
Dealing with ransomware attacks is challenging enough in normal operating environments, but handling an attack during the coronavirus (COVID-19) pandemic adds further difficulties. While the basics of protecting your organisation shouldn’t change during this pandemic, there are some additional complications that need to be considered.

Ransomware isn’t going anywhere

Criminal groups are increasingly switching to COVID-19-themed lures for phishing attacks aimed at exploiting your consumers’ and employees’ concerns over the coronavirus and the safety of their friends and family.

There’s also evidence that remote working significantly increases the risk of a successful ransomware attack. This increase is caused by a combination of weaker controls on home IT networks and a higher likelihood of users clicking on COVID-19-themed ransomware lure emails given our levels of anxiety.

Some current ransomware lures include:

  • Information about vaccines, masks and short-supply commodities like hand sanitiser.
  • Financial scams offering government assistance payments during the economic shutdown.
  • Free downloads of high-demand technology solutions, such as video and audio conferencing platforms.
  • Critical updates to enterprise collaboration solutions and consumer social media applications.

We’ve also seen a move towards more creative ways of extorting ransoms. These include ‘double extortion,’ where ransomware encrypts your data and forces you to pay a ransom to get it back and then sends your data to the threat actor, who threatens to release your sensitive data unless further ransom is paid.

Three main challenges

During the coronavirus pandemic, your organisation faces three simultaneous challenges.

  • The threat landscape is evolving and using COVID-19 as a lure to more successfully deposit ransomware in your network.
  • Preventative and detective controls may have had to be adapted to permit more flexible working practices.
  • The security team is having to manage incidents in unfamiliar conditions, including lockdown, with playbooks that don’t cater to these operating modes.

But there are steps that organisations can take to protect their networks and their staff from attacks.

Educate staff on the threat

The security function, compliance team, and internal audit team may be described as the first, second and third lines of defence. But when it comes to phishing and ransomware attacks, users will always be on the front line, so educating them and making them aware of the threats is important.

Businesses can help staff spot COVID-19 email attachments and website links that could contain ransomware by showing typical attack examples and providing tips on recognising lures.

  • Offer staff a practical guide on what to do if their device is compromised. Reassure them about any personal threats received, provide details on who to call and what to do with the infected device including disconnecting it from the internet.
  • Reinforce a no-blame culture. It’s more important that staff feel confident to report incidents and allow the organisation to deal with the consequences.

Adapting to the new environment

There are some practical steps businesses can consider when defending their systems against ransomware during the coronavirus pandemic:

  • Ransomware can overwrite incremental and other online backups. Take regular, full system backups of servers, databases and filestores, and ensure the validity of those backups.
  • Consider an additional archive copy of key servers and data sets that are stored off-line or in a form that can’t be tampered with by a criminal who acquires domain administrator rights.
  • Patching critical vulnerabilities, even during change freezes, remains as important as ever, including on endpoint devices, with a particular focus on browser and productivity application vulnerabilities. Check whether devices are accepting updates by VPN.
  • Be more cautious in the configuration of email phishing controls. Flag emails which are external to the organisation, make it easy for employees to report suspicious emails (e.g. the report message add-in in Outlook), and use a COVID-19 community blocklist.
  • Consider more thorough checking of embedded email links, including blocking uncategorised websites, using Microsoft Advanced Threat Protection (ATP) Safe Links functionality or using a DNS filtering service such as Quad9 from the Global Cyber Alliance.
  • Many current attacks exploit scripting infections. Limiting the use of scripting languages and macros to users who need the functionality can reduce risk. Consider stricter ‘safelisting’ of programs to limit application use to productivity and necessary audio/video conferencing tools for most remote workers.
  • Encourage a stricter separation between personal and corporate devices; employees can use their own devices for personal email and browsing activity.
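
The email controls in the list above (flagging external senders and checking embedded links against a blocklist) can be sketched as a small triage function. This is an added example, not code from the original article; the internal domain, the blocklist entry and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"corp.example"}        # assumption: the organisation's mail domains
BLOCKLIST = {"covid-relief-pay.example"}   # constructed stand-in for a community blocklist feed
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def on_blocklist(host, blocklist=BLOCKLIST):
    """Match the host or any parent domain, so subdomains of a listed domain are caught."""
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def link_hosts(msg):
    """Collect hostnames from links in every text part of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname   # drops userinfo and port, lowercases
            except ValueError:                  # malformed URL: nothing to check
                continue
            if host:
                hosts.add(host)
    return hosts

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    reasons = []
    # An external sender whose display name mentions an internal domain is a common lure.
    if external and any(d in display.lower() for d in INTERNAL_DOMAINS):
        reasons.append("display name imitates an internal domain")
    bad = sorted(h for h in link_hosts(msg) if on_blocklist(h))
    reasons += [f"blocklisted link host: {h}" for h in bad]
    subject = ("[EXTERNAL] " if external else "") + msg.get("Subject", "")
    action = "quarantine" if bad else ("tag" if external else "deliver")
    return {"action": action, "subject": subject, "reasons": reasons}

# Constructed sample message, not taken from a real campaign.
SAMPLE = ('From: "corp.example IT Helpdesk" <alerts@covid-relief-pay.example>\n'
          "Subject: Government assistance payment\n\n"
          "Claim here: https://pay.covid-relief-pay.example/claim\n")
```

Calling triage(SAMPLE) quarantines the message; mail from an internal sender with no blocklisted links is delivered with its subject unchanged.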

Rethink the response

Think through how your organisation would deal with a ransomware incident during COVID-19 before it happens.

  • Review ransomware incident playbooks and ask whether physical lockdown restrictions may change the way the incident is managed.
  • Ensure incident response teams can travel, that they have letters confirming their status as critical workers if challenged, and that they're able to gain access to key sites/premises which may not be fully manned.
  • Consider the need to augment your incident response team if key team members are incapacitated or in self-isolation.
  • Assess if an alternate incident response coordination and collaboration mechanism is required if your corporate IT and standard conferencing systems are disrupted by ransomware.
  • If remote working devices are encrypted, is there a means to provide replacement devices to priority users, or enable BYOD access for those users?
  • If there’s a need to rebuild corporate devices used for remote working, how will those devices be returned, are there any necessary hygiene precautions, and what’s the process for rebuilding those devices?
  • Plan a recovery sequence for servers to ensure key business processes can get back up and running, and ask whether those priorities have changed given new working models and patterns of demand.
  • Be realistic regarding timelines for full restoration of business services, which may be weeks rather than days. Work with business continuity teams to look at mitigations and workarounds, which may limit customer or corporate impact.
  • Understand what support any retained cyber incident response firm and existing cyber insurance policy can provide. Again, there may be limitations on the support those firms can now offer, mainly if international travel is involved.
  • Refresh the policy on ransom payments, taking legal advice if appropriate.
  • Practise an incident drill while working remotely.

Cyber security matters more than ever during coronavirus, and the risk of ransomware has increased as a result of the shift to remote working.

Be clear on priority actions that need attention for the first 72 hours if a ransomware incident occurs. Where will your organisation get the support it needs? Does lockdown constrain the ability to respond? And does the new working model change the priorities for business restoration?

