National Cyber Security Centre
Alert: Further ransomware attacks on the UK education sector by cyber criminals
The NCSC is responding to further ransomware attacks on the education sector by cyber criminals.
This NCSC alert has been updated with additional information and advice following further ransomware attacks on the UK education sector during May and June 2021.
The alert was first issued on 17 September 2020 and previously updated on 23 March 2021.
The NCSC has previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.
As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK.
This recent campaign emphasises again the need for organisations in the sector to protect their networks to prevent ransomware attacks. The NCSC urges all organisations to follow our guidance on ‘Mitigating malware and ransomware’. This advice was updated in March 2021 and details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.
The NCSC is also encouraging organisations in the sector to sign up to our Early Warning service. This free NCSC service uses a range of information feeds to notify organisations of malicious activity on submitted domains and IPs. More information, including how to sign up, is on our website at ncsc.gov.uk/earlywarning
The NCSC has produced a number of practical resources to help schools and other educational institutions improve their cyber security.
The NCSC continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities.
This report details recent trends observed in ransomware attacks on the UK education sector. This encompasses trends observed during August and September 2020, as well as the more recent attacks since February 2021. It also provides mitigation advice to help protect this sector from attack.
This alert is designed to be read by those responsible for IT and data protection at education establishments within the UK. Where these services are outsourced, you should discuss this alert with your IT providers.
It is also important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services.
Due to the prevalence of these attacks, you should be sure to follow the NCSC’s mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, and to plan and rehearse ransomware scenarios in the event that your defences are breached.
Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.
Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a cryptocurrency.
More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.
Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest.
In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.
It is therefore vital that organisations have up-to-date and tested offline backups.
Common ransomware infection vectors
Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. However, in recent incidents, the NCSC has observed the following trends:
Attackers frequently target organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). They regularly exploit:
- weak passwords,
- lack of multi-factor authentication (MFA),
- unpatched vulnerabilities in software.
Remote Desktop Protocol (RDP) remains the most common attack vector used by threat actors to gain access to networks. RDP is one of the main protocols used for remote desktop sessions, enabling employees to access their office desktop computers or servers from another device over the internet. Insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices.
Often the attacker has previous knowledge of user credentials, through phishing attacks, from data breaches or credential harvesting. User credentials have also been discovered through brute force attacks because of ineffective password policies. Compromised credentials and remote access are frequently sold by cyber criminals on criminal marketplaces and forums on the dark web.
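The brute-force pattern described above leaves a recognisable trail in the Windows Security log: a burst of failed RemoteInteractive (RDP) logons from one source, sometimes followed by a success once a weak password is guessed. The following detection logic is an added example, not NCSC code; the event records are constructed for the demo and mirror the fields of Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10.

```python
"""Flag RDP password guessing from Windows Security log records.

Added example, not part of the NCSC alert. The records below are
constructed for the demo; real deployments would read events 4625/4624
from the Security log or a SIEM and map them to the same tuple shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2021-06-01T02:00:01", 4625, 10, "admin", "198.51.100.7"),
    ("2021-06-01T02:00:03", 4625, 10, "administrator", "198.51.100.7"),
    ("2021-06-01T02:00:05", 4625, 10, "jsmith", "198.51.100.7"),
    ("2021-06-01T02:00:08", 4625, 10, "itsupport", "198.51.100.7"),
    ("2021-06-01T02:00:11", 4625, 10, "backup", "198.51.100.7"),
    ("2021-06-01T02:00:14", 4625, 10, "itsupport", "198.51.100.7"),
    ("2021-06-01T02:01:30", 4624, 10, "itsupport", "198.51.100.7"),  # guessed
    ("2021-06-01T08:15:00", 4625, 10, "teacher1", "192.0.2.20"),      # one typo
    ("2021-06-01T08:15:20", 4624, 10, "teacher1", "192.0.2.20"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts: one 'bruteforce' when a source IP reaches `threshold`
    failed RDP logons inside `window`, and a 'success_after_bruteforce'
    for any RDP success from an IP still above the threshold."""
    failures = defaultdict(list)  # source_ip -> failure timestamps in window
    alerts = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons
            continue
        when = datetime.fromisoformat(ts)
        # drop failures that have aged out of the sliding window
        recent = [t for t in failures[src] if when - t <= window]
        if event_id == 4625:
            recent.append(when)
            if len(recent) == threshold:  # fire once when the bar is crossed
                alerts.append(("bruteforce", src, account, ts))
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", src, account, ts))
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A 'success_after_bruteforce' hit is the one to treat as a live incident, since it indicates a credential that was guessable without MFA standing in the way.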
VPN vulnerabilities: Since 2019, multiple vulnerabilities have been disclosed in a number of VPN appliances (for example Citrix, Fortinet, Pulse Secure and Palo Alto). Ransomware actors exploit these vulnerabilities to gain initial access to targeted networks.
The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in remote access systems.
Phishing emails are frequently used by actors to deploy ransomware. These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.
Other vulnerable software or hardware
Unpatched or insecure devices have commonly been used by ransomware attackers as an easy route into networks. For example, on 11 March 2021 Microsoft reported that cyber criminals had exploited vulnerabilities in Microsoft Exchange Servers to install ransomware on a network.
Lateral movement and privilege escalation
Having acquired initial access to a network, an attacker will typically seek to navigate around the network, increase their privileges and identify high-value systems, often using additional tooling (such as Mimikatz, PsExec, and Cobalt Strike) to assist with this. They may also attempt to conceal their actions so that any subsequent investigation will be more difficult.
Recently we have also observed attackers seeking to:
- sabotage backup or auditing devices to make recovery more difficult,
- encrypt entire virtual servers,
- use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.
The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.
Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised. Further details can be found in the NCSC’s recently updated guidance on ‘Mitigating Malware and Ransomware’.
Disrupting ransomware attack vectors
Enable effective recovery
Practical resources to help schools