Ransomware attacks: protection and prevention

Gareth Jelley from edtech charity LGfL (The National Grid for Learning) shares his top tips on how to prevent a ransomware attack on your school, as well as what to do should one happen.

‘Cybersecurity criminals perceive schools to be an easy and potentially lucrative target, which is why Ransomware attacks within education are on the increase,’ says Sophos in its latest report The State of Ransomware in Education.

So how can you prevent, and deal with, a ransomware attack on your school? Ransomware is malicious software that encrypts files or otherwise blocks access to a computer system until a sum of money is paid.

Protecting your systems and raising awareness

The first and most important action is to defend your systems and educate staff about the growing threat from ransomware.
Check that you have a comprehensive cybersecurity policy in place. It should set out the school's guidelines and the security provisions that protect its systems, services and data, and how the school will respond to a cyberattack. You can download a free template here.
Check that cybersecurity risks are recorded in your school's Risk Register and that the register is actually used to assess, prioritise and manage them. Remember to keep your Governors informed. You can download a free template here.
Consider attaining Cyber Essentials certification, the NCSC-backed scheme. Its self-assessment option lets you check whether you have the basic controls an organisation should have in place to mitigate common cyber threats, and obtain certification if you meet all the criteria. Alternatively, use it to identify areas for improvement and build a development plan around them.
You can also subscribe to the Early Warning service from the National Cyber Security Centre (NCSC). It is designed to help organisations defend against cyberattacks by providing timely notifications about possible incidents and security issues affecting your networks, such as malware infections or vulnerable services seen from the internet.

Train and educate staff

Train and educate staff and students about the risk of ransomware and their role in preventing it.
You can run Cyber Security Training for School Staff from the National Cyber Security Centre (NCSC) designed to raise awareness and help staff manage some of the key cyber threats facing schools. It’s free.
You can also run regular simulated phishing campaigns that are linked to training to raise awareness of how to spot phishing emails.
Make sure staff are aware of what to do if they notice something suspicious on their machine, and who to report it to.

Protect your finances

Make sure there is an appropriate finance process for when a supplier requests a change to its bank details. New details should always be confirmed through a separate channel, for example a phone call to a number you already hold on file, never by replying to the email that made the request.

Ensure unexpected requests for payments, gifts or prizes are verified in person or by a phone call before any money moves.

Lessen your vulnerabilities

Ensure any new systems/software are reviewed at the procurement/purchasing stage to ensure they meet security standards.

Implement Role-Based Access Control (RBAC), where each person's level of access to the network is determined by their role within the school and staff can access only the information they need to do their job. Roles can be defined by factors such as authority, responsibility and job competency, and access to a resource can be limited to specific actions, such as viewing, creating or modifying a file. The aim is that a compromised account, or ransomware running as that account, can only reach and encrypt the data that role genuinely needs.

Install security patches (software and operating system updates that fix security vulnerabilities in a program or product) as soon as possible. This closes the hardware, operating system and application vulnerabilities that attackers exploit to get in, and internet-facing systems such as remote access gateways and firewalls should be patched first.

Install and monitor antivirus software, a program or set of programs designed to prevent, search for, detect and remove viruses and other malicious software such as worms, trojans and adware. Monitoring matters: an alert nobody reads is no protection.
Implement Multi-Factor Authentication (MFA), an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN, for all systems that support it, starting with email, remote access and administrator accounts.
Run regular backups, check that they cover all relevant data and systems so you can recover from any incident (fire, flood or ransomware), and test that a restore actually works rather than assuming it does.
Keep at least one copy of your backups offline or offsite so it cannot be reached by ransomware running on your network. Some cloud backup services can count as "offline" for this purpose, provided the copies cannot be altered or deleted with the credentials used day to day.
Undertake regular housekeeping and remove user accounts, files, software and systems that are no longer needed. Every unused account is a login an attacker can guess or phish, so this directly reduces your exposure.
Replace software and systems that no longer receive security updates from their vendors, e.g. Windows 7, Shockwave and Flash Player.
Schedule reviews of security configurations to ensure obsolete settings are removed, particularly firewall rules that were opened for a system or contractor that has since gone.
Perform vulnerability scans of internal systems to detect and classify weaknesses in computers, networks and communications equipment, and to check whether the countermeasures you have put in place are working.
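The "test that backups work" step above, and the "check backups are not infected" step in the incident section later on, both come down to the same check: can you show that the files in the offline copy are exactly the files you backed up? One way to do that is to record a SHA-256 hash of every file when the backup is taken and compare against it at restore time. This is an added example written for this page, not LGfL's or the article author's code; the file names and the "ransomware" that tampers with them are constructed for the demonstration.

```python
"""Record and verify a backup set with a hash manifest.

Added example, not from the original article. build_manifest() runs when the
backup is taken; verify_backup() runs against the offline copy during a
restore test, or before restoring after an incident, to show that nothing has
been altered, encrypted or removed since. The manifest must be stored with
the offline copy, not on the production network, or ransomware can rewrite
it along with the data.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the copy at root with a previously saved manifest.

    'modified' files have a different hash (typical of an encryptor),
    'missing' files were deleted, 'unexpected' files appeared afterwards
    (a ransom note, for instance). All three lists empty means the copy is intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take a backup, then simulate ransomware touching the copy."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "sims"))
        sample_files = {"sims/pupils.csv": b"id,name\n1,A\n", "timetable.xlsx": b"PK\x03\x04fake"}
        for rel, data in sample_files.items():
            with open(os.path.join(backup, rel), "wb") as f:
                f.write(data)

        manifest_json = json.dumps(build_manifest(backup))  # this goes offline with the media
        clean = verify_backup(backup, json.loads(manifest_json))

        # Simulate an encryptor: overwrite one file, drop a ransom note, delete another.
        with open(os.path.join(backup, "sims", "pupils.csv"), "wb") as f:
            f.write(b"\x8a\x01encrypted garbage")
        with open(os.path.join(backup, "README_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"pay us")
        os.remove(os.path.join(backup, "timetable.xlsx"))

        tampered = verify_backup(backup, json.loads(manifest_json))
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("tampered copy:", after)
```

Run the verify step on the offline copy with the network cable out: if the manifest and the data both live on the same share the ransomware had access to, a clean result proves nothing.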

What's more, you should commission penetration tests to evaluate the effectiveness of your security systems.

Email configuration

Check that your email domain is configured with SPF, DKIM and DMARC. Together these make it much harder for attackers to send email that appears to come from your school's domain, but only if DMARC is set to an enforcing policy (quarantine or reject) rather than the monitoring-only p=none that many domains are left on. The Sender Policy Framework (SPF) is a DNS record listing which servers are allowed to send mail on behalf of your domain. DomainKeys Identified Mail (DKIM) lets your mail server sign outgoing messages so that receiving mailbox providers can verify they were not altered and really came from you. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open email authentication protocol that tells receivers what to do with mail that fails SPF or DKIM checks, and sends you reports so you can see who is sending as your domain.
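The DNS records themselves are short strings, so the common misconfigurations (SPF ending in "~all", DMARC on "p=none", a DKIM selector with an empty key) are easy to check automatically. The following added example is written for this page and is not LGfL's or the article author's code. The domain name and the TXT records for it are constructed samples standing in for what a DNS lookup would return; in practice you would fetch them with `dig TXT <name>` or the dnspython library.

```python
"""Assess a domain's SPF, DMARC and DKIM TXT records for weak settings.

Added example, not from the original article. The records below are
constructed samples (assumption: this is what a TXT lookup would return).
"""
import re

# Constructed: a typical "set up but not enforcing" school domain.
WEAK_RECORDS = {
    "example-school.sch.uk": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-school.sch.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example-school.sch.uk"],
    "selector1._domainkey.example-school.sch.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

# Constructed: the same domain after hardening.
HARDENED_RECORDS = {
    "example-school.sch.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-school.sch.uk": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-school.sch.uk"],
    "selector1._domainkey.example-school.sch.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def spf_findings(txt_records):
    """Issues with the SPF record published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    issues = []
    if sum(1 for t in terms if _LOOKUP_TERM.match(t)) > 10:
        issues.append("more than 10 DNS-lookup terms: SPF evaluation fails (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        issues.append("'+all': any host on the internet may send as this domain")
    elif last == "~all":
        issues.append("'~all' (softfail): spoofed mail is marked, not rejected; move to '-all' "
                      "once DMARC reports show every legitimate sender is listed")
    elif last != "-all" and not any(t.lower().startswith("redirect=") for t in terms):
        issues.append("no terminal 'all' mechanism: unlisted hosts default to neutral")
    return issues


def dmarc_findings(txt_records):
    """Issues with the DMARC record published at _dmarc.<domain>."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM alignment"]
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid 'p' tag: receivers ignore the record")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no 'rua' address: you get no aggregate reports to find unlisted senders")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        issues.append("sp=none: subdomains stay spoofable despite the organisational policy")
    return issues


def dkim_findings(txt_records, selector):
    """Issues with the DKIM public key at <selector>._domainkey.<domain>."""
    for r in txt_records:
        m = re.search(r"(?:^|;)\s*p=([^;]*)", r)
        if m:
            return [] if m.group(1).strip() else [f"selector {selector}: empty p= tag, key is revoked"]
    return [f"selector {selector}: no DKIM key published, signatures cannot be verified"]


def assess_domain(records, domain, selectors):
    """Run all three checks; `records` maps a DNS name to its list of TXT strings."""
    return {
        "spf": spf_findings(records.get(domain, [])),
        "dmarc": dmarc_findings(records.get(f"_dmarc.{domain}", [])),
        "dkim": [f for s in selectors
                 for f in dkim_findings(records.get(f"{s}._domainkey.{domain}", []), s)],
    }


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain(recs, "example-school.sch.uk", ["selector1"]))
```

Note the order of moves: publish DMARC with p=none and an rua address first, read the reports for a few weeks to find the payroll, MIS and newsletter services that send as your domain, add them to SPF, then tighten to -all and p=reject. Going straight to reject blocks legitimate mail you did not know about.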

Limit, where possible, the locations from which accounts can be accessed. For example, use the location-based (geofencing) rules in your identity provider to block sign-ins from outside the UK, and review successful sign-ins from abroad (Russia, China, Australia, America or anywhere else) rather than only failed ones. Treat this as one layer among several: an attacker can route through a UK VPN, so MFA is still required.
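Most identity providers can export sign-in logs with the country the address resolved to, and the useful review is short: which accounts succeeded from outside the allowed region, and which accounts were used from two countries too close together to be the same person. The following added example (written for this page, not LGfL's or the article author's code) runs both checks over a constructed sign-in log. The field names are assumptions; map them to whatever your own export uses.

```python
"""Flag sign-ins from outside the allowed region, and 'impossible travel'.

Added example, not from the original article. Events are constructed samples
in the shape most identity providers export (user, result, country, IP,
UTC timestamp); the field names are assumptions.
"""
from datetime import datetime

ALLOWED_COUNTRIES = {"GB"}  # where staff and pupils are expected to sign in from

# Constructed sample sign-in log. 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    {"user": "j.smith", "result": "success", "country": "GB", "ip": "203.0.113.10", "time": "2024-03-04T08:02:11Z"},
    {"user": "j.smith", "result": "success", "country": "GB", "ip": "203.0.113.10", "time": "2024-03-04T12:40:03Z"},
    {"user": "a.patel", "result": "failure", "country": "RU", "ip": "198.51.100.7", "time": "2024-03-04T03:15:45Z"},
    {"user": "a.patel", "result": "failure", "country": "RU", "ip": "198.51.100.7", "time": "2024-03-04T03:16:02Z"},
    {"user": "a.patel", "result": "success", "country": "RU", "ip": "198.51.100.7", "time": "2024-03-04T03:16:30Z"},
    {"user": "head", "result": "success", "country": "GB", "ip": "203.0.113.44", "time": "2024-03-04T09:00:00Z"},
    {"user": "head", "result": "success", "country": "US", "ip": "192.0.2.88", "time": "2024-03-04T09:50:00Z"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def out_of_region(events, allowed=ALLOWED_COUNTRIES):
    """Successful sign-ins from a country not on the allow-list.

    Failed attempts from abroad are normal background noise (password
    spraying); a success from abroad is what needs a person to look at it.
    """
    return [
        f"{e['user']} signed in from {e['country']} ({e['ip']}) at {e['time']}"
        for e in events
        if e["result"] == "success" and e["country"] not in allowed
    ]


def impossible_travel(events, window_hours=2.0):
    """Same account, successes from two different countries within window_hours."""
    alerts = []
    last_success = {}
    for e in sorted(events, key=lambda ev: ev["time"]):  # ISO-8601 UTC sorts as text
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"]:
            gap = (parse_time(e["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            if gap < window_hours:
                alerts.append(f"{e['user']}: {prev['country']} at {prev['time']} "
                              f"then {e['country']} at {e['time']} ({gap:.1f} h apart)")
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for line in out_of_region(SAMPLE_EVENTS) + impossible_travel(SAMPLE_EVENTS):
        print("ALERT", line)
```

In the sample, the failed attempts against a.patel from Russia are noise until the third attempt succeeds, which is the line that matters; the head's London sign-in followed fifty minutes later by one from the US is the classic sign of a session token or password in someone else's hands.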

Be prepared for an attack

Assume that at some point you will be affected and plan accordingly. This includes implementing a specific Incident Response Plan for ransomware – including communication plans. You can download a free template here.
Run tabletop (desktop) exercises of the Incident Response Plan to highlight gaps and needed updates. The NCSC has ready-made exercises here.
Consider the DfE Risk Protection Arrangement (RPA) for schools as an alternative to commercial insurance, which includes cyber cover and may save time and money.

What to do after or during an attack

If you are attacked, take the following steps, in this order where you can.
Disconnect infected computers, laptops and tablets from all network connections (unplug the cable and turn off Wi-Fi, but do not power them off yet), and consider whether you need to disconnect networking equipment or the school's internet connection to stop it spreading.
Report it. If you have been asked for a ransom, or are a victim of cybercrime, contact Action Fraud, the UK's national reporting centre for fraud and cybercrime and the central point of contact for information about fraud and financially motivated internet crime.
Review your cybersecurity insurance policy to see how it can support you; insurers and the RPA often provide an incident response firm, and may require you to involve them before you rebuild anything.
Where you can, keep one infected device or a copy of its disk and logs for investigation before wiping, so you can find out how the attacker got in. Then wipe infected devices, reinstall their operating system and applications, and install, update and run antivirus software.
Check that backups are not infected or encrypted, then restore them. Reset credentials, including passwords and Multi-Factor Authentication (MFA) registrations, before anything is reconnected, since the attacker may still hold valid logins.
Reconnect to the network in stages and monitor systems closely, then review your Incident Response Plan to ensure lessons are learnt.

Assume that at some point you will be affected again, and plan accordingly. If personal data has been lost, stolen or made unavailable, you must inform the Information Commissioner's Office within 72 hours of becoming aware of the breach where it is likely to pose a risk to the people concerned.

For further top tips on cybersecurity for schools visit: security.lgfl.net