and have emergency response plans ready before taking action. Sub-systems which have already been affected should be completely isolated from other sub-systems.

37. Consider changing the passwords for all accounts on the servers and services that have been compromised. It may well be that all passwords have been fully or partially compromised. a) As a minimum, you should change the passwords on all system management accounts for applications and operating systems in the compromised ICT systems. This can be time-consuming, so check that the systems are indeed compromised first. If there are signs that a domain controller has been compromised, you definitely need to change passwords. b) If administrator accounts for a compromised server also have domain admin rights (not a good practice), the domain controller(s) may also be compromised. You should remove such privileges immediately and swiftly change the password. Consider restoring the domain controller(s) from scratch. This is to ensure the security of the enterprise’s other ICT infrastructure, not just a single server. c) Ensure that you do not lock yourself out of your system by a mistake when changing the password.

38. Reinstall all software on infected devices. This applies to operating systems, applications, application plugins and system configurations. If a device becomes compromised, it is difficult to trust it until everything has been reinstalled. When it comes to data, you need to restore from the latest trusted backup.

39. Check whether firmware is affected. (This is advanced material.) Firmware includes UEFI/BIOS and other software in various hardware components. If the firmware has been manipulated by malware (rare), it is usually best to decommission the computer (client or server) as you can no longer trust it (reinstalling the operating system and applications will not help). However, if you are willing to take the risk, we recommend updating the firmware and reviewing the settings to see whether they offer adequate security (requires specialist expertise).

40. Only use backups that you fully trust when restoring. It can be difficult to know how long the malware has been present in your system. It may therefore not be wise to use the most recent (possibly infected) security backups. As a minimum, you should run an up-to-date malware scanner on the chosen backup copy to check for known malware in it (this requires the scanner to be familiar with the malware in question).

41. Restore devices on a part of the network you know not to be compromised. Restoring in this context refers to the downloading, installation, updating and configuration of software.

42. Resume system monitoring of restored devices. This is to ensure that the malware has been completely removed. If the monitoring suggests otherwise, a) you have overlooked some devices, b) the restore was not sufficient in the case of one or more devices, or c) the firmware has been infected (rare).

43. Learn from the incident. When everything has returned to normal you should carry out an evaluation. Learn from it so that next time the impact will not be so severe.

Recommendation category 8: Product-specific advice

All of the above-mentioned recommendations are product neutral. They do not refer to specific products, services or providers.

NSM has found that most malware is tailored for devices running on Windows. It is therefore appropriate to provide some product-specific information.

Recommendation:

44. Use security functionality built into the operating system. As a general rule, it is sensible to use security functionality built into the ICT product. For Windows it is recommended that you consider built-in security features such as “Attack Surface Reduction” (ASR) in order to block calls to powershell etc. from document macros and PDF macros (Adobe Reader). The “Controlled folder access” function is another built-in feature which permits only software approved by the enterprise to overwrite documents in defined file folders. This can stop encryption malware. See “Basic measures to protect against ransomware in Windows 10” (in Norwegian only) for the supplier’s recommendation. Please note that such functions may require you to use the supplier’s antimalware solution. You should therefore check whether similar functionality is offered with other antimalware solutions from other suppliers.

More information

“NSMs ICT security principles version 2.0” (in Norwegian only) offer advice on how to protect yourself against malware, amongst other things. Much of this article is a summary of the security measures described in NSMs ICT security principles.

The security measures listed in this article are also available in table format as a spreadsheet, only in Norwegian.

This article is partially inspired by an article issued by UK authorities, see “Mitigating malware and ransomware attacks”.

Change log

2023-03-30: First English version