In a live incident?
If you are currently experiencing a ransomware incident, start following your cyber response plan immediately.
Contact your IT provider for support or reach out to the Risk Protection Agreement (RPA) if you are a member.
If you can’t access your cyber response plan, or you don’t have one, follow these instructions. However, you should adjust them so they best fit your school.
Immediate actions
Start following your cyber response plan.
Notify your SLT digital lead, incident lead, service provider, and safeguarding lead (if applicable).
Contact your IT team or IT service provider, the Risk Protection Agreement (RPA) if you are a member, or your insurance provider (who may assist depending on your agreement).
Disconnect affected devices from the network. Remove the ethernet cable, turn off Wi-Fi (and disconnect the router). Disable any backup internet connectivity.
If you cannot disable network or internet connections, disable network shares and shared drives.
Do not turn off the power to a machine unless it is specified in your cyber response process and you have been told to by your SLT incident lead.
For cloud-based systems, temporarily restrict access or disable cloud connectivity, including any cloud-connected systems (such as cloud-based backups). If this is not possible, turn the device’s power off.
Block unknown malicious IP addresses, domains and website URLs at your network’s firewall.
Take pictures of any ransom demands (using another device). The Department for Education and UK law enforcement do not support paying ransom demands.
Report to your relevant authority, local police (if you suspect a financial or safeguarding impact), and the ICO if personal data has been breached.
Don’t communicate using a system that might be compromised (for example, use mobile phones that aren’t connected to internal Wi-Fi). Limit visibility of communication channels.