Ransomware Strikes Again: Educating and Defending Against Attacks



At the end of March, The National Cyber Security Centre (NCSC), issued a cyber alert to all U.K. educational institutions, for the second time in less than nine months. With cyber-attacks on the rise towards the end of 2020, schools, colleges and universities have specifically been targeted and have been on the receiving end to a series of sophisticated ransomware attacks.  

Latest Victim 

The Harris Federation, who operate 50 primary and secondary schools across London and Essex are the latest victim. First discovering the attack on the 27th of March. The federation released a statement the following week stating that every one of its schoolsthat provide education to of over 37,000 pupils, had been impacted. Although the schools remained open, the school’s management took the step to suspend the email and telephone systems, as well as school devices pupils had in their possession as a precautionary measure. The school stated they were currently working with both the NCSC and the police to uncover the full extent of the attack. Recent attacks on similar institutions have resulted in the loss of student coursework as well as school financial records being compromised. 

 

What is Ransomware? 

Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin. The usual method used by hackers is to encrypt the data and password protect it so that the owner no longer has access. Hackers can also steal the data, delete it or make the computer itself inaccessible. A ransom note (hence ransomware) would subsequently be sent, asking for paymentvia crypto currency, for the data to be accessed or retrieved.  

 

Current Trends 

Recently, a more worrying trend has emerged with criminals threatening to release compromised data if ransom demands are not met. recent case in Nevada, in the U.S. saw thousands of students and school employees addresses, social security numbers and other personal data leaked online. It was not confirmed by the effected school district – Clark County – whether the ransom had been paid.  

 

The nature of such attacks has changed in recent years with criminal gangs becoming much more organised and the attacks themselves more targeted. This change in tactics has meant that large organisations and public bodies are more at risk than ever. Whereas previously, hackers were more likely to just encrypt datarecent trends have shown an increase in the likelihood of data also being downloaded, with the intention being the publication of the information on the dark web, if ransom demands are not met. Further to this, hackers are going so far as to seek out specific  types of data that would cause embarrassment to those involved. One such attack in December 2020 saw a Ransomware gang known as REvil threaten to publish pre and post-surgery pictures of a number of high-profile clients of The Hospital Group – a leading, U.K. wide, cosmetic surgery chain.  

 

Not only are these attacks incredibly disruptive and financially damaging to the companies and institutions involved but they can also be hugely detrimental to an organisation’s reputation and its credibility amongst customers, employees and the wider public. As such, it is vital that leaders comprehend the importance of having both the correct defences in place to help prevent a hack of this kind as well as the relevant protocols in place to help aid a quick and effective recovery. Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. But if you do pay the ransom: 


  • There is no guarantee that you will get access to your data or computer 

  • Your computer will still be infected 

  • You will be paying criminal groups or/and terrorism 

  • You're more likely to be targeted in the future 

 

Prior-Defence Against Ransomware Attacks 

In operating an effective defence against such attacks, having full security coverage is key. Hackers will adjust their methods to target whatever vulnerabilities are present when looking to gain access such as, unpatched devices and as such all-egress points should be safeguarded as best as possible.  

 

Systems and services which allow us to access school/work systems from outside of the learning/working environment have clearly taken off in a huge and unprecedented way over the last year, due to COVID-19. The speed at which organisations have had to push out such systems has been a gift to those who wish to exploit our new way of working as we prioritise on fast functionality over safety, which could be at our peril.  

 

Remote Desktop Protocol (RDP) has proven to be the most frequent method of entry used by hackers to deploy their ransomware. This is a type of software enables the full control of a local computer from a remote location. Virtual Private Networks (VPN) have also proved a popular access point for hackers but rather than offering access to a particular computer, they instead provide access to a shared network of resources/files via a smaller private network connection. If you’re working from home, then it’s highly likely you’re using at least one of these technologies to access your work resources. 

 

The key to protecting both comes in the form of a robust password policy that governs users to use strong, complex passwords alongside use of a password management solution. Furthermore, your password policy should dictate that access to systems and data is limited to only those who need it and should also enforce the use of Multi-Factor Authentication (MFA) as a minimum for all users – the requirement to confirm your identity via multiple different methods before being given access to sensitive systems/data. MFA is now a basic requirement and vital to your organisation’s security. Whilst strong passwords do help especially when it comes to methods defending against incidents such as brute force attacks, in which hackers systematically guess credentials until entry is gained. Hackers will often already have knowledge of the usernames and passwords needed.  

 

Another crucial way of protecting against unauthorised entry is to ensure all security patches have been deployed and that software is kept up to date. Unpatched software has recently come under the spotlight as a point of entry into networks. A previous Marclay blogpost detailed the recent Microsoft Exchange server hack in which hackers exploited previously unknown vulnerabilities in the software to target an unprecedented number of organisations including several educational institutions across the U.K. Having a vulnerability management system to identify, prioritise and remediate software vulnerabilities combined with an efficient patching procedure, is an effective way to mitigate the risk of this type of attack.  

 

However, Phishing will remain one of the most popular methods of attack. Over the past year itself we have seen an exponential increase in phishing campaigns, which are becoming ever more sophisticatedPhishingthe fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers, or other sensitive details by impersonating as a trustworthy entity in a digital communication can also be used to deploy ransomware via the inclusion of a malicious file or link. Outside of the installation of antivirus software, prevention here very much relies on having informed users. Anyone accessing your organisations systems or data should be trained in spotting and reporting suspicious communications. If it feels too good to be true, it usually is. Here are some handy tips when trying to catch Phishing attempts: 

 

  • Look out for errors in spelling and grammar  

  • Hover over the sender’s email to determine the full address 

  • Don’t give out personal information (e.g., don’t input credentials via any webpage from an email) 

  • And if you do happen to click on the link don’t be worried to report it to your IT team 

 

Recovering from Ransomware Attacks 

The best offence in these situations is a good defence. Prior preparation for ransomware attacks and any attack for that matter, will significantly lower the overall damage caused to the business and consequently lower the overall cost of the incident (i.e., reputation and monetary). A regularly exercised incidence response strategy for this and various other kinds of attacks, will greatly help in preparing you to respond correctly.  

 

To fully recover from a ransomware incident, regular backups of your systems and data is essential. Without such a capability, organisations can find themselves at the mercy of cyber criminals with little choice other than to comply with their demands.  

 

Although hackers are usually ruthless in their pursuit of their targetsorganisations should not be passive victims. The business and technology innovations that organisations are adopting in their quest for growth, innovation, and cost optimisation are in turn creating increased levels of cyber risk. These innovations have likely introduced new vulnerabilities and complexities into an already crowded digital business environment. For example, the continued adoption of cloud, app and social media tools, has likely increased opportunities for hackers. Similarly, the eruptions of outsourcing, offshoring, and third-party contracting driven by a cost reduction objective may have further weakened institutional control over systems and access points. These trends have resulted in the development of an increasingly boundaryless network within which companies operate, and thus a much broader “attack surface” for hackers to exploit.  

 

What does the future hold? 

The future of cybersecurity is difficult to foresee, as the market is continuously changing in response to hackers’ shifting activities and the new attacks they are creating. New technologies, like Artificial Intelligence (AI), pose cybersecurity threats as future vulnerabilities are poorly understood at release time. This means that AI systems are sure to become a major target for hackers, with more organisations relying on machine learning for mission-critical operations. In addition, potential tools and staff for cybersecurity will be forced to build techniques to detect and combat AI corruption attacks.  

 

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cyber security. If you’d like to know more about how your business can benefit from our secure managed servicescall us today.