*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

Protecting your organisation from ransomware


Cyber-crime is a business much like any other, tools and approaches used by attackers are constantly changing and adapting to suit the ever-changing digital environment, and as organisations improve and adapt their security measures, cyber criminals change their methods of attack. The use of ransomware is becoming an increasingly popular tool, used by attackers to exploit businesses and extort money from them. But what is ransomware, who is at risk, and how can these potential victims defend themselves?

What is ransomware?

Ransomware is a form of malware that encrypts the data held on an infected machine and demands a ransom – usually payable in Bitcoin and often tailored to the size of the company – in order to release it and regain access to the device. This piece of malware will often spread to other devices on the network, meaning a whole organisation can be affected from just one compromised device.

In addition to this there is absolutely no guarantee that once the ransom has been paid the devices in question will be decrypted. In fact, sometimes affected devices will be wiped entirely after the ransom payment has been received. Even if the data is decrypted, the computer is still infected with the original programme which could potentially be reactivated at any time if no action is taken to remove it. Often companies that have fallen victim to, and paid out during, ransomware attacks are more likely to be targeted again in the future as they have already been identified as ideal targets. For these reasons organisations are highly discouraged from paying the ransoms, however once the ransomware is in place it is often the only chance of restoring the original data. Often, it’s all too tempting to just pay the ransom and hope the data will be restored.

But all is not lost, even if an organisation does decide to pay the ransom it is possible for cyber security experts, such as norm’s own Cyber Security Incident Response Team (CSIRT), to remove the malware from infected devices and help put the appropriate measures in place to prevent similar attacks.

But don’t just take our word for it, here are some examples of real-life ransomware attacks.


One of the most famous examples of a ransomware attack, WannaCry infected around 230,000 computers around the world in 2017. The software specifically targeted devices running on Windows and held their contents to ransom, demanding a bitcoin payment within three days or the permanent deletion of all files.

Here in the UK the attack notably targeted around one third of NHS trusts, resulting in somewhere close to 19,000 appointments being cancelled and ambulances being incorrectly re-routed. Not only is this an example of business interruption with the loss of appointments costing the NHS approximately £92m, it is a terrifying one that left multiple people without urgent medical attention.

It is still unknown whether any files were recovered, even after paying the ransom, in this case. Reports claim that a fault in the software meant that any payment received could not be associated with the user it came from, suggesting that even when their demands were met the attackers had no way of knowing where the payment came from, resulting in the ransomware remaining in place.

As shocking as this case study sounds it isn’t all necessarily bad news, the WannaCry attack was only so proficient at infecting devices because it exploited a weakness in an old version of the Windows operating system, and older Windows devices which were no longer supported. This has since been patched via an update available to all Windows users. In this case simply keeping up to date with software updates and regular patching would have been enough to prevent the attack, this is one simple and easy measure that all organisations can implement to improve their defences against attack. Something as simple as frequent and regular penetration testing will help to highlight this and similar weaknesses to an organisation’s systems and is an invaluable tool in the fight against ransomware.

Chubb insurers:

By comparison, more recent news reported that cyber insurance giants, Chubb, had fallen victim to a ransomware attack. In this case the attack was carried out by a cyber-criminal group called Maze who posted a statement claiming to have encrypted and stolen personal data from Chubb’s systems. The group then posted a number of email addresses of executives as “proof” and demanded a payment in order to keep the rest of the data safe.

Chubb released a statement following this claiming that there was an ongoing investigation, involving working with an external cyber security provider, but that there was no evidence that their systems had in fact been affected. However, no further information surrounding the alleged attack has been provided since and it is unclear whether the claim was simply a publicity stunt from Maze or whether Chubb dealt with it internally and paid the ransom.

In the wake of these claims a report was produced by cyber security intelligence firm Bad Packets stating that their vulnerability scans of the Chubb network had found Citrix servers on the network which are vulnerable to the CVE-2019-19871 vulnerability, and that Chubb had a remote desktop server which could easily be accessed by the public. Both of these were revealed easily by vulnerability scans and are both are huge security concerns, with the FBI stating that public access to remote desktops is around “70-80% of the initial foothold that ransomware actors use” while the CVE-2019-19871 vulnerability is known to have been exploited in the past for external users to hack into networks and install ransomware.

Not only is it hugely damaging for the reputation of a cyber insurer to be vulnerable to the very ransomware attacks they insure against, it is also concerning from a data protection point of view. Insurance companies in particular hold vast amounts of personal data that relate to their clients, often including addresses, full names, income information, and payment details. These organisations have a significant duty to ensure this data is protected to the best of their ability.

How can you protect yourself?

Keeping up to date with any operating system patches and updates is a basic and easy to execute defence. Combining this with regular penetration testing, vulnerability scans and patching will help to identify any areas of weakness that could be exploited by an attacker as potential entry points into your networks. Not only do these provide an invaluable and detailed insight into an organisation’s weaker areas, they are often also a requirement from a compliance perspective. They should always be carried out by a third-party provider rather than an in-house IT team in the interests of independence.

As well as a technology perspective, businesses also need to ensure they are correctly and effectively training their staff. Malware doesn’t just enter through technological weaknesses in networks, attackers can also deploy social engineering tactics to trick staff into opening compromised links or documents sent in cleverly crafted messages designed to deploy malware onto a device. The best way to combat this is with effective and regular staff training specifically relating to cyber safety and phishing, which should also be designed and delivered by a third party.

At norm. we have made it easy to protect your networks from ransomware attacks and other cyber security threats. Our managed Cyber Security as a Service (CSaaS) package provides everything you need to identify weaknesses, put in place defences, and comply with requirements from regulatory bodies – all at one low monthly fee. It also includes monthly, jargon-free reporting which gives your overall cyber stress score and provides recommendations on how to improve it.

As part of our CSaaS offering, we also provide access to our Cyber Security Incident Response Team (CSIRT) which is available 24/7 and provides access to cyber security and data protection experts. Our team works alongside your staff from initial incident identification, containment, malware removal, through to restoration of your services. We also liaise with the ICO on your behalf, if required.

We know no business wants to be interrupted by systems going offline, visit our website page dedicated to preventing cybercrime from taking business offline for more in depth information.

If you have fallen victim to a ransomware attack our team can help and are always available on our hotline: 020 3855 5303, alternatively you can contact us via email at help@normcyber.com

Isabella Gibson

Written by Isabella Gibson
Isabella Gibson is a member of the norm. sales team. She joins the team with a BSc in Biology from the University of Bristol and puts her well developed research and data analysis skills in to good use in her role. She is currently focusing her research on the benefits and risks of an increasingly digital working environment.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group