Lost coursework and headaches

By Charles Parker, II

Sir John Colfox Academy is a secondary school in Bridport, Dorset in the UK. The school has 828 students, aged between 11 and 18.

Attack

On a fateful workday, much like any other, a staff member received an email. This was one of the hundreds of emails received on a weekly basis. This, however, claimed to be a colleague at another Dorset school. Not thinking a malicious person would have sent this, the staff member opened the email and clicked on the content on February 28, 2019. While this may have seemed innocent enough, the email actually appears to have been sent from China and forwarded from a server in Germany.

The click opened the door for the system’s infection. The network had an issue. The malware was reported as ransomware and, as expected, immediately began to encrypt the files. The attackers, as with the next step of the ransomware playbook, demanded money to be paid to them for the decrypt key.  The school consulted with a police expert regarding the substantial issue. After a review, it was noted the attack did not likely exfiltrate any school data, and staff, student and parent data were not on the system that was breached. The research into this indicated the attack may have been part of a much larger international operation.

Data

In particular, for this case, Year 11 students submitted their coursework. This coursework was saved on the school’s network. Due to the issue, the coursework in the subject was lost. While the description is short, the devastation is significant. The hope is the student’s had this backed-up somewhere.

Mitigation

The school is working with a particular exam board to resolve the issue. They are also working with the Dorset Police cybercrime unit. Although there was a demand for funds, no payment was made. This is generally the policy to take due to the second potential issue with just making the payment. The school had to notify the parents and sent a letter explaining the issue.

Discussion

Targets are generally attacked to compromise their systems to gain access to data for exfiltration or to extort funds from them. In the early days, these may have been more of an exercise, however, the attackers have operationalized the model. Ransomware has proven itself to be a completely popular, viable, and successful attack tool. Over the last four years, this has been very profitable for the attackers.

Lessons Learned

Ransomware is used so often, it is becoming redundant. The frequency is mostly due to the simplicity of the attack, the financial awards, and this tends to shut down operations until the fee is paid (not advised) or the issue is remediated through installing back-ups, and a thorough review to ensure nothing was left behind by the attackers they could use later for re-entry.

There needs to be continued training for the staff. This removed a significant portion of the opportunity for an issue. If the staff know what the usual forms of the attack are, these are less likely to be clicked on, and fewer systems would be infected. There also needs to be back-ups, which are regularly checked to ensure they are viable.

Resources

Hussain, D. (2019, March 14). Secondary school is being held to ransom after a ‘Chinese cyber attack’ caused the loss of year 11 student’s GCSE coursework Retrieved from https://www.dailymail.co.uk/news/article-6808845/Secondary-school-held-ransom-cyber-attack-caused-loss-students-GCSE-coursework.html

Sjouwerman, S. (2019, March 14). GSCE coursework lost in a ransomware attack on UK bridport school. Retrieved from https://blog.knowbe4.com/gcse-coursework-lost-in-cyber-attack-on-uk-bridport-school

Speck, D. (2019, March 15). GCSE coursework lost in a ransomware attack. Retrieved from https://www.tes.com/news/gcse-coursework-lost-ransomware-attack

Wakefield, J. (2019, March 13). GCSE coursework lost in a cyberattack in bridport school. Retrieved from https://www.bbc.com/news/uk-england-dorset-47551331

About The Author

Charles Parker, II has been in the computer science/InfoSec industry for over a decade in working with medical, sales, labor, OEM and Tier 1 manufacturers, and other industries. Presently, he is a Cybersecurity Lab Engineer at a Tier 1 manufacturer and professor. To further the knowledge base for others in various roles in other industries, he published in blogs and peer-reviewed journals. He has completed several graduate degrees (MBA, MSA, JD, LLM, and PhD), completed certificate programs in AI from MIT, other coursework from Harvard, and researches AI’s application to InfoSec, FinTech, and other areas, and is highly caffeinated. Charles Parker, II may be reached at charlesparkerii@protonmail.com.