Lessons from a Ransomware Attack

This isn’t my usual kind of blog. It’s about how our school responded to a ransomware attack and what we learned. As it turns out, not everyone talks about this so malware attacks on schools may be more of a problem than many of us realise. 

We first noticed the attack on the morning of 17th July, when we found that several documents on our fileserver were encrypted. It seemed at first that only some files on one server were affected, but then it became apparent that files on another were also encrypted. We decided to shut down all our servers to halt any spread of the infection. This of course meant that the school had no ICT facility: teachers had no access to lesson resources, and there was no access to our information management system.

Our excellent ICT team identified the ransomware as ‘.Aleta’ and discovered that the infection had occurred at around 6.30am on the previous Saturday, 15th July, on a server used by all the schools in our academy group, despite our use of security software. The finance ser… We later learned from the police that this type of malware is most frequently spread via remote desktop access protocols. Our ICT team worked all that day and the next to wipe the system clean and restore files from a full backup made on Friday 14th July. As a result we were only without ICT for a day, although some facilities were only restored on the second day.
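
Dating the infection and mapping what it touched is the first thing an ICT team needs from a hit file share, and it is how a window like "around 6.30am on Saturday" is established. The block below is an added example, not the school's ICT team's tooling: it walks a share looking for files that carry the ransomware's appended extension (".aleta" is assumed here as the marker of the family named above; change it to whatever you actually see), brackets the infection window from the earliest and latest modification times of those files, flags likely ransom notes by name, and ranks the folders hit. The sample share it builds is constructed purely for the demonstration.

```python
"""Post-incident triage of a file share: find files carrying the ransomware's
extension, bracket the infection window from their timestamps, and rank the
folders hit.  This is an added example, not the school's own tooling."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: like the ".aleta" family named in the post, the ransomware appends
# a fixed extension to every file it encrypts and drops a note in affected folders.
# The extension and note-name hints are parameters, not facts taken from the post.
ENCRYPTED_EXT = ".aleta"
NOTE_HINTS = ("decrypt", "readme", "help", "how_to")


@dataclass
class Triage:
    encrypted: List[str]          # paths of encrypted files
    notes: List[str]              # paths of probable ransom notes
    first_mtime: Optional[float]  # epoch seconds of the earliest encrypted file
    last_mtime: Optional[float]   # ... and the latest: together they bracket the run
    by_dir: Dict[str, int]        # directory -> number of encrypted files


def looks_like_note(name: str) -> bool:
    """Ransom notes are usually small text/HTML files with a telling name."""
    lower = name.lower()
    return lower.endswith((".txt", ".html", ".hta")) and any(h in lower for h in NOTE_HINTS)


def triage_share(root: str, ext: str = ENCRYPTED_EXT) -> Triage:
    """Walk the share read-only and collect the evidence an IR lead asks for first."""
    encrypted, notes, by_dir = [], [], {}
    first = last = None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ext):
                encrypted.append(path)
                by_dir[dirpath] = by_dir.get(dirpath, 0) + 1
                # The encryptor writes the ciphertext as a new file, so its
                # modification time is close to the moment that file was hit.
                mtime = os.stat(path).st_mtime
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            elif looks_like_note(name):
                notes.append(path)
    return Triage(encrypted, notes, first, last, by_dir)


def report(t: Triage) -> str:
    """Human-readable summary: counts, the time window, and the worst-hit folders."""
    def fmt(ts: float) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

    lines = [f"encrypted files: {len(t.encrypted)}", f"ransom notes:    {len(t.notes)}"]
    if t.first_mtime is not None and t.last_mtime is not None:
        lines.append(f"window:          {fmt(t.first_mtime)} .. {fmt(t.last_mtime)}")
    for directory, count in sorted(t.by_dir.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {count:5d}  {directory}")
    return "\n".join(lines)


def build_sample_share() -> str:
    """Constructed sample data: a tiny share with a few hit and untouched files.
    Modification times are set around 06:30 UTC on 2017-07-15 for the demo."""
    root = tempfile.mkdtemp(prefix="share-")
    sample = [
        ("finance/budget.xlsx.aleta", 1500100200),           # 2017-07-15 06:30:00 UTC
        ("finance/HOW_TO_DECRYPT.txt", 1500100200),          # ransom note
        ("staff/resources/lesson1.docx.aleta", 1500100260),  # 06:31:00
        ("staff/resources/lesson2.docx.aleta", 1500100320),  # 06:32:00
        ("staff/resources/notes.txt", 1499000000),           # untouched, older
        ("public/timetable.pdf", 1499000000),                # untouched
    ]
    for rel, mtime in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    print(report(triage_share(build_sample_share())))
```

Run it against the share root with a read-only account and before any restore, because the restore overwrites exactly the evidence this collects. Line the window up with VPN and remote-desktop logon events and the security software's own logs to find the account and host the encryptor ran from; and treat the timestamps as an approximation, since some families copy the original timestamps onto the encrypted file.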

We warned the schools in our Multi-Academy Company and other local schools. We weren’t using email, so we did it the old fashioned way, by phone. It was quite hard to talk to a human being at some schools!  We reported the incident to Thames Valley Police who also urged us to report it to Action Fraud, who coordinate with the National Fraud Intelligence Bureau. In reporting this attack, I learned from the police that not everyone does so, or chooses to report the details to Action Fraud. I can only speculate as to why this is – perhaps they don’t want adverse publicity, or to indicate that there may have been a vulnerability in their systems. Presumably a proportion of victims pay, or why would such attacks continue?  It seemed to us that adding our small piece of the jigsaw to the database of such attacks was the only way we could help tackle them. Action Fraud told me that the perpetrators would undoubtedly be based overseas and there was little chance of bringing them to justice in the short term, but thanked us because every piece of additional information helps build a picture of this type of criminal activity, providing insights into how to counter it. Reporting the details of the crime also enabled the police to give us specific advice on how to deal with it. We didn’t need this help because we had a recent backup we could use to restore our system, but the police do have a database which can be used to decrypt many files affected by such attacks.

We did not contact the authors of the malware and we certainly didn’t pay a ransom, nor would we. Quite apart from the obvious moral argument about paying criminals and so helping fund and encourage their further activities, to do so seemed foolish in the extreme. We didn’t open any of the ‘ransom’ files placed on our network, but found screenshots of the instructions they contained on the internet. We weren’t asked for a specific amount but told that the fee, in bitcoin, would depend on how soon we responded. In exchange for payment, we would be sent a file to unlock the encrypted files. Deliberately launching an executable file sent by criminals didn’t sound like a good idea!


Lessons we learned

  1. This is what a critical incident plan is for! It’s essential to have a plan in place to cover the network going down – for example hard copy contact details for pupils, so you can contact home, and a hard copy of the timetable, so you know where everyone should be. Think about how often you access school information on a computer – how would you get that same information without a network?
  2. It pays to back up your network. For our school, a regular backup protocol meant that we could restore our systems and suffered only minimal loss of data. For teachers, the message is to also back up your own files, and keep the copy away from the network and the school premises. We all know this, but do we all do it?
  3. Remote access is used by many schools and can be a real help to staff. Remote Desktop Protocol (RDP) is a known chink in the armour of network security, however, so how confident are you that yours is protected? It’s worth checking.
  4. If it happens, it’s really worth reporting it. It helps tackle this kind of fraud, assists others, and also allows you to access help and support.
  5. We were fortunate in having a team with the expertise to deal with this situation. Are your IT team prepared? Is there any training you need to provide?
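
Lesson 3 says the remote desktop door is worth checking; this is what a check looks like. The block is an added example and not from the original post: it sends the RDP connection request defined in MS-RDPBCGR (TPKT, X.224 Connection Request, RDP_NEG_REQ), asking for Standard RDP Security only, and interprets the server's answer. A server that enforces Network Level Authentication refuses with HYBRID_REQUIRED_BY_SERVER, so a password guesser never reaches the logon screen; a server that accepts, or merely asks for TLS, lets an unauthenticated client all the way in to the logon prompt. The fake_rdp_server and make_confirm helpers are constructed stand-ins so the example runs offline; for the real answer run probe_rdp against your public address from outside the school network.

```python
"""Probe a host to see whether RDP is reachable and whether it enforces Network
Level Authentication (NLA).  Added example, not code from the original post.  It
sends the X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR) and
interprets the Connection Confirm, which is also how scanners enumerate RDP
security settings."""
import socket
import struct
import threading
from typing import Dict

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols flags
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_request(protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes, no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # type, flags, length, requestedProtocols
    x224_cr = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req    # LI=14, CR code, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224_cr)) + x224_cr


def parse_response(data: bytes) -> Dict[str, object]:
    """Classify the X.224 Connection Confirm the server sends back."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return {"status": "not-rdp"}
    if len(data) < 19:
        # A bare Connection Confirm without RDP_NEG_RSP is an old server that
        # only speaks Standard RDP Security (no TLS, no NLA).
        return {"status": "accepted", "protocol": PROTOCOL_RDP}
    typ, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"status": "negotiation-failure", "code": FAILURE_CODES.get(value, value)}
    if typ == TYPE_RDP_NEG_RSP:
        return {"status": "accepted", "protocol": value}
    return {"status": "unknown", "type": typ}


def verdict(result: Dict[str, object]) -> str:
    """Turn a parsed response into the one line an administrator needs."""
    status, code = result["status"], result.get("code")
    if status == "unreachable":
        return "RDP not reachable from here"
    if code == "HYBRID_REQUIRED_BY_SERVER":
        return "RDP reachable; NLA enforced (still restrict it to a VPN or allow-list)"
    if code == "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER":
        return "RDP reachable; client certificate authentication required before logon"
    if status in ("accepted", "negotiation-failure"):
        return "RDP reachable WITHOUT NLA: exposed to password guessing and pre-auth exploits"
    return f"port open but reply not recognised as RDP ({status})"


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> Dict[str, object]:
    """Ask for Standard RDP Security only; a server that enforces NLA refuses with
    HYBRID_REQUIRED_BY_SERVER instead of letting us reach the logon screen."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(PROTOCOL_RDP))
            data = sock.recv(64)
    except OSError as exc:  # includes connection refused and socket.timeout
        return {"status": "unreachable", "error": str(exc)}
    return parse_response(data)


def make_confirm(neg_type: int, value: int) -> bytes:
    """Constructed Connection Confirm carrying RDP_NEG_RSP or RDP_NEG_FAILURE."""
    body = bytes([0x0E, 0xD0, 0, 0, 0x12, 0x34, 0]) + struct.pack("<BBHI", neg_type, 0, 8, value)
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


def fake_rdp_server(reply: bytes) -> int:
    """Constructed stand-in for a real server so the probe can run offline: listens
    on a loopback port, accepts one connection, reads the request and sends `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # A host that enforces NLA refuses plain RDP with HYBRID_REQUIRED_BY_SERVER.
    port = fake_rdp_server(make_confirm(TYPE_RDP_NEG_FAILURE, 5))
    print("nla-host  :", verdict(probe_rdp("127.0.0.1", port)))
    # A legacy host that happily accepts Standard RDP Security.
    port = fake_rdp_server(make_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_RDP))
    print("weak-host :", verdict(probe_rdp("127.0.0.1", port)))
```

Whatever the verdict, the first finding is whether the probe connects at all from the internet: if it does, the service is reachable by the same automated scanners that seed attacks like the one described above, and NLA only narrows the exposure. Put RDP behind a VPN or a source allow-list, enforce NLA and strong passwords on every account allowed to use it, and keep the probe in a scheduled job so a change to the firewall shows up as a changed verdict.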

I hope that this doesn’t happen to your school and there’s no reason to think schools are particularly being targeted (who would think schools have money?!). It’s best to be prepared though, so I also hope this account of our experience will help others. I’d be interested to hear from other schools who have had similar experiences.

    Action Fraud can be contacted on 0300 123 2040 or via their website www.actionfraud.police.uk which also has a wealth of up to date information on Fraud and cybercrime.