Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

NCSC Warns of Surge in Ransomware Attacks Against Schools

Agency Notes Attacks Have Spiked Since February
NCSC Warns of Surge in Ransomware Attacks Against Schools

Ransomware actors continue to target schools and universities across the U.K., and attacks have surged since February, a new report by the U.K's National Cyber Security Center warns. The agency has also released a free tool to help schools detect any compromise.

See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation

The report notes the threat actors are continuing to target organizations in the education sector by exploiting vulnerabilities in virtual private networks, unpatched software and devices and by using phishing emails.

It is unclear how many cases have been reported so far, but the agency notes a surge in attacks was first noticed in August 2020 and again in February this year. "As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK," the report notes.

In most cases observed by the NCSC, the attacks have led to loss of student coursework and school financial records, as well as data relating to COVID-19 testing.

Common Attack Vectors

According to the NCSC, the most commonly used attack vectors by ransomware actors targeting the UK education sector are:

  • RDP: Remote desktop protocol attacks are the most commonly exploited remote access tools used by ransomware hackers. The report says hackers use insecure RDP configurations collected through phishing attacks, data breaches or credential harvesting to gain initial access to the victim's environment.
  • VPN: Since the shift in the learning environment when the COVID-19 pandemic began, threat actors have been exploiting vulnerabilities present in VPNs to take over the remote access. These attacks have risen significantly since 2019, and multiple vulnerabilities have been disclosed in several VPN appliances, including Citrix, Fortinet, Pulse Secure and Palo Alto, the report adds.
  • Unpatched devices: Attackers are targeting unpatched software and hardware devices to gain access to the victim's network. One example of this is the vulnerabilities in Microsoft Exchange Server that are known to have been used by advanced persistent threat groups.

After exploiting these attack vectors, the threat actors then achieve persistence through lateral movement, using additional tools such as Mimikatz, PsExec and Cobalt Strike, the report notes. Among recent trends, attackers have also been disrupting backup and auditing devices to make the recovery more difficult, encrypting entire virtual servers and deploying PowerShell to install the ransomware, the NCSC notes.

Mitigation Tools

The NCSC has released tools and advice designed to help organizations prevent ransomware attacks. These include:

  • The NCSC guidance on mitigating ransomware attacks, which describes measures to prevent attacks and detect and remove the malware.
  • A tool called Early Warning Service that has been designed to help organizations facing cyberattacks on their network. The platform provides services such as incident notification, vulnerability and open port alerts, among others.
  • The agency's Web Check, a free tool that provides website configuration and vulnerability scanning services.

Dr. Claudia Natanson, the chair of the newly established Cyber Security Council in the U.K. notes the main focus of the council has been to strengthen education and academia to fight various cybercrimes and to produce a skilled cybersecurity workforce in the future (see: UK Cyber Security Council to Tackle Education, Standards).

Surge in Ransomware

Ransomware attacks have surged in recent months. Last week, Fujifilm shut down part of its network after it was compromised in a suspected REvil ransomware attack (see: Network Intrusion, Suspected Ransomware Attack at Fujifilm) – but it is now back up and running without paying a ransom, by using backups.

Earlier this month, the world's largest meat supplier, JBS, revealed that a ransomware incident it detected on Sunday led it to shut down its servers in North America and Australia. Later, the FBI attributed the attack to the REvil gang, aka Sodinokibi (see: FBI Attributes JBS Attack to REvil Ransomware Operation).

On May 7, U.S. fuel supplier Colonial Pipeline Co. shut down its 5,500-mile pipeline, which runs north from Texas up the East Coast of the U.S., after DarkSide ransomware targeted its systems. The shutdown, which lasted for six days, caused fuel shortages. Colonial Pipeline paid a ransom of $4.4 million to receive the decryption tool.

On Monday, the U.S. Justice Department reported it had recovered $2.3 million of the $4.4 million ransom paid by Colonial Pipeline Co. (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).

The U.S. Justice Department's Ransomware and Digital Extortion Task Force, which was launched in April to disrupt ransomware-wielding crime syndicates, was involved in the recovery effort.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.