The UK’s National Cyber Security Centre (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data.
Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a devastating impact on the education sector and can take a significant amount of recovery time, even when the ransoms are paid. These attacks also attract a lot of media attention and can cause reputational damage.
While there are many ways that the education sector is attacked, it is common for the attackers to gain initial access to networks by targeting unpatched vulnerabilities in Virtual Private Networks (VPNs), Remote Desktop Protocol (RDP) endpoints, and Microsoft Exchange servers. It is also common for phishing emails to be used to steal credentials and for brute force tactics to be used to guess weak passwords. Credential theft is a major risk for any educational institution that has failed to implement multi-factor authentication.
Once access to networks is gained, the threat actors use a range of legitimate tools to move laterally within networks and elevate privileges. Many of the tools used are also used by educational institutions, which makes it easier for the attackers to avoid detection. Tools such as PsExec, Cobalt Strike, and Mimikatz are commonly used, along with PowerShell to deliver additional tools and malware.
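Because the tools named above are also used legitimately, detection usually rests on how they show up in host logs rather than on their presence alone. The following is an added example, not code from the NCSC alert: it scans a few constructed Windows event records (service installs and process creations, in a simplified pipe-delimited form assumed here) for the PsExec service name and for PowerShell launched with encoded or hidden-window flags.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not from the NCSC alert). Each line is
# "EventID|Computer|Key=Value|Key=Value" to keep the example offline.
SAMPLE_EVENTS = [
    "7045|FS01|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "7045|FS01|ServiceName=Spooler|ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "4688|WS12|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "4688|WS12|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
]

# Service name PsExec registers on the remote host (System event 7045).
PSEXEC_SERVICE = re.compile(r"^PSEXESVC", re.IGNORECASE)
# PowerShell invoked with a base64 payload or a hidden window (Security 4688).
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class Finding:
    computer: str
    rule: str
    detail: str


def parse_event(line):
    """Split one constructed record into (event_id, computer, fields)."""
    event_id, computer, *fields = line.split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return int(event_id), computer, kv


def detect(lines):
    """Return a Finding for each record matching one of the rules above."""
    findings = []
    for line in lines:
        event_id, computer, kv = parse_event(line)
        if event_id == 7045:
            name = kv.get("ServiceName", "")
            if PSEXEC_SERVICE.match(name):
                findings.append(Finding(computer, "psexec_service_install", name))
        elif event_id == 4688:
            proc = kv.get("NewProcessName", "").lower()
            cmd = kv.get("CommandLine", "")
            if proc.endswith("powershell.exe") and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
                findings.append(Finding(computer, "suspicious_powershell", cmd))
    return findings
```

Benign baselines such as the Spooler install and the scheduled backup script produce no finding, which is the point: the rules key on the invocation pattern, not the tool name alone.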
NCSC said attacks have been observed where the ransomware gangs targeted backup and auditing devices to make it harder for victims to recover without paying the ransom, and in several cases the ransomware gangs have encrypted entire virtual servers.
NCSC has offered guidance to the education sector on improving their defenses against ransomware attacks by adopting a defense-in-depth approach to protection, including anti-virus software, anti-spam software and other mechanisms to prevent phishing attacks, disabling macros and constraining scripting environments, ensuring software is updated and patches are applied promptly, and securing RDP services and email accounts using multi-factor authentication.
It is essential for plans to be developed and tested to ensure a fast response to a ransomware attack is possible, and to make sure backups are regularly created and tested and are stored offline.
Further information on the threat and mitigations can be found in the NCSC alert published on June 4, 2021.