zephyr_p - stock.adobe.com

Ransomware attack on London schools highlights warnings

Ransomware attack on Harris Federation comes just days after a fresh NCSC alert for the education sector

A disruptive cyber attack on a “chain” of schools in London and the South East, which has left around 37,000 pupils unable to access email, has again highlighted the vulnerability of educational institutions to targeted ransomware attacks, coming just days after the UK’s National Cyber Security Centre (NCSC) warned of a spate of such incidents.

The Croydon-based Harris Federation, which runs 48 primary and secondary academies, uncovered the ransomware attack by an as-yet unnamed operator on Saturday 27 March.

The incident is thought to be the fourth such attack on a multi-academy trust this month.

In the wake of the attack, the organisation has temporarily disabled its email, while its VoIP telephone systems are also offline, with calls to school switchboards now being diverted to a temporary mobile number. In cases where pupils have devices procured through the organisation, these have been disabled at the time of writing are unusable.

Following what has become standard disclosure terminology, the Harris Federation described the attack as “highly sophisticated” and said it was having a “significant impact” on its schools. It has already brought in independent cyber forensics, the National Crime Agency (NCA), and the National Cyber Security Centre (NCSC)

“We know that some families will have important individual concerns around data and that in these cases you will want to know more about the nature of the attack,” said the trust in a statement.

“Because we do not want to risk providing incorrect information, we will communicate further once we have clarity and liaise as appropriate with the Information Commissioner’s Office [ICO].” 

Public sector protection

ImmuniWeb’s Ilia Kolochenko said the Harris Foundation’s misfortune highlighted the need for the UK government to do more to protect the public sector from ransomware.

“Government should urgently intervene with cyber training, financial and technical support in the UK educational sector,” said Kolochenko. “For example, when buying security software, a volume-discount for all schools in the UK could be huge and make even premium security products affordable.

“Importantly, cyber police units are also deprived of sufficient funding proportional to surging and sophisticated cyber crime. Law enforcement agencies require undelayed financial support to attract new professionals, align forensic capacities with modern cyber threats and perform educational support and awareness among future victims.”

BlackBerry EMEA vice-president Adam Bangle added: “To ensure the continuity of education, especially in the context of remote learning, we encourage the government to consider the impact on individuals’ well-being and ensure security, productivity and user experience. If these devices become infected with a virus or malware, they can expose sensitive personal information that students share during the learning process.

“This should be an alarm bell for the public sector, a demonstration of the need to secure each and every endpoint. Even the smallest chink in the nation’s digital armour could spell disaster.”

The NCSC’s updated guidance for the education sector – which was launched following a series of attacks on universities, can be accessed in full here.

It includes information on how ransomware operators penetrate their target networks and establish a beach-head before deploying their payload, as well as guidance on disrupting attack vectors, and enabling effective recovery without the need to engage with the attackers or pay a ransom, which is a response that is best avoided.

Read more about ransomware

  • Ransomware negotiators are brought in to communicate with cyber criminals and hopefully arrange less expensive payments. How often do they succeed?
  • A ransomware attack on cloud storage can have catastrophic effects. Cloud storage is still online, which means it is susceptible to some cyber attacks, so users must be careful.
  • Retailer FatFace paid out a $2m ransom to restore its data following a January 2021 cyber attack by the Conti ransomware syndicate.

NCSC operations director Paul Chichester said: “Any targeting of the education sector by cyber criminals is completely unacceptable. This is a growing threat and we strongly encourage schools, colleges and universities to act on our guidance and help ensure their students can continue their education uninterrupted.

“We are committed to ensuring the UK education sector is resilient against cyber threats, and have published practical resources to help establishments improve their cyber security and response to cyber incidents.”

Kolochenko said that since cyber criminals find ransomware to be highly profitable and virtually risk free – due attention paid to operational security and the use of cryptocurrencies makes such campaigns hard to track and investigate – they were likely to continue to operate with impunity.

“Cyber criminals are shrewd and pragmatic and will deliberately launch attacks on the most vulnerable victims including schools and colleges,” he said.

“Unlike large universities, which can afford spending considerable budgets on cyber security, primary schools often struggle to get budgets even for the very foundational security controls, let alone advance cyber defence solutions.

“Worse, such victims commonly have no choice but to pay the ransom from modest school funds, leaving no money for other activities.”

Next Steps

Ransomware Task Force takes aim at cryptocurrencies

Read more on Hackers and cybercrime prevention