The NCSC is responding to further ransomware attacks on the education sector by cyber criminals. They have previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.
As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK.
This recent campaign emphasises again the need for organisations in the sector to protect their networks to prevent ransomware attacks.
The NCSC urges all organisations to follow our guidance on ‘Mitigating malware and ransomware.’
This advice was updated in March 2021 and details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.
The NCSC is also encouraging organisations in the sector to sign up to our Early Warning service. This free NCSC service uses a range of information feeds to notify organisations of malicious activity on submitted domains and IPs. More information, including how to sign up, is on the NCSC website at ncsc.gov.uk/earlywarning
Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.
Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a crypto currency.
More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.
Common ransomware infection vectors
Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. However, in recent incidents, the NCSC has observed the following trends:
Remote access Attackers frequently target organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). They regularly exploit:
lack of multi-factor authentication (MFA),
unpatched vulnerabilities in software.
Remote Desktop Protocol (RDP) remains the most common attack vector used by threat actors to gain access to networks. RDP is one of the main protocols used for remote desktop sessions, enabling employees to access their office desktop computers or servers from another device over the internet. Insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices.
Often the attacker has previous knowledge of user credentials, through phishing attacks, from data breaches or credential harvesting. User credentials have also been discovered through brute force attacks because of ineffective password policies. Compromised credentials and remote access are frequently sold by cyber criminals on criminal marketplaces and forums on the dark web.
VPN vulnerabilities: Since 2019, multiple vulnerabilities have been disclosed in a number of VPN appliances (for example Citrix, Fortinet, Pulse Secure and Palo Alto). Ransomware actors exploit these vulnerabilities to gain initial access to targeted networks. The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in remote access systems.
Phishing Phishing emails are frequently used by actors to deploy ransomware. These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.
Other vulnerable software or hardware Unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. For example, on 11 March 2021 Microsoft reported that cyber criminals have exploited vulnerabilities in Microsoft Exchange Servers to install ransomware on a network.
Lateral movement and privilege escalation
Having acquired initial access to a network, an attacker will typically seek to navigate around the network, increase their privileges and identify high-value systems, often using additional tooling (such as Mimikatz, PsExec, and Cobalt Strike) to assist with this. They may also attempt to conceal their actions so that any subsequent investigation will be more difficult.
Recently we have also observed attackers seeking to:
sabotage backup or auditing devices to make recovery more difficult,
encrypt entire virtual servers,
use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.
The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.
Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised. Further details can be found in the NCSC’s recently updated guidance on ‘Mitigating Malware and Ransomware’.
1. Disrupting ransomware attack vectors
Effective vulnerability management and patching procedures (See Vulnerability Management).
Secure RDP services using Multi Factor Authentication.
Install and enable Antivirus software.
Implement mechanisms to prevent Phishing attacks.
Disable or constrain scripting environments and macros.
2. Enable effective recovery
Having up-to-date and tested offline backups. Offline backups are the most effective way to recover from a ransomware attack (see the NCSC’s Offline backups in an online world blog post).
Exercise your response to ransomware and other cyber attacks (see the NCSC’s Exercise in a Box).
3. Practical resources to help schools
The NCSC has produced a number of practical resources to help schools and other educational institutions improve their cyber security:
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).