The incident
Three weeks into the new term in September 2024, users reported problems accessing network resources and the internet. On checking the physical servers across the Trust, Senior Technicians identified the cause as ransomware. The Trust’s broadband supplier later identified a large spike in bandwidth over the preceding weekend.
The impact
The ransomware encrypted everything on-premises, including the file servers and all network attached backup storage. Around 2 million files and 2 terabytes of data were exfiltrated, which included personal data such as names, addresses, national insurance numbers and possible bank details.
Everything connected to the system was treated as infected or compromised, including the catering and CCTV systems. The Trust incurred significant daily costs feeding children who were unable to pay because the cashless payment systems were inaccessible.
The quality of learning was affected, particularly for the 1,500 Key Stage 4 students working towards exams, who lost access to key resources. Some data was lost in the attack, including coursework and assignments.
Upon investigation, it was established that it was very likely that compromised personal data had been exported.
Actions taken
The Trust immediately followed their data and business recovery plans. This included a one-page cyber response plan template outlining a 10-point process.
The Trust contacted the RPA, Information Commissioner’s Office, Report Fraud and NCSC. Their existing membership with RPA allowed them direct access to a team of specialists who helped with the response and recovery.
Health and safety checks were carried out to ensure key systems were functioning, such as fire alarms and exit access.
The Trust assumed that all passwords were compromised. Staff were regularly reminded to be hyper-vigilant for unusual bank account activity, phone calls and emails. Password resets were enforced on all AD and Google Workspace accounts. The network and domain were rebuilt because of the damage to the AD infrastructure and the compromised VLANs. Students and staff were also advised to change, and not reuse, their passwords both at school and at home.
All end-user devices running Windows were wiped and set up from a clean image to ensure no hidden malware remained on them.
Dongles and hardware were purchased so that teaching staff could access the internet and resources while the internal infrastructure was down.
Handling communications
Legal advice was sought early in the process. The appointed law firm worked with the Trust’s Senior Leadership Team to draft all communications, which were then reviewed and approved prior to release.
Fortunately, Gmail remained accessible through mobile devices, allowing regular communication with parents throughout the incident.
The CEO and IT Lead notified headteachers, who then informed staff, parents and carers of the recovery steps and managed expectations by avoiding fixed dates. A recovery tracker was also implemented to keep each of their schools up to date on the progress of eradicating the incident.
Towards the end of the investigation into the incident, the Trust published an update on their website confirming that the personal data had been leaked on the dark web.
Alongside transparency on the impact of the attack, the update offered guidance on implementing cyber security measures to help prevent similar incidents in the future.
Post-incident recovery and resilience
The Trust had moved on from reacting to the incident to rebuilding by the October half-term, with a full resolution by Christmas time.
They have since enhanced their login security, implementing Google 2-factor authentication and revising their password policy. School-level firewalls have been implemented to better control and restrict network traffic between VLANs and sites.
The perception of security precautions shifted following the incident; they are now recognised as critical measures to have in place.
Effective incident management was possible not just through the cyber response team available via the RPA, but through the professionalism of the school staff who maintained daily operations despite limited resources.
Pete’s advice for others
1. Implement robust cyber security measures
“The forensic report and subsequent reflections of the incident have highlighted some pre-existing and clear areas of weakness. Based on the reported attack vectors, it is likely that this attack could have been prevented and most definitely would have had less of an impact had certain security measures been in place at the time.”
2. Have a response plan and backups in place
“You must have a plan - which includes access to a cyber incident response team as soon as possible. Ensure backups are immutable or air-gapped and tested.”
3. Secure your firewall
“Ensure firewall ports are closed unless there is a strong and clear case for them to be open. Any open ports should have specific endpoints, MAC address(es), IP(s) and/or user accounts.
Ensure you have activated monitoring and reporting of firewall activities, specifically suspicious and malicious activity including activity which is blocked or prevented. This information could be key to highlighting a potential attack.”
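As an added illustration of the monitoring point above, not taken from the Trust or the original case study, the script below reads constructed firewall log lines in an invented format and flags two of the signals the case study mentions: bursts of blocked connections from one source, and days whose allowed outbound volume is far above the usual baseline, the kind of bandwidth spike the broadband supplier only noticed after the fact.

```python
"""Flag blocked-connection bursts and outbound volume spikes in firewall logs.
Constructed example: the log format is invented for illustration and is not
the Trust's firewall format. Lines: <date> <time> <ACTION> <src> <dst>:<port> <bytes>
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: three quiet weekdays, a burst of denied probes from one
# internal host, then a weekend with very large allowed outbound transfers.
SAMPLE_LOG = """\
2024-09-04 11:40:12 ALLOW 10.10.5.12 203.0.113.9:443 80000
2024-09-05 09:12:01 ALLOW 10.10.5.21 203.0.113.9:443 120000
2024-09-05 09:13:44 DENY 10.10.5.21 203.0.113.9:3389 0
2024-09-06 10:02:10 ALLOW 10.10.5.30 198.51.100.4:443 95000
2024-09-07 02:10:00 DENY 10.10.7.77 192.0.2.15:445 0
2024-09-07 02:10:01 DENY 10.10.7.77 192.0.2.15:3389 0
2024-09-07 02:10:02 DENY 10.10.7.77 192.0.2.15:22 0
2024-09-07 02:10:03 DENY 10.10.7.77 192.0.2.15:135 0
2024-09-07 03:00:00 ALLOW 10.10.7.77 192.0.2.15:443 900000000
2024-09-08 03:00:00 ALLOW 10.10.7.77 192.0.2.15:443 1100000000
"""

def parse(log_text):
    """Turn raw lines into dicts, skipping anything that does not fit the format."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        day, _time, action, src, dst, nbytes = parts
        events.append({"day": day, "action": action, "src": src,
                       "dst": dst, "bytes": int(nbytes)})
    return events

def blocked_bursts(events, threshold=3):
    """Sources with at least `threshold` denied connections. Blocked traffic is
    still a signal worth reporting, which is the point of the advice above."""
    denies = Counter(e["src"] for e in events if e["action"] == "DENY")
    return {src: n for src, n in denies.items() if n >= threshold}

def volume_spikes(events, factor=10):
    """Days whose allowed outbound bytes exceed `factor` times the median day."""
    per_day = defaultdict(int)
    for e in events:
        if e["action"] == "ALLOW":
            per_day[e["day"]] += e["bytes"]
    baseline = median(per_day.values())
    return sorted(d for d, b in per_day.items() if b > factor * baseline)
```

Run against a real export, both functions are meant to feed a daily report rather than replace the firewall's own alerting.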