Increase in Gootloader infections
NCSC has observed an increase in organisations across multiple sectors being infected by Gootloader.
Gootloader is believed to be a prevalent malware strain and a strong indicator of pre-ransomware activity. If an organisation detects Gootloader, it should act immediately to remove it, together with any further malware it may already have downloaded, to prevent the ransomware deployment that may follow.
As we currently understand the attack vector, it begins with a user searching for business-related documents and templates (for example financial agreements or business contracts) with a search engine. Gootloader's operators use search engine optimisation so that the results direct the user to a compromised website, where they are encouraged to download a file that appears to contain results relating to their search. The downloaded file contains a JavaScript file known as 'Gootloader' rather than the expected document.
If that file is downloaded and opened, the user's device is compromised and further malware may be downloaded, possibly leading to further compromise of the network that the device is joined to. NCSC believes Gootloader to be a prevalent strain of malware and a strong indicator that pre-ransomware activity could imminently follow once an organisation's IT infrastructure has become infected.
Mandiant specialises in cyber threat intelligence and has produced a report that tracks the evolution of Gootloader. The report also contains steps to take to identify whether your IT estate has been infected by Gootloader. See: Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations.
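The delivery pattern described above (a user downloads what looks like a business document from a search result, and what actually runs is a JavaScript file) can be hunted for in process-creation telemetry. The following is an added example written for this page, not code from NCSC or from the Mandiant report, and it does not rely on any Gootloader-specific indicator: it flags Windows Script Host (wscript.exe or cscript.exe, the default handlers for .js files on Windows) executing a .js file from a user download or temp directory, weighting the result by whether the file name is document-themed and whether it was launched interactively from Explorer. The event shape (a dictionary per event with Image, ParentImage, CommandLine, User and Computer fields, modelled on Sysmon Event ID 1), the score threshold and the lure words are assumptions chosen for the example, and the sample events are constructed, not real telemetry.

```python
"""Hunt for document-themed .js files executed by the Windows Script Host from
user download locations. Added example; not NCSC's or Mandiant's code.

Assumptions (not taken from the advisory): events are dicts shaped like Sysmon
Event ID 1 records; the scoring weights and threshold are illustrative.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# User-writable directories where a downloaded or extracted file typically lands.
USER_DROP_DIRS = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)

# Document-themed words matching the kind of search the advisory describes
# ("financial agreements and business contracts"). Assumed lure vocabulary.
LURE_WORDS = re.compile(
    r"(agreement|contract|template|invoice|policy|form)", re.IGNORECASE)

JS_EXT = re.compile(r"\.js\b", re.IGNORECASE)  # .js but not .json


@dataclass
class Finding:
    host: str
    user: str
    script_path: str
    score: int
    reasons: list


def script_argument(cmdline: str):
    """Return the first .js path on a command line (quoted or bare), or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        token = quoted or bare
        if JS_EXT.search(token):
            return token
    return None


def assess(event: dict):
    """Score one process-creation event; return a Finding if it crosses the threshold."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    path = script_argument(event.get("CommandLine", ""))
    if path is None:
        return None

    score, reasons = 1, ["script host executing a .js file"]
    if USER_DROP_DIRS.search(path):
        score += 2
        reasons.append("script lives in a user download/temp directory")
    if LURE_WORDS.search(path.rsplit("\\", 1)[-1]):
        score += 1
        reasons.append("document-themed file name")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":
        score += 1
        reasons.append("launched interactively from Explorer (double-click)")

    if score < 3:  # illustrative threshold: a .js run from a user dir alone qualifies
        return None
    return Finding(event.get("Computer", "?"), event.get("User", "?"), path, score, reasons)


def hunt(events):
    """Return findings for every event that matches the delivery pattern."""
    return [f for f in map(assess, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-0142", "User": "CORP\\jsmith",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jsmith\Downloads\business contract agreement template (49201).js"'},
    {"Computer": "WS-0142", "User": "CORP\\jsmith",          # legitimate-looking maintenance script
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\ProgramData\Vendor\maint.js'},
    {"Computer": "WS-0203", "User": "CORP\\akhan",           # a real document being opened
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\akhan\Downloads\contract.docx"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} score={f.score} {f.script_path}")
        for reason in f.reasons:
            print("   -", reason)
```

Only the first sample event is reported: the script run from a user's Downloads folder with a contract-themed name, double-clicked from Explorer. The scheduled-task-style script under ProgramData scores too low, and Word opening a genuine .docx is never a script-host execution at all. Feeding real Sysmon or EDR process-creation events through `hunt` gives a starting point for the identification steps the Mandiant report describes; any hit should be treated as the pre-ransomware indicator the advisory warns about.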
NCSC has produced guidance on steps to take to help you to defend your organisation against malware or ransomware incidents, see: Mitigating malware and ransomware attacks.
If your organisation has already been infected with malware, these steps may help limit the impact. See: Mitigating malware and ransomware attacks.
NCSC also provides a free service called Early Warning; this notifies organisations of various threats against their networks to allow for early detection and mitigation - see below for further details.
Experts challenge myths around reporting cyber attacks to help break cycle of crime
The six 'myths' which the NCSC and the ICO (Information Commissioner's Office) have identified as commonly held by organisations that have fallen victim to cyber incidents are:
- If I cover up the attack, everything will be OK.
- Reporting to the authorities makes it more likely your incident will go public.
- Paying a ransom makes the incident go away.
- I've got good offline backups, I won't need to pay a ransom.
- If there is no evidence of data theft, you don’t need to report to the ICO.
- You’ll only get a fine if your data is leaked.
Read more about these myths in the full blog, 'Experts challenge myths around reporting cyber attacks to help break cycle of crime'.
Early Warning service
The NCSC provides a free service to organisations to inform them of threats against their networks. This service processes a number of UK-focused threat intelligence feeds from trusted public, commercial and closed sources, which includes several privileged feeds not available elsewhere, and notifies organisations of events such as:
- incident notifications
- network abuse events
- vulnerability alerts.
Find out more about the service and register your organisation with Early Warning now.