Sophisticated Ransomware Attack leaves 36,000 Students without Email

Schools and Universities continue to be a favored target of ransomware operators. Previously, this publication covered how the US Federal Bureau of Investigation issued an alert warning the education sector that the operators of the Pysa ransomware, a variant of the Mespinoza, was actively being used in campaigns against schools and universities. Over the past weekend, another schooling organization was hit by a ransomware attack. This time across the Atlantic.

Reports began emerging that the Harris Federation, which runs some 50 schools in London and Essex in the United Kingdom, had to temporarily disable their email system, leaving nearly 40,000 students without the service during a time when many students are remotely attending certain classes given the current pandemic.

In a statement issued by the Harris Federation, the organization confirmed that it had suffered a cyberattack and that it suffered a ransomware attack.

ransomware attack leaves students without email access

Further, the statement notes,

“As a precaution, we have temporarily disabled our email system. Our telephone systems, which run on the internet, have also been disabled but each academy switchboard has been diverted to a mobile telephone. Switchboard services are therefore very limited and we would ask that you temporarily avoid telephoning us or any Harris academy other than to report absence or in emergencies.
Where pupils have Harris Federation devices, these have been disabled as a precaution and cannot currently be used.   
We know that some families will have important individual concerns around data and that in these cases you will want to know more about the nature of the attack. Because we do not want to risk providing incorrect information, we will communicate further once we have clarity and liaise as appropriate with the Information Commissioner’s Office.”

The school is in consultation with both consultants and law enforcement to further investigate the matter. As to the type of ransomware used, no statement has been made to that effect. Sources speaking to Bleeping Computer believe the specific ransomware strain used in the attack to be Sodinokibi. However, the publication with a reputation for a being ransomware authority could not confirm this. Irrespective of the strain deployed, what is apparent is that the UK education sector comes under attack in waves.

The last wave that targeted schools and universities occurred in August and September of last year. One of the victims of the August September wave of attacks was the University of Newcastle. In this case the offending piece of ransomware was DoppelPaymer, which resulted in the University taking several weeks to recover. To add insult to injury the University also had data leaked; an attempt by the attackers to place increased pressure on the victim to pay.

NCSC Alerts

The UK’s National Cyber Security Centre (NCSC) published an alert on March 26, 2021 warning of increased attacks against the education sector. The alert is an updated version of the alert issued in September 2020 following that wave of attacks that involved the University of Newcastle. The law enforcement agency noted that they had witnessed an increase in the number of cases targeting the education sector starting in February of the year. The alert is a wealth of important information when it comes to defending against attacks.

Of particular importance are the vectors used by ransomware operators to distribute and compromise networks. It is worth repeating these vectors here as by properly securing remote access ports, software, and hardware many ransomware attacks can be prevented. Ever popular attack vectors include Remote Desktop Protocols (RDP) and VPN vulnerabilities. Attacks that abuse RDP, according to the NCSC, is the most popular attack vector utilized by threat actors. Typically, RDP is used to open remote connections between computers and used by IT departments for maintenance and troubleshooting. However, insecure configurations allow the attacker to gain initial access to a machine on the network.

How the attacker gains access using this method is done in several ways. Commonly, the attacker will gain login credentials from either phishing email campaigns or from leaked credentials online. Another option is for the attacker to carry out a brute-force attack where lists of possible username and password combinations are tried. These attacks can be defended against by having strong passwords. Regarding VPN attack vectors, since 2019 several VPN vendors have disclosed several vulnerabilities that can be exploited by attackers to gain initial access to a network or machine. The disclosures are made in conjunction with patches that prevent exploitation but due to low rates of patch adoption, these vulnerabilities can still be exploited. Commenting further on this vector, the NCSC notes,

“The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in remote access systems.”

ProxyLogon Vulnerabilities

The NCSC alert is made special mention of the recently disclosed Microsoft Exchange Server vulnerabilities, that have collectively become known as the ProxyLogon vulnerabilities. Initially, when the flaws were discovered they were being exploited by a state-sponsored hacking group tracked as Hafnium. Soon after when Microsoft announced the flaws and the subsequent release of patches other hackers and cybercriminals were attempting to exploit these flaws to drop various forms of malware including ransomware.

Currently, it is believed that the DearCry and the Black Kingdom ransomware strains have been distributed using the flaws. Recently, it was discovered that Taiwanese computer manufacturing giant Acer had suffered a cyber incident of some kind. According to a Bleeping Computer report supplemented by security researcher opinions, Acer had suffered a ransomware attack and the attackers were demanding 50 million USD to restore encrypted data. Further, the strain used in the attack was Sodinokibi. The link between the attack and the ransomware was made by researchers who had seen the ransom note used in the particular sample used to attack Acer.

Researchers had discovered that attempts were made by hackers to compromise Acer’s network using the ProxyLogon vulnerabilities. It is still unclear if the recent attack on the Harris Foundation was indeed Sodinokibi or not. If it is the case it has been a busy March for the ransomware operators. What is clear is that ransomware operators have several methods to choose from when looking to gain initial access to an organization. For those tasked with defending networks belonging to organizations within the education sector, keeping software and hardware up to date is vital in preventing ransomware attacks from happening.

To further help organizations, and not just those in the education sector, to defend against ransomware the NCSC published an in-depth article on how to mitigate against the threat. In short, the following actions should be taken to help prevent ransomware, and other strains of malware, from wreaking havoc. The following can help disrupt ransomware attack vectors:

  • Effective vulnerability management and patching procedures (See Vulnerability Management).
  • Secure RDP services using Multi-Factor Authentication.
  • Install and enable Antivirus software.
  • Implement mechanisms to prevent Phishing attacks.
  • Disable or constrain scripting environments and macros.

If the worst were to happen and a ransomware infection was to occur, organizations must take prior steps to help facilitate a quick recovery. These steps include:

  • Having up-to-date and tested offline backups. Offline backups are the most effective way to recover from a ransomware attack.
  • Ensure that a backup policy is drafted in accordance with the needs of the organization and that all staff adheres to the policy.

For those who typically follow cyberthreat news, these recommendations would have been read an awful amount of time. It is not just repetition for repetition's sake, but the above-mentioned mitigation strategies do work.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal