Source : https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
The NCSC has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities.
This alert details recent trends observed in ransomware attacks on the UK education sector. It also provides mitigation advice to help protect this sector from attack.
This alert is designed to be read by those responsible for IT and Data Protection at education establishments within the UK. Where these services are outsourced, you should discuss this alert with your IT providers.
Since August 2020, the NCSC has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities.
Due to the prevalence of these attacks, you should be sure to follow NCSC’s recently updated mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached.
Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.
Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a cryptocurrency.
More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.
Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to re-enable critical services. These events can also be high profile in nature, with wide public and media interest.
Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they find. However, in recent incidents, the NCSC has observed the following trends:
Upon initial access to a network, an attacker will attempt to move around the network, increase their privileges and seek out high-value systems, often using additional tooling to assist with this. They will also attempt to cover their tracks so that any subsequent investigation will be more difficult.
Recently, attackers have also been seen to:
The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.
Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised.
This report draws on information derived from the NCSC based on our observations of this activity as well as partners and victim organisations. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.