Sir John Colfox Academy is a secondary school in Bridport,
Dorset in the UK. The school has 828 students, aged between 11 and 18.
Attack
On an ordinary working day, a staff member received an email, one of the
hundreds that arrive every week. This one claimed to come from a colleague at
another Dorset school. Seeing no reason to suspect it, the staff member opened
the email and clicked on its content on February 28, 2019. Although the message
looked innocent, it appears to have been sent from China and relayed through a
server in Germany; the colleague's identity was only the lure.
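The page reports that the email claimed a colleague as sender but had actually travelled from abroad through an unrelated relay. As an added example (not code from the original post, the school, or the police investigation), the script below shows how a mail administrator can check a message's claimed sender against its Received chain during triage. The two messages, the hostnames and the IP addresses are constructed for illustration, using documentation address ranges; they are not the real headers from this incident.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not the real headers from the incident).  The From line
# claims a colleague at another school; the Received chain shows the message
# entering from an unrelated hosting relay, which in turn received it from an
# unknown host.  All names and IPs are invented (documentation ranges).
SUSPECT_MESSAGE = """\
Received: from relay.example-hosting.de (relay.example-hosting.de [203.0.113.25])
        by mail.example-academy.sch.uk with ESMTP; Thu, 28 Feb 2019 09:12:44 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
        by relay.example-hosting.de with SMTP; Thu, 28 Feb 2019 09:11:58 +0000
From: "J. Smith (Example School)" <j.smith@example-school.sch.uk>
Reply-To: jsmith.docs@example-mail.net
To: staff@example-academy.sch.uk
Subject: Year 11 coursework moderation - please review

Please open the attached document and enable editing.
"""

# Constructed control message: same claimed sender, but delivered directly
# from that school's own mail server and with no divergent Reply-To.
LEGIT_MESSAGE = """\
Received: from mx.example-school.sch.uk (mx.example-school.sch.uk [198.51.100.10])
        by mail.example-academy.sch.uk with ESMTP; Thu, 28 Feb 2019 10:01:02 +0000
From: "J. Smith (Example School)" <j.smith@example-school.sch.uk>
To: staff@example-academy.sch.uk
Subject: Moderation dates

Dates attached as discussed.
"""

# A Received header reads "from <host> (<name> [<ip>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received_chain(raw_message):
    """Return the Received hops in transit order (originating hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue                             # skip hops we cannot parse
        ip = IPV4_RE.search(m.group("comment") or "") or IPV4_RE.search(m.group("host"))
        hops.append({"from_host": m.group("host").strip("[]"),
                     "from_ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    # Each relay prepends its own line, so the top header is the last hop.
    return list(reversed(hops))


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _host_in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def assess_sender(raw_message):
    """Compare what the message claims (From / Reply-To) with where it actually
    came from (the Received chain).  Returns a dict with the findings."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    hops = parse_received_chain(raw_message)
    findings = []
    if not hops:
        findings.append("no parseable Received headers; delivery path unknown")
    else:
        last = hops[-1]   # the server that handed the mail to us
        if from_domain and not _host_in_domain(last["from_host"], from_domain):
            findings.append(
                f"From claims {from_domain} but the mail was delivered by "
                f"{last['from_host']} ({last['from_ip']})")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_domain}, not {from_domain}")
    return {
        "from_domain": from_domain,
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "hop_count": len(hops),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("control", LEGIT_MESSAGE)):
        result = assess_sender(raw)
        print(label, result["origin_ip"], result["findings"] or ["no findings"])
```

Only the Received line written by your own mail server can be trusted; every earlier hop is text the sender controls and may have forged, so the originating IP this reports is a lead for the investigator, not proof. Production mail filtering should rely on SPF, DKIM and DMARC results rather than this heuristic, but the mismatch between a claimed school domain and an unrelated delivering relay is exactly the kind of signal a trained staff member or helpdesk can check before clicking.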
That click let the malware in. It was reported as ransomware and behaved as
ransomware does: it immediately began encrypting files on the network. The
attackers then followed the rest of the playbook and demanded payment in
exchange for the decryption key.
The school consulted a police cybercrime expert. The subsequent review found
that the attack probably did not exfiltrate any school data, and that staff,
student and parent records were not held on the system that was breached. The
investigation also indicated that the attack may have been part of a much
larger international operation.
Data
In this case, Year 11 students had submitted their coursework, which was
stored on the school's network. The coursework for one subject was lost in the
attack. The description is short, but the damage is significant: the students'
GCSE work for that subject was gone unless they had kept their own copies
somewhere else.
Mitigation
The school is working with the relevant exam board to resolve the loss, and
with the Dorset Police cybercrime unit on the attack itself. Although a ransom
was demanded, no payment was made. This is the generally recommended policy,
since paying funds further attacks and offers no guarantee that a working
decryption key will be supplied. The school notified parents by letter
explaining what had happened.
Discussion
Attackers compromise targets to gain access to data they can exfiltrate, or
to extort funds from the victim. In the early days ransomware may have been
more of an experiment, but attackers have since operationalized the model.
Ransomware has proven to be a popular, viable and successful attack tool, and
over the last four years it has been very profitable for those who run it.
Lessons Learned
Ransomware is now so common that cases like this have become routine. The
frequency is driven by the simplicity of the attack and the financial rewards.
An infection tends to shut down operations until either the fee is paid (not
advised) or the environment is rebuilt from backups and thoroughly reviewed to
ensure the attackers left nothing behind that they could use to re-enter later.
Staff need continued training. Knowing what the usual forms of these attacks
look like removes a large part of the opportunity: a recognised phishing email
is less likely to be clicked on, and fewer systems become infected. There also
need to be backups, kept where the ransomware cannot reach them and tested
regularly to confirm that they can actually be restored.
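The lesson above is that backups must be checked, not merely taken. As an added example (not code from the original post or the school), the script below records a SHA-256 manifest when a backup is made, verifies the backup tree against it, and performs a test restore, then simulates ransomware reaching the backup share to show what the check reports. The directory layout, file contents and the simulated tampering are constructed inside a temporary directory for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare a backup tree against the manifest taken when it was made.

    Ransomware that reaches a backup share shows up as 'modified' (ciphertext
    replacing the original bytes) and 'unexpected' (ransom notes, renamed copies)."""
    current = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            report["missing"].append(rel_path)
        elif current[rel_path] != expected:
            report["modified"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def restore_and_verify(backup_root, manifest, restore_root):
    """A backup is only viable if it restores.  Copy it out and re-check the copy
    against the manifest; True means every expected file came back intact."""
    shutil.copytree(backup_root, restore_root)
    report = verify_backup(restore_root, manifest)
    return not (report["modified"] or report["missing"])


def demo():
    """Constructed walk-through: take a backup, verify it, then simulate the
    ransomware reaching the backup share and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "coursework" / "year11"
        source.mkdir(parents=True)
        (source / "essay.docx").write_bytes(b"constructed sample coursework")
        (source / "notes.txt").write_bytes(b"constructed revision notes")

        backup = tmp / "backup"
        shutil.copytree(tmp / "coursework", backup)
        # The manifest must live somewhere the ransomware cannot rewrite it
        # (offline media, a separate account); here it simply stays in memory.
        manifest = build_manifest(tmp / "coursework")

        before = verify_backup(backup, manifest)
        restore_before = restore_and_verify(backup, manifest, tmp / "restore1")

        # Simulate the infection spreading to the backup share: one file is
        # overwritten with random bytes (standing in for ciphertext) and a
        # ransom note appears alongside it.
        (backup / "year11" / "essay.docx").write_bytes(os.urandom(64))
        (backup / "year11" / "README_DECRYPT.txt").write_bytes(b"pay to decrypt")

        after = verify_backup(backup, manifest)
        restore_after = restore_and_verify(backup, manifest, tmp / "restore2")
        return {"before": before, "after": after,
                "restore_before": restore_before, "restore_after": restore_after}


if __name__ == "__main__":
    result = demo()
    print("clean backup:", result["before"]["ok"], "restorable:", result["restore_before"])
    print("after tampering:", result["after"]["modified"], result["after"]["unexpected"],
          "restorable:", result["restore_after"])
```

The point of the test restore is that a backup which verifies in place can still fail to come back (wrong permissions, unreadable media, an agent that silently skipped open files), so the restored copy is what gets checked. Run the verification on a schedule from an account the file server cannot write to, and keep the manifest with the offline copy rather than on the share it describes.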
Resources
Hussain, D. (2019, March 14). Secondary school is being held to ransom after a 'Chinese cyber attack' caused the loss of Year 11 students' GCSE coursework. Daily Mail. Retrieved from https://www.dailymail.co.uk/news/article-6808845/Secondary-school-held-ransom-cyber-attack-caused-loss-students-GCSE-coursework.html
Sjouwerman, S. (2019, March 14). GCSE coursework lost in ransomware attack on UK Bridport school. KnowBe4. Retrieved from https://blog.knowbe4.com/gcse-coursework-lost-in-cyber-attack-on-uk-bridport-school
Speck, D. (2019, March 15). GCSE coursework lost in ransomware attack. Tes. Retrieved from https://www.tes.com/news/gcse-coursework-lost-ransomware-attack
Wakefield, J. (2019, March 13). GCSE coursework lost in cyber attack in Bridport school. BBC News. Retrieved from https://www.bbc.com/news/uk-england-dorset-47551331