3B Data Security
Situation: A large local Secondary School Academy Trust in the UK was subject to a ransomware attack in the early hours of a Friday morning. A number of their key servers containing vital management information (such as the Student Information System with attendance, contact and assessment data) and controlling core school functions (such as their physical security system) had been encrypted, and a ransom demand made.
3B Data Security had been contacted by the local Cyber Resilience Centre by 14:00 on the Saturday of the same week, after the schools had consulted them and requested assistance. One of our Security Incident Managers attended a face-to-face meeting with the client within 45 minutes (handily, they were local to the school).
Task: Tasking was determined by the operational mission and constraints on the school. They had no expertise in dealing with such incidents and limited internal IT resources to handle the situation. They did however have very strong (and tested) emergency resilience protocols and plans in place that made managing the recovery phase relatively painless.
The objectives were agreed early on in terms of no engagement with the attacker, cleaning the environment and ensuring security hardening was applied to prevent repeat attacks. Where possible the points and methods of ingress were to be investigated.
Actions: During the initial meeting the Security Incident Manager created a plan with the client's Head Teacher and IT Director which addressed three strands of activity: incident response (containment and eradication), incident analysis (forensic investigation and threat analysis) and incident recovery (enabling the school to resume normal operations in a phased manner from the following Monday).
Initial triage confirmed that the ransomware was a new variant of REvil (Sodinokibi) ransomware, using a different decryption key from the previous variants of that strain (for which keys had been recovered as a result of the attack on Kaseya).
Two key devices, identified as the likely ingress point for the malware, were taken into custody for forensic imaging and analysis. These were taken to the laboratory and imaged overnight on the Saturday, with analysis commencing early on the Sunday morning. A team of two incident response professionals was deployed to the school site to work alongside the client's IT team, firstly on containment and eradication and in parallel on recovery operations.
Recovery operations were conducted whilst ensuring that the school was able to continue providing education to pupils from the Monday morning, minimising disruption whilst recovery efforts continued. Tasking included identifying and scanning all data sources in use (in excess of 10TB of data), backing this up securely, wiping and restoring teachers' laptops (approximately 200 devices), and checking the other devices across the administration and wider estate.
Throughout the engagement regular updates were provided to the client's team, and formal updates were provided to the Board of Governors.
On conclusion of the incident response, analysis and recovery operations, a 'lessons learned' session was held with the client's team and the Governors, together with recommendations on future practices, policies and procedures.
Results: From the early stage of the incident, the school was able to continue teaching and learning operations, and IT infrastructure was progressively returned to use within the environment. In line with Department for Education guidelines and best practice, no engagement was conducted with the REvil group over the ransom. The school received full remediation support to implement the remediation plans over the following weeks, ensuring the environment was hardened and more secure.