A number of schools have recently been victims of cyber attacks, some of whom we have been working with to determine the extent of the data breaches. 

The current attacks seem to be directed at secondary schools causingsome to close for a week or work on reduced hours, while systems and data are recovered. Holidays and weekends are the main times for cyber criminals to attack because they can go undetected for a number of days.

1. West Oaks School in Leeds was attacked in August by the LockBit ransomware group, potentially the world's most prolific cybercrime organisation - its focus was extorting the school for data for children with special educational needs.  The attack took place in July.  Further information about how the LockBit ransomware can infiltrate systems is here: CISA Understanding Ransomware Threat Actors: LockBit.  Schools often use Microsoft Remote Desktop Service, TeamViewer, Fortinet VPN, SMB Shares and Papercut which all have vulnerabilities exploited by this group.
2. Debenham High School in Suffolk, a private Church of England secondary school was attacked at the start of the Autumn term.  BBC Report: Denham High School IT system hit by cyber attack.
3. St. Augustine Academy in Kent (part of Woodard Academies Trust) was attacked at the start of this term, with pupil and parental data encrypted.  The IT systems were down and included the school telephone lines and email.  Message from the head teacher: Message for parents. BBC Report: Secondary School hit by cyber attack.
4. Maiden Erlegh Trust in Berkshire told Bracknell News on September 5th that they were the victim of a sophisticated cyber attack.  Full report: Bracknell News.
5. Highgate Wood School in London was reported as having a cyber attack at the start of term.  BBC Report: Highgate Wood School closed following cyber attack.

Sky news reported that the NCSC has previously warned of an increase in ransomware attacks affecting the education sector. A Department for Education spokesperson said education providers are responsible "for ensuring they are aware of cybersecurity risks" and "putting the appropriate measures in place". This includes data backups and response plans for when an incident may occur.  Full Sky News Report: Schools warned of cyberattack as new year begins

Malwarebytes reports on the state of ransomware in education with an 84% increase over a 6 month period.

The NCSC has today published :Experts reveal latest insights into world of cyber criminals.  The report talks about the ransomware business model is seen most frequently as 'ransomware as a service'.  In this model, ransomware groups typically provide a web portal to enable affiliates/customers to customise their ransomware and obtain new builds with unique encryption keys per customer.  Many include a communications platform to make the ransom negotiation easier and more anonymous for the affiliate. Most ransomware will also include features to delete local backups to hinder recovery. Other features of the service include access to data leak sites, where affiliates can publish stolen data as an added incentive for victims to pay.

RaaS groups are often aware of western laws and regulations and use that knowledge to shape their criminal activity. Data leak sites became popular in the hope of pressuring victims that could face large fines under laws such as UK GDPR and the Data Protection Act 2018. While the threat of leaking sensitive data (whether intellectual property or personal data) often carries real weight with victims, the victim can be liable for not protecting the data, regardless of whether it becomes public on the leak site.

File on 4: Held to Ransom is a series of interviews with a Trust that suffered a cybercrime that affected 50 schools.

The DPE Knowledge Bank provides help and guidance for schools : Information and Cyber Security Best Practice Area.
Data Protection Education has published a series of articles to help with cyber security, cyber resilience and to raise awareness:

Information and Cyber Security News

Sources of information:

Research by London Grid for Learning and the NCSC.
The Record: Cybercriminals target UK school.
Cyber Management Alliance.

How to Report a Cyber Attack

Tell someone!  Report to IT. Report to SLT. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Government Cyber Incident Reporting Service: https://signpost-cyber-incident.service.gov.uk/

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD

Remember – ‘Hackers don’t break in they login’!