Cybersecurity, Emails, Ransomware and Schools
Sir John Colfox Academy is a secondary school in Bridport, Dorset in the UK. The school has 828 students, aged between 11 and 18.
Attack
On a fateful work day, much like any other, a staff member received an email. This was one of the hundreds of emails received on a weekly basis. This however claimed to be a colleague at another Dorset school. Not thinking a malicious person would have sent this, the staff member opened the email and clicked on the content on February 28, 2019. While this may have seem innocent enough, the email actually appears to have been sent from China and forwarded from a server in Germany.
The click opened the door for the systems infection. The network had an issue. The malware was reported as ransomware and, as expected, immediately began to encrypt the files. The attackers, as with the next step of the ransomware playbook, demanded money to be paid to them for the decrypt key. The school consulted with a police expert regarding the substantial issue. After a review, it was noted the attack did not likely exfiltrate any school data, and staff, student and parent data was not on the system that was breached. The research into this indicated the attack may have been part of a much larger international operation.
Data
In particular for this case, Year 11 students submitted their coursework. This coursework was save on the school’s network. Due to the issue, the coursework in subject was lost. While the description is short, the devastation is significant. The hope is the student’s had this backed-up somewhere.
Mitigation
The school is working with the particular exam board to resolve the issue. They are also working with the Dorset Police cyber crime unit. Although there was the demand for funds, no payment was made. This is generally the policy to take due to the secondary potential issues with just making the payment. The school had to notify the parents and sent a letter explaining the issue.
Discussion
Targets are generally attacked to compromise their systems to gain access to data for exfiltration or to extort funds from them. In the early days, these may have been more of an exercise, however, the attackers have operationalized the model. Ransomware has proven itself to be a completely popular, viable, and successful attack tool. Over the last four years, this has been very profitable for the attackers.
Lessons Learned
Ransomware is used so often, it is becoming redundant. The frequency is mostly due to the simplicity of the attack, the financial awards, and this tends to shut down operations until the fee is paid (not advised) or the issue is remediated through installing back-ups, and a thorough review to ensure nothing was left behind by the attackers they could use later for re-entry.
There needs to be continued training for the staff. This removed a significant portion of opportunity for an issue. If the staff know what the usual forms of the attack are, these are less likely to be clicked on, and fewer systems would be infected. There also needs to be back-ups, which are regularly checked to ensure they are viable.
Resources
Hussain, D. (2019, March 14). Secondary school is being held to ransom after a ‘chinese cyber attack’ caused the loss of year 11 student’s GCSE coursework Retrieved from https://www.dailymail.co.uk/news/article-6808845/Secondary-school-held-ransom-cyber-attack-caused-loss-students-GCSE-coursework.html
Sjouwerman, S. (2019, March 14). GSCE coursework lost in ransomware attack on UK bridport school. Retrieved from https://blog.knowbe4.com/gcse-coursework-lost-in-cyber-attack-on-uk-bridport-school
Speck, D. (2019, March 15). GCSE coursework lost in ransomware attack. Retrieved from https://www.tes.com/news/gcse-coursework-lost-ransomware-attack
Wakefield, J. (2019, March 13). GCSE coursework lost in cyber attack in bridport school. Retrieved from https://www.bbc.com/news/uk-england-dorset-47551331
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.