National Cyber Security Centre
Alert: Further ransomware attacks on the UK education sector by cyber criminals
The NCSC is responding to further ransomware attacks on the education sector by cyber criminals.
This NCSC alert has been updated with additional information and advice following further ransomware attacks on the UK education sector during May and June 2021.
The alert was first issued on 17 September 2020 and previously updated on 23 March 2021.
The NCSC has previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.
As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK.
This recent campaign emphasises again the need for organisations in the sector to protect their networks to prevent ransomware attacks. The NCSC urges all organisations to follow our guidance on ‘Mitigating malware and ransomware.’ This advice was updated in March 2021 and details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.
The NCSC is also encouraging organisations in the sector to sign up to our Early Warning service. This free NCSC service uses a range of information feeds to notify organisations of malicious activity on submitted domains and IPs. More information, including how to sign up, is on our website at ncsc.gov.uk/earlywarning
The NCSC has produced a number of practical resources to help schools and other educational institutions improve their cyber security.
The NCSC continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities.
This report details recent trends observed in ransomware attacks on the UK education sector. This encompasses trends observed during August and September 2020, as well as the more recent attacks since February 2021. It also provides mitigation advice to help protect this sector from attack.
This alert is designed to be read by those responsible for IT and Data Protection at education establishments within the UK. Where these services are outsourced, you should discuss this Alert with your IT providers.
It is also important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services.
Due to the prevalence of these attacks, you should be sure to follow NCSC’s mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached.
Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.
Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a crypto currency.
More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.
Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest.
In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.
It is therefore vital that organisations have up-to-date and tested offline backups.
Common ransomware infection vectors
Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. However, in recent incidents, the NCSC has observed the following trends:
Attackers frequently target organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). They regularly exploit:
- weak passwords,
- lack of multi-factor authentication (MFA),
- unpatched vulnerabilities in software.
Remote Desktop Protocol (RDP) remains the most common attack vector used by threat actors to gain access to networks. RDP is one of the main protocols used for remote desktop sessions, enabling employees to access their office desktop computers or servers from another device over the internet. Insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices.
Often the attacker has previous knowledge of user credentials, through phishing attacks, from data breaches or credential harvesting. User credentials have also been discovered through brute force attacks because of ineffective password policies. Compromised credentials and remote access are frequently sold by cyber criminals on criminal marketplaces and forums on the dark web.
VPN vulnerabilities: Since 2019, multiple vulnerabilities have been disclosed in a number of VPN appliances (for example Citrix, Fortinet, Pulse Secure and Palo Alto). Ransomware actors exploit these vulnerabilities to gain initial access to targeted networks.
The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in remote access systems.
Phishing emails are frequently used by actors to deploy ransomware. These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.
Other vulnerable software or hardware
Unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. For example, on 11 March 2021 Microsoft reported that cyber criminals have exploited vulnerabilities in Microsoft Exchange Servers to install ransomware on a network.
Lateral movement and privilege escalation
Having acquired initial access to a network, an attacker will typically seek to navigate around the network, increase their privileges and identify high-value systems, often using additional tooling (such as Mimikatz, PsExec, and Cobalt Strike) to assist with this. They may also attempt to conceal their actions so that any subsequent investigation will be more difficult.
Recently we have also observed attackers seeking to:
- sabotage backup or auditing devices to make recovery more difficult,
- encrypt entire virtual servers,
- use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.
The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.
Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised. Further details can be found in the NCSC’s recently updated guidance on ‘Mitigating Malware and Ransomware’.
Disrupting ransomware attack vectors
Enable effective recovery
Practical resources to help schools
Latest News from
National Cyber Security Centre
Top of the class: Schools awarded by experts for high quality cyber teaching20/09/2021 12:20:00
Sixteen schools and colleges achieve recognition from the NCSC for excellence in cyber security education.
UK and US cyber security leaders meet to discuss shared threats and opportunities13/09/2021 11:15:00
National Cyber Security Centre CEO and Director of the US Cybersecurity and Infrastructure Security Agency meet in London.
Record number of teenagers sign up to develop cyber skills over summer26/08/2021 16:20:00
Participation at all-time high for CyberFirst summer courses, led by the National Cyber Security Centre (NCSC).
Email innovation simplifies takedown of cyber scams12/08/2021 14:15:00
Scam emails can be sent directly to SERS via a new button organisations can add to their Microsoft Office 365 accounts.
Tech startups join UK cyber experts to address security challenges11/08/2021 09:15:00
The first companies to work with the NCSC for Startups initiative have been selected.
Public can now report scam websites direct to the NCSC10/08/2021 11:15:00
A new reporting tool has been made available for the general public who come across scam websites.
NCSC lifts lid on three random words password logic09/08/2021 11:15:00
Cyber security experts recently (Friday) revealed in depth for the first time the logic behind their advice to use three random words when creating passwords.
UK and allies publish advice to fix global cyber vulnerabilities28/07/2021 15:25:00
A joint advisory from international allies has offered advice for the most publicly known software vulnerabilities.