Ransomware surge emphasises cyberthreats faced by UK education sector

The National Cyber Security Centre (NCSC) has warned of a recent increase in ransomware attacks targeting schools, colleges and universities in the UK as the cyberthreats posed to the education sector continue to be laid bare. The alert follows previous NCSC notices of surges in ransomware attacks on UK education during August/September 2020 and February 2021.

In a posting on its website, the NCSC stated that it is investigating another increase in ransomware attacks against schools, colleges and universities in May and early June. Attack vectors highlighted include the targeting of networks through phishing emails, VPNs and Remote Desktop Protocol (RDP) endpoints, weak passwords or lack of multifactor authentication (MFA), and exploitation of unpatched bugs or systems like Microsoft Exchange Server. What’s more, attackers are increasingly using tools such as Mimikatz, PsExec, and Cobalt Strike to enable lateral movement and privilege escalation once they’ve infected a network, the NCSC added.

Cyberthreats faced by the UK education sector

The threats posed by ransomware and other cyberattacks to organisations of all types are stark, but they take on specific significance for those in the UK education industry. “Schools, colleges, and universities tend to have comparatively low cybersecurity budgets, a broad range of open technology needs, quite a bit of remote access and users that range from wannabe hackers to people who tape their passwords to the back of their smartphones,” cybersecurity advisor, thought leader, and author Raef Meeuwisse tells CSO. “These factors also make it harder for the security functions inside such institutes to implement effective countermeasures against ransomware and other forms of cyberattack.”

In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing, the NCSC wrote in its blog.

Dr. Jason R.C. Nurse, assistant professor in cybersecurity at the University of Kent, adds: “As educators possess sensitive data on students, teachers, and exams, and often run some time-critical services (May and June are exam periods in many universities), they may be seen as particularly attractive targets. The reality is that ransomware attacks on the education sector have been conducted for some time, but there’s clearly been a recent surge.”

Kevin Curran, professor of cybersecurity, Ulster University and senior member, Institute of Electrical and Electronics Engineers, adds that phishing remains the key method by which ransomware attacks on the education sector are carried out. “Many phishing techniques are designed to be effective, as many individual’s environments have changed and they are more susceptible to attacks. These attacks use tailored techniques, dynamic websites and regularly updated methods to remain undetected to those mostly untrained and working from home. The result is a series of attacks that have an alarmingly high success rate, yet a relatively low detection rate.”

Defence-in-depth ransomware protection

The latest ransomware activity emphasises the need for organisations in the education sector to protect their networks to better prevent and defend against attacks, the NCSC said. In updated guidance, it urged those responsible for IT and data protection within education establishments to adopt a “defence in depth” approach, focusing on factors including effective vulnerability management and patching procedures, secure RDP services using MFA, effective antivirus, up-to-date and tested offline backups, and practiced attack response exercises.

“It’s great to see the guidance from the NCSC as it covers all of the key actions that organisations must take to better prevent against, and respond to, such incidents,” adds Nurse. “It really comes down to having strong preventative measures to protect against attacks but also appropriate measures to be able to recover as quickly as possible. The NIST Cybersecurity Framework lifecycle is a good starting point to address threats, encompassing identify, protect, detect, respond, and recover.”

Concludes Meeuwisse, user education about security can also be a very effective and low-cost defensive tool—if the messages are clear and concise. “The more you can get people to ensure they operate securely (for example, by keeping copies of the data they consider critical for their own roles)—the less risk the overall environment will have.”