Protecting Educational Institutions from Ransomware Attacks

Since August 2020, the National Cyber Security Centre has been investigating a growing number of ransomware attacks that are targeting schools, colleges and universities in the UK. Due to the prevalence of these attacks, it is imperative that educational institutions strengthen their defences and security posture to reduce the risk of being compromised.

Ransomware attacks have been a threat for organisations such as the NHS and multinational companies for a number of years, with many attacks being well publicised in the media. There is no denying that ransomware attacks are growing exponentially and they are becoming increasingly sophisticated, making them harder to detect and remediate.

The escalating number of ransomware attacks on educational institutions is a concern and one that schools, colleges and universities must take action against. In 2020, at least six universities in the UK paid a ransom to attackers who stole data from them, including the University of York, Leeds University and Oxford Brookes University.

There are only three ways to recover from a ransomware attack:

1. Pay the ransom and hope to get a decryption key

2. If sound backups are present, recover all data and all operations from your backups

3. Wipe everything and start again from scratch

Paying the ransom does not always mean that a decryption key will be given, and wiping everything and starting from scratch is rarely a viable option. The best option is recovering data and operations from backups, but these, of course, have to exist in the first place.

With a large number of access points from students and teachers accessing applications and systems from various geographical locations, coupled with legacy software and hardware and large amounts of personal data, it's not surprising that education establishments have become a target for cyber criminals.

An increase in remote working and learning, especially within universities, has made the problem worse, as every student laptop represents a different potential attack vector. Increased security and implementing the right policies and procedures can help educational institutions strengthen their defences.

There are key actions education establishments should consider undertaking to protect against ransomware attacks. These include:

Offline Backups

Having an offline copy of backups is critical to protect against a ransomware attack. An offline copy is a solution that requires physical access and does not have an IP address. True offline and immutable copies of backups ensure that in the event of an attack, education establishments will have a high level of confidence that they can restore data and recover operations without having to pay a ransom.

It is crucial that an offline copy should not have a firewall in front of it or access controls imposed, as these can always be compromised, and will be compromised during an attack.

Monitoring

Sufficient monitoring can help detect if an education establishment has been compromised. The industry-standard protection to alert to an attack is a SOC / SIEM, which usually works by either looking at logs or analysing the network traffic and then flagging suspicious actions such as a cyber attack taking place.

Without this type of functionality present, organisations may not know they are being attacked until the ransomware is deployed. Before deploying the ransomware, sophisticated attacking groups will profile networks and will generally have had access for a couple of months. Without a monitoring and alerting capability, their task of profiling your network and planning their attack is made much easier, resulting in a higher probability of a successful ransomware attack.

Response and Recovery

In the event of a ransomware attack, having a detailed and well-understood incident response plan or forensic readiness plan is essential to respond adequately. After any cyber attack, such as a ransomware attack, communication is one of the hardest challenges to overcome.

Users will not have access to their laptops or email and may not have all phone numbers stored on their mobile phone, making it very hard to communicate with other people across the educational institution to plan your response and recovery.

This is even more of an issue during COVID home working, where people are not in the same office. A clear response plan will therefore have predefined roles and responsibilities, and everybody should know what they are required to do in the event of an attack.

As a cyber security solutions provider, MTI Technology offers full remediation services, policy creation, solution deployments and managed services to ensure any gaps in your protection are mitigated and you are in a position to robustly defend against these attacks.

Next Steps

The increased threat of ransomware attacks targeted at educational institutions has made it more important than ever for schools, colleges and universities to strengthen their defences to mitigate the risk of being compromised.

Even the largest global organisations can have gaps in their defences, and few conduct a comprehensive assessment to evaluate the defences they have in place, review whether they are configured and implemented correctly, and understand how they could be attacked with ransomware. Even fewer have the right processes and procedures in place to successfully overcome an attack quickly and effectively.

Our expertise and experience in penetration testing services, security products and solutions, and managed services mean MTI Technology are uniquely placed to conduct a comprehensive assessment of your defences and capabilities and to provide recommendations on how your education establishment can strengthen its security posture and protect against ransomware attacks.

Get in touch to speak to one of our security experts to discuss your ransomware protection.