The @NCSC is responding to further targeted ransomware attacks on the education sector by cyber criminals.

Since late February 2021, an increased number of ransomware attacks have affected education establishments in the UK, including schools, colleges and universities.

The NCSC previously acknowledged an increase in ransomware attacks on the UK education sector during August and September 2020. The NCSC has therefore updated this Alert in line with the latest activity.

The NCSC urges all organisations to follow our guidance on ‘Mitigating malware and ransomware.’ This details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.

The NCSC continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities.

This report details recent trends observed in ransomware attacks on the UK education sector. This encompasses trends observed during August and September 2020, as well as the more recent attacks since February 2021. It also provides mitigation advice to help protect this sector from attack.

This alert is designed to be read by those responsible for IT and Data Protection at education establishments within the UK. Where these services are outsourced, you should discuss this Alert with your IT providers.

It is also important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services.

Due to the prevalence of these attacks, you should be sure to follow NCSC’s mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached.


Ransomware

Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.

Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a crypto currency.

More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.


Impact

Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest.

In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.

It is therefore vital that organisations have up-to-date and tested offline backups.

For further information see the NCSC’s Offline backups in an online world blog post as well as the NCSC’s guidance on backing up your data.


Common ransomware infection vectors

Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. However, in recent incidents, the NCSC has observed the following trends:

Remote access

Attackers frequently target organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). They regularly exploit:

  • weak passwords,
  • lack of multi-factor authentication (MFA),
  • unpatched vulnerabilities in software.

Remote Desktop Protocol (RDP) remains the most common attack vector used by threat actors to gain access to networks. RDP is one of the main protocols used for remote desktop sessions, enabling employees to access their office desktop computers or servers from another device over the internet. Insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices.

Often the attacker has previous knowledge of user credentials, through phishing attacks, from data breaches or credential harvesting. User credentials have also been discovered through brute force attacks because of ineffective password policies. Compromised credentials and remote access are frequently sold by cyber criminals on criminal marketplaces and forums on the dark web.
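The password-guessing pattern described above leaves a trail in Windows Security logon events. The following is an added example, not part of the NCSC alert: it assumes logon events exported to CSV with the column names shown, runs over constructed sample rows, and treats five failures in five minutes as an assumed tuning value.

```python
# Added example: flag RDP password guessing in Windows Security logon events.
# Every row, user name and address below is constructed sample data.
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"           # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"          # Windows Security event: an account logged on
RDP_LOGON_TYPES = {"3", "10"}   # 10 = RemoteInteractive, 3 = Network (seen with NLA)
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 5                   # assumed tuning value

# Assumed CSV export format (column names are hypothetical).
SAMPLE_EVENTS = """time,event_id,logon_type,user,source_ip
2021-03-01T02:10:00,4625,3,admin,203.0.113.50
2021-03-01T02:10:20,4625,3,administrator,203.0.113.50
2021-03-01T02:10:41,4625,3,teacher,203.0.113.50
2021-03-01T02:11:02,4625,3,office,203.0.113.50
2021-03-01T02:11:30,4625,3,j.smith,203.0.113.50
2021-03-01T02:11:55,4625,3,j.smith,203.0.113.50
2021-03-01T02:13:10,4624,10,j.smith,203.0.113.50
2021-03-01T08:55:00,4625,10,a.jones,198.51.100.7
2021-03-01T08:55:30,4625,10,a.jones,198.51.100.7
2021-03-01T08:56:05,4624,10,a.jones,198.51.100.7
2021-03-01T09:00:00,4625,2,lab-pc,-
"""


def parse_events(text):
    """Parse the CSV export, keep remote logon types only, sort by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console and service logons are out of scope here
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return findings for failure bursts and for a success soon after a burst."""
    failures = defaultdict(deque)   # source_ip -> times of recent failed logons
    alerted = set()                 # sources already reported for the current burst
    last_burst = {}                 # source_ip -> time of latest failure within a burst
    findings = []
    for ev in events:
        src, ts = ev["source_ip"], ev["time"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if not recent:
            alerted.discard(src)    # burst is over, allow a fresh alert later
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ts)
            if len(recent) >= threshold:
                last_burst[src] = ts
                if src not in alerted:
                    alerted.add(src)
                    findings.append({"kind": "failed_logon_burst", "source_ip": src,
                                     "time": ts, "failures": len(recent)})
        elif ev["event_id"] == SUCCESS_LOGON:
            # A success shortly after a burst suggests a guessed or stolen password.
            if src in last_burst and ts - last_burst[src] <= window:
                findings.append({"kind": "success_after_burst", "source_ip": src,
                                 "time": ts, "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The second finding is the one to escalate first: the account that logged on after the burst should be treated as compromised until its password is reset and MFA is enforced.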

VPN vulnerabilities: Since 2019, multiple vulnerabilities have been disclosed in a number of VPN appliances (for example Citrix, Fortinet, Pulse Secure and Palo Alto). Ransomware actors exploit these vulnerabilities to gain initial access to targeted networks.

The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in remote access systems.

Phishing

Phishing emails are frequently used by actors to deploy ransomware. These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.

Other vulnerable software or hardware

Unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. For example, on 11 March 2021 Microsoft reported that cyber criminals have exploited vulnerabilities in Microsoft Exchange Servers to install ransomware on a network.


Lateral movement and privilege escalation

Having acquired initial access to a network, an attacker will typically seek to navigate around the network, increase their privileges and identify high-value systems, often using additional tooling (such as Mimikatz, PsExec, and Cobalt Strike) to assist with this. They may also attempt to conceal their actions so that any subsequent investigation will be more difficult.

Recently we have also observed attackers seeking to:

  • sabotage backup or auditing devices to make recovery more difficult,
  • encrypt entire virtual servers,
  • use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.


Mitigation

The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.

Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised. Further details can be found in the NCSC’s recently updated guidance on ‘Mitigating Malware and Ransomware’.


Cyber security alert issued following rising attacks on UK academia 

The NCSC issued (17 September 2020) an alert to the academic sector following a spate of online attacks against UK schools, colleges and universities.

Cyber security experts have stepped up support for UK schools, colleges, and universities following a spate of online attacks with the potential to de-rail their preparations for the new term.

The National Cyber Security Centre (NCSC) issued an alert to the sector containing a number of steps they can take to keep cyber criminals out of their networks, following a recent spike in ransomware attacks.

The NCSC dealt with several ransomware attacks against education establishments in August, which caused varying levels of disruption, depending on the level of security establishments had in place.

Ransomware attacks typically involve the encryption of an organisation’s data by cyber criminals, who then demand money in exchange for its recovery.

With institutions either welcoming pupils and students back for a new term, or preparing to do so, the NCSC’s alert urges them to take immediate steps such as ensuring data is backed up and that copies are also stored offline.

They are also urged to read the NCSC’s newly-updated guidance on mitigating malware and ransomware attacks, and to develop an incident response plan which they regularly test.

Paul Chichester, Director of Operations at the NCSC, said:

“This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible.

“While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted.

“We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves.”

The new alert, Targeted ransomware attacks on the UK education sector by cyber criminals, supplements existing support that the NCSC, which is a part of GCHQ, provides academic institutions across the UK.

Examples of this include advice on the questions governing bodies and trustees should ask school leaders to improve a school’s understanding of cyber security risks, and the distribution of information cards which help staff understand how they can raise their school’s resilience to attack.

David Corke, Director of Education and Skills Policy at the Association of Colleges, said:

“As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance.

“This needs a whole college approach and for a focus wider than just systems, it needs to include supporting leaders, teachers and students to recognise threats, mitigate against them, and act decisively when something goes wrong.

“This guidance will prove incredibly useful for colleges to ensure that they can do just that.”

Steve Kennett, Executive Director of e-infrastructure at the higher education support body Jisc, said:

“Jisc welcome the NCSC support in dealing with the current spate of ransomware impacting the UK Education and Research community.

“We encourage everyone to review the latest guidance from the NCSC and take the time to assess the risks to their organisation.”

Institutions that have been infected with ransomware have seen their ability to operate effectively and deliver services significantly obstructed and, depending on an organisation’s level of resilience, it can take weeks – and in some cases months – for services to return to normal.

Often the aim of cyber criminals deploying ransomware is to encrypt data that will have the most impact on an organisation’s services. This can affect access to computer networks as well as services including telephone systems and websites.

The NCSC has recently updated its ransomware and malware guidance, which is generally applicable to organisations in all industries in the UK. Additions to this include updated information on attackers’ modus operandi and advice on preparing for an incident.

Recent research, based on an FOI campaign from Redscan in July 2020, reveals that half of UK universities reported a breach to the ICO in the last 12 months. The FOI also revealed that a quarter of universities haven’t commissioned a pen test from an external provider in the last year, while only 54% of university staff nationwide have received security training.

Redscan CTO, Mark Nicholls, said:

“UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats.

“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches.

“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.

“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”

Andy Warren, UK&I Director, Public Sector, at Veritas Technologies, said:

“2020 has shown us that when it comes to ransomware attacks, it is a matter of if, not when. With many students relying on virtual lectures, downtime caused by ransomware will have a massive impact on their education and on universities’ ability to provide the services they charge for. And this is to say nothing about data compliance.

“Breaches can do some serious, long-lasting damage. The best defence against this constantly evolving threat is a comprehensive approach to data security involving staff and student education, intrusion security, email and spam filters, antimalware, endpoint protection software and backups. Data is arguably the single most precious asset to a university but, to keep it safe, you need a strong foundation of management and best practice.

“If a robust data protection solution is in place and hackers demand ransom, universities can walk away from the criminal's threats safe in the knowledge that they have alternative copies of their data stored safely elsewhere.”

Luke Budka, head of digital PR and SEO at TopLine Comms, the agency that submitted the requests, says:

“The recent revelation that hackers extorted $1.14m from the University of California prompted us to submit requests to UK universities asking for details on ransomware attacks and ransom amounts paid. We were naturally most interested in Russell Group universities as their research focus suggests they’ve got the most valuable intellectual property.

“Of the 18 Russell Group universities that responded, all but three refused to answer the questions submitted. The University of Manchester admitted it had been attacked but said it didn’t record when; The University of Sheffield was attacked in 2015 and The University of Edinburgh stated it had not been attacked in the last ten years.”

One third of UK universities have been subjected to ransomware attacks according to Freedom of Information requests submitted to 134 universities in July 2020.

Of the 105 universities that responded, 35 universities admitted to being attacked (33%), 25 universities said they hadn’t been (24%) and 43 universities refused to answer (45%) – full list can be accessed here.

Refusals typically centred around the universities’ concerns that admission of attack would encourage further misdemeanours (typically citing 31.1.a of the FOIA – ‘the prevention or detection of crime’). They stated that no inference as to whether they’d be attacked or not, should be drawn from the refusal that the information requested does or does not exist.

Certain universities, including the University of Oxford, felt that their profiles made them more likely to be attacked. Oxford notes: “…launching a successful attack would then be regarded in criminal circles as a noteworthy achievement, particularly in view of Oxford’s high public profile.”   

Of all the 35 universities that admitted they were attacked, 34 confirmed they did not pay ransoms. The remaining university, Liverpool John Moores, refused to reveal whether it’d paid a ransom or not.

The majority of incidents happened in 2015 (31% of incidents), 2016 (34%) and 2017 (23%).

With most universities reporting isolated incidents, Sheffield Hallam University and City, University of London stood out, reporting 42 attacks since 2013, and seven attacks since 2014, respectively. 
