by Jonathan Wharton-Street
The UK’s schools, colleges and universities are currently experiencing a surge in ransomware attacks, according to the National Cyber Security Centre (NCSC). While organisations in many verticals are being targeted by the same financially motivated threat actors, the education sector has arguably more to lose than most. With schools and unis playing catch-up after a year of lockdown disruption, they can ill afford more setbacks due to digital extortion.
Fortunately, best practice security to help mitigate risk in this area needn’t be onerous. The NCSC and Trend Micro have a wealth of resources and capabilities to help protect your organisation.
A cautionary tale
If you’re still unsure whether reports of ransomware are more media hype than reality, look no further than the Skinners’ Kent Academy Trust. The Ofsted-rated “outstanding” academy and primary schools were forced to close after being hit by ransomware on June 2. By targeting on-premises servers at the Tunbridge Wells-based schools, attackers encrypted student and staff emergency contact details, medical records, timetables and registers, making it impossible to keep the school open safely.
What’s more, attackers stole “a wealth of teaching resources” as well as school trip information, policies, HR files and a “significant” volume of staff data, and some student data including medical information. The trust was forced to ask parents to submit contact details, as these were also made inaccessible by the threat actors, and warned that their financial details may also have been taken.
It’s a classic example of how hard a ransomware attack can hit from out of nowhere. It could lead to lost teaching hours, student disruption, reputational damage and financial and fraud risks to name just a few.
Alongside the rise in targeted ransomware attacks on the education sector, Trend Micro has seen a dramatic rise in ransomware-related issues (34% more ransomware families than last year), especially sophisticated crypto-ransomware and the most recent Conti ransomware attacks. The issue concerns both students studying from home and education organisations with domain and off-domain machines to manage. Like many other cyber threats, ransomware has become more complex and advanced over time, which makes prevention and protection more challenging.
Ransomware can enter an organization through many vectors, such as email spam, phishing attacks, or malicious web downloads. For the highest level of protection, organizations are encouraged to deploy multiple layers of protection on endpoints, gateways, and mail servers.
What the NCSC recommends
The NCSC report singled out several main attack vectors and techniques used by ransomware actors today. These include phishing emails, hijacking RDP endpoints protected by weak or previously breached passwords, and exploiting vulnerabilities in VPNs and other software. Attackers also use legitimate tooling to move laterally through networks once inside, in order to remain hidden, it warned.
So what can be done to mitigate these risks? At a bare minimum, school, college and university IT security teams should have in place:
- A well-designed, frequently tested incident response plan as described here
- Effective vulnerability management and patching programmes
- Secure RDP using multi-factor authentication (MFA)
- Anti-malware everywhere from a reputable provider
- Anti-phishing capabilities including staff and student awareness-raising programmes
- Disabled or restricted scripting environments and macros
- Up-to-date and tested offline back-ups (use the 3-2-1 rule)
The NCSC’s Exercise in a Box online tool can help education sector organisations test the effectiveness of their mitigations in a safe environment.
Trend Micro has decades of experience protecting education sector customers from the latest cyber-threats. We understand that there’s no one-size-fits-all in this vertical: running IT for a small countryside primary school is a world away from securing a large city-centre university. That’s why we’ve developed a range of tools to block threats across multiple IT layers and improve incident detection and response.
In our next blog, we will be exploring some of these tools as well as a set of best practices we recommend organisations in the education sector apply.