THE IT PROBLEM STARTS
It started as an ordinary day for Milo, the Head of Hampton College, a public school in North London. After his morning shower and super-strength coffee boost, he was ready to take on another day. With a peck on his wife’s cheek and almost out the door, he received an alarming WhatsApp message from the school’s IT Lead which read:
“We’ve got a problem. IT network is completely down. Could be a virus.”
Milo knew full well that it was a real problem. A computer virus isn’t easy to kill and its aftermath could be devastating. Without the network, his team could not access student academic and personal records, take attendance, administer tests, monitor afternoon activities, contact parents, or draft emails and reports. His students would also be irate. The more enthusiastic of the bunch would be locked out of their assignments. Those with food on their minds would be disappointed when they discovered that lunch would be a Tesco Meal Deal – at their own expense. Arriving at Hampton College, Milo hoped for a rapid resolution to the IT dilemma.
THE RANSOM DEMAND
Unfortunately for everybody, a quick fix was not on the cards that day. Quite the opposite. Feeling sick to the stomach, Milo summoned all HoDs to an emergency meeting in which he revealed the ugly truth. The school network had been infected with ransomware, taking out everything, including student and staff health records, the school’s security system and its precious payroll portal. And there was more bad news to come, fast and furious. At precisely 9 am, an all-too-familiar ransom demand appeared on every monitor across the campus:
Greetings from BlockLock!
This is what we’ve done
This organisation’s computer network is infected with BlockLock ransomware and all its data has been encrypted using the RSA algorithm.
This is what it means
It means that to decrypt and recover your data and access your IT network, you need to pay us a ransom. We require 5 bitcoin (BTC), about £250,000. This is a very fair price considering the amount of sensitive data of yours that we have captured and control.
This is how you pay
It’s easy to buy 5 BTC using this link and deposit the funds into our account following this link.
This is what happens after you pay
BlockLock is running on your systems right now, waiting to detect your payment of 5 BTC. On detection, it will start to decrypt all of your encrypted data. The payment detection process can take up to 2 hours and only after this will BlockLock start doing its magic. This means you need to leave your entire network powered on.
What happens if I don’t pay?
If you are not interested in paying the ransom, that’s okay with us. You’ll be able to reformat all your devices and even remove BlockLock – it’s not that difficult. All your files will be unrecoverable. If we don’t receive the money we need, we’ll also continue to launch cyberattacks like this one on other schools in London and beyond.
THE RANSOMWARE QUANDARY
The problem quickly escalated from having no computer access to being caught in a major financial bind and more. Milo had to choose between digging deep into an already cash-strapped budget and losing all data associated with Hampton College. Even more worrying was that the BlockLock hackers could step up their efforts by selling the stolen files on the Dark Web, publicly exposing sensitive data. With a heavy heart, Milo also reflected on the implications of regulatory non-compliance and data privacy infringement. The crisis was further exacerbated by the fact that the bad actors threatened to penetrate the networks of many other schools, possibly paralysing private-sector education in the UK. Despite having intact backups, there was also the ugly truth that the school would take weeks to recover from the cyberattack. Long story short, Milo was caught between a rock and a hard place.
WAS IT PHISHING?
Becoming a victim of ransomware is easier than you think and it’s normally us humans who are at fault. In the case of Hampton College, it wasn’t the proverbial phishing ploy that caused the network to succumb to the virus. It was caused by drive-by downloading. A school administrator inadvertently clicked on a link in an email advertising branded goods. They didn’t check the security certificate of the URL and were taken to an unverified website. Just visiting the website was all it took to download ransomware onto the main server. Advanced ransomware attacks are so difficult to identify that victims don’t need to click on or even download anything.
DID THEY PAY THE RANSOM?
Milo and the Hampton College Board were left with the daunting and urgent decision of whether to pay the ransom or not. The school could rally its finances, so raising the funds was not out of the question. But even if they authorised the ransomware payment, there was no guarantee that the school’s data would be fully decrypted or that all of it could be recovered. Milo called the Metropolitan Police and reported the breach. Their advice was direct and to the point – do not pay. This was supported by a joint stance taken by the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC):
“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands. Engaging with cyber criminals and paying ransom only incentivises other criminals and will not guarantee that compromised files are released.”
The College heeded the government’s advice and opted not to give in to the hackers. Milo was also aware that the cost of the attack would extend beyond the ransom. They would need to hire outside IT experts to help understand its full scope. Additional security software would need to be deployed and specialised cybersecurity staff employed. And there was the issue of cyber insurance, something the school had put on the back burner. Sans the ransom, Milo estimated the costs in the wake of the attack to be £350,000, possibly more.
HOW VULNERABLE ARE UK SCHOOLS TO HACKING?
An audit carried out by the NCSC and the National Grid for Learning (LGfL) revealed that 78% of UK schools have experienced at least one type of cyber incident. 73% were either victims of a phishing attack or were directed to fraudulent websites. Ransomware poses a unique challenge for British schools. At the beginning of January 2023, news surfaced that sensitive information from 14 schools in the UK had been exposed online by the threat actor known as Vice Society. This breach occurred after the schools refused to comply with the ransom demands issued by the group, making the same decision as Milo and his colleagues.
WHY ARE UK SCHOOLS SO VULNERABLE TO HACKING?
It appears that the education industry is as vulnerable as any other. But what is it that makes UK schools, and in particular public institutions like Milo’s, such soft targets? It’s a bit of a double whammy. From a hardware and software perspective, schools typically have older computer systems that are inadequately protected and monitored. This situation is exacerbated by the fact that staff and students also connect their personal devices to the network, increasing vulnerability and making effective asset management a tall order. Schools, especially those in the private sector, tend to be heavily reliant on technology but many are unable to afford the cybersecurity to keep their systems safe and secure. The second issue is data. Some say that schools can be likened to low-hanging fruit, crammed with precious, personal and sensitive information. Schools collect a lot of data that is surely ripe for the picking. Establishments like Hampton College are usually financially better off than their state school counterparts. This also positions them as easy targets for ransomware attacks.
WHAT SCHOOLS CAN DO TO BEEF UP CYBERSECURITY
As Hampton College moves forward with its IT security, developing an overarching cyber-aware culture is critical to ensure that it is never preyed on by the likes of BlockLock again. The first step is to have complex passwords. The second is multifactor authentication (MFA), which means everybody has to enter more than just a password to log in to their account – this could be a code sent to their phone, a fingerprint scan, facial recognition or something else. And the third is keeping software patched and up to date. Mandatory staff and student education and ongoing training also come into play, including sending out simulated phishing attacks. Unfortunately, there’s no fail-proof way of keeping data secure. The best you can do is put as many layers of protection as possible between your secure assets and the bad guys.
YOU DON’T NEED A £1 MILLION CYBERSECURITY BUDGET
While Milo was troubled about finding the cash to pay BlockLock the ransom, the cost of implementing decent cybersecurity along with cyber training was also giving him a few grey hairs. His worries were in vain. Izak Oosthuizen, Zhero’s founder and CEO, a London IT thought leader and cybersecurity expert, gives cyber crooks a run for their money in his latest bestseller, You Don’t Need a £1 Million Cybersecurity Budget. The book provides a realistic strategy for schools, businesses, non-profits and charities to put in place resilient security by applying and sticking to a handful of basic cybersecurity principles. Izak’s philosophy is that we can’t stop humans from making mistakes but we can stop threat actors from getting in. Using the KISS approach, Izak’s basics include password management, MFA, access control, updates, backups and more. In his words:
“Think of Kiss as a go-to reminder of how things can be for your cybersecurity – keep it simple and straightforward.”
The good news is that Izak’s basic cybersecurity is affordable and scalable, so Milo will be over the moon that it won’t break the bank. The thing is that he, like anyone else, needs to take action today. Tomorrow could be too late.