Mitigating malware and ransomware attacks
Summary
This NCSC guidance explains how organisations can reduce the likelihood, spread and impact of malware — including ransomware. It outlines a defence-in-depth approach with layered mitigations, practical actions to prepare (backups, patching, filtering and hardening), and clear steps to follow if an infection occurs. The guidance emphasises backups, limiting delivery and spread, preventing execution on endpoints, and incident preparedness and response.
Source
Source: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
Key Points
- Use a defence-in-depth strategy: assume some malware will get in and layer mitigations to detect and limit impact.
- Make regular, offline and tested backups stored separately from the network; verify backups before restoring.
- Reduce delivery and spread by filtering mail, blocking malicious sites, protecting remote access (disable RDP if unused, enforce MFA, VPNs and IP allowlisting) and patching exposed services promptly.
- Prevent malware running on devices by centrally managing allowed applications, constraining scripting/macros, using up-to-date OSs and security software, and enabling host/network firewalls.
- Prepare an incident response plan: identify critical assets, create playbooks, communication strategies, legal reporting processes, and exercise recovery steps regularly.
- If infected: isolate affected devices immediately, consider network disconnection, reset credentials carefully, wipe and rebuild systems from clean backups, and scan/monitor before reconnecting.
- Paying ransoms is discouraged: payment doesn’t guarantee recovery, perpetuates crime and increases future targeting; offline backups and protective monitoring are better mitigations.
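The backup point above ("verify backups before restoring") is the one most organisations get wrong in practice: a backup that ransomware has already reached is not a backup. The script below is an added example, not code from the NCSC guidance. It builds a SHA-256 manifest of a backup set at the time the backup is taken and later compares a restore candidate against that manifest, flagging files that are missing, modified or unexpected (such as a ransom note dropped alongside encrypted data). The file names and contents are constructed for the demonstration.

```python
"""Backup integrity check (added example): build a SHA-256 manifest for a backup
set, then verify a restore candidate against it before anything is restored."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup artefacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under backup_root."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the files on disk with a manifest taken when the backup was made.

    Reports three classes of problem:
      missing    - listed in the manifest but no longer present
      modified   - present but the hash differs (e.g. encrypted in place)
      unexpected - present on disk but never part of the backup set
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(k for k in manifest.keys() & current.keys()
                      if manifest[k] != current[k])
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: manifest a small backup set, confirm it verifies clean,
    then simulate a copy that was altered after the manifest was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        # Constructed sample backup contents (not real data).
        (root / "db" / "customers.sql").write_bytes(
            b"INSERT INTO customers VALUES (1, 'alice');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest = build_manifest(root)      # store this copy offline / read-only
        clean = verify_backup(root, manifest)

        # Simulate what a restore check sees when ransomware has reached the backup
        # share: one file overwritten in place, one new file that was never backed up.
        (root / "db" / "customers.sql").write_bytes(b"\x00not the original bytes\x00")
        (root / "README_RESTORE.txt").write_bytes(b"constructed placeholder note\n")
        tampered = verify_backup(root, manifest)

        return {"manifest_size": len(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean backup ok:", result["clean"]["ok"])
    print("tampered backup report:", result["tampered"])
```

The manifest only helps if it is kept with the offline or offsite copy, not next to the live backup: anything an attacker can reach on the network they can rewrite, manifest included. In a real deployment the manifest would be produced by the backup job, written to read-only or air-gapped storage, and the verification run as the first step of every restore test the guidance asks you to exercise.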
Why should I read this?
Short version: read this if you care about keeping systems running and avoiding a nasty, expensive outage. It’s a compact, practical checklist from the UK’s NCSC — useful whether you’re hardening a large estate or just making sure backups actually work. Saves you the time of hunting through multiple sources for the essentials.
Author style
Punchy: this guidance is practical and action-focused. If you manage or protect systems, treat these recommendations as must-do basics rather than optional nice-to-haves.
Quick actions to take now
1. Verify and test offline backups; ensure at least one copy is air-gapped or offsite.
2. Disable unnecessary remote services and enforce MFA and IP allowlisting on remote access.
3. Patch exposed services and apply security updates promptly.
4. Implement application allowlisting or equivalent endpoint controls and constrain macros/scripting.
5. Build/exercise an incident response playbook and know who to contact (reporting links in the source).