Education is one of the sectors targeted most frequently by ransomware. What is it, and how can schools deal with it?
Government research shows that the number of education establishments experiencing cyber attacks is increasing, in contrast to a reduction in the number of businesses experiencing them. Shrinking IT budgets and the multiple ways ransomware can infiltrate schools can make this a daunting issue to address. So, what can schools do to mitigate the inevitability of an attack?
What is ransomware?
The word ransomware is a compound noun which refers to its two elements. It is software that has a nefarious purpose, otherwise known as malware. It encrypts devices and files to prevent access by users. And then the ransom part kicks in. The criminal gang that planted the ransomware on the system will demand payment to decrypt the files or devices. They may also threaten to leak the data or sell it to other criminal actors.
What happens if you fall victim to ransomware?
A ransomware attack generally has three stages – attack, activation and ransom demand. In the attack stage, the criminals gain access to your systems and install the malware. At the activation point, the malware is triggered to encrypt data and lock users out of devices. These stages can happen days, weeks or even months apart. Once attackers access a network, they can spend time seeking out how to inflict the most damage before activating the ransomware.
In the final stage, the criminals send the ransom demand, usually with a deadline for payment. Often, the form of payment demanded will be a cryptocurrency such as Bitcoin.
How can you reduce the impact of a ransomware attack?
Multiple data backups, including off-site in secure cloud storage, are crucial. The backup software should scan the backup files for malware, and the backup files should be stored immutably in the cloud. This prevents the backup from being infected and guarantees the recovery of clean data.
Your attitude should be that you will need to recover your data from some kind of breach, and that the ransomware will compromise any data connected to your live system at the time of the attack, including the backup you plan to restore from. Anything less gives a false sense of security. If at least one backup is offline at any given time, that copy will remain unaffected by any issues with your live system.
Data backup is the only dependable way of recovering from virus infection, accidental or deliberate file deletion and any data tampering. Implementing the right backup solution will provide a sound foundation to recover from cyber threats.
How can you prevent ransomware attacks?
Most ransomware attacks start with a seemingly innocent action from someone within the organisation. Clicking a link within an email or opening an attachment can be the trigger. Making staff aware of the techniques used by cyber criminals, and able to spot phishing attempts when they appear, is vital to protecting schools. Your staff are among your best defences. By providing staff training, schools can insulate themselves against the bulk of the phishing attempts that spread ransomware. The National Cyber Security Centre’s website provides free training materials to schools to support this type of training.
Protecting devices on your network with endpoint security protection will also help prevent malware infection. Protection should be capable of identifying ransomware attempts and automatically quarantining any malware which has managed to get into your systems. While some protection is better than having none at all, you should check that your anti-virus protection applies to all your devices and provides the type of cover schools and trusts need. Endpoint protection with Extended Detection and Response (XDR) provides comprehensive protection across cloud, email clients and other applications.
What to do if you are attacked
Government agencies such as the National Cyber Security Centre discourage paying ransomware demands. Paying a ransom does not guarantee that your data will become available again, nor that it won't already have been sold on the dark web. By paying, you will also have set a precedent as a useful target for future attacks.
If your school or trust uses the DfE's Risk Protection Arrangement, you should already have a cyber incident response plan. If you fall victim to an attack, implementing the response plan should be your first action. It’s likely that the plan will not cover every circumstance, but it will help you respond in a structured and calm fashion.
While it’s natural to wish to avoid broadcasting the fact that your school or trust is a victim of ransomware, you should report it to the NCSC via their website. This will help the NCSC ensure that its advice is up to date and may help others.
In conclusion, the three main considerations for protecting schools against the threat of ransomware are:
- making sure you can recover your data after a ransomware attack.
- using the people within the school to provide the intelligence to spot and report threats coming in.
- protecting the endpoints from infection and proliferation of malware by using a suitable and comprehensive endpoint protection solution.