Ransomware attack forces high school in London to close and send students home

A high school in south London has announced it will be closed for the first half of this week due to a ransomware attack, leaving approximately 1,300 students in the lurch.

Students were sent home from the Charles Darwin School on Thursday, with a letter from the headteacher Aston Smith following them on Friday to warn parents that the IT issue students had been told of was “worse than hoped” and actually a ransomware incident.

The letter confirmed that the school would be “closed Monday, Tuesday and Wednesday” as “all staff devices have been removed to be cleansed” and teachers will need time to re-plan lessons, while senior staff will have to create systems to continue running the school.

“All students have had their [Microsoft] 365 accounts disabled as a precaution. If you receive an email from an unusual email address we ask that you are vigilant. We will never send any attachments or links during the recovery process,” the letter stated.

It added that the school might have to take further measures based on new information in the weeks ahead and warned “there is the potential for all information held by the school to have been accessed.”

An unnamed cybersecurity company is currently completing a forensic investigation, said the school, but the headteacher warned that until this is completed he would not be able to provide further details on the data breach.

“Unfortunately cyber-attacks like this are happening more frequently despite having the latest security measures in place. Our understanding of our situation is that it is similar to what was experienced by the NHS, Transport for London, National Rail, other schools and public sector departments,” stated the headteacher.

The attack comes just as schools in the U.K. start the new year, and follows a spate of ransomware attacks against educational institutions last year.

Ransomware attacks on the education and childcare sector in the United Kingdom have reached record levels in recent years, with 126 incidents reported to the Information Commissioner’s Office in 2023 — more than in any year prior.

A further 27 attacks were also reported to the ICO in just the first quarter of 2024, more than double the number of incidents that were reported in the same quarter in the previous year.

Multiple schools, including Wymondham College, the largest state boarding school in the country, and Tanbridge House School in West Sussex, were hit by cyber extortionists who threatened to release stolen data unless a ransom fee was paid.

Previously, the LockBit ransomware group attempted to extort a school for children with special educational needs.

Criminals have also published documents from Guildford County School that appeared to include safeguarding reports — the sensitive internal documents teachers write to record information about at-risk students.

Asked previously about the number of attacks impacting schools, a spokesperson for the Department for Education told Recorded Future News that the department monitors cybersecurity incidents closely and that there is no evidence to suggest attacks are on the rise.

They did not respond to a question about the latest incident.

Britain’s lead authority on cybersecurity, the National Cyber Security Centre (NCSC), first issued an alert to schools about ransomware attacks in September 2020, warning of “an increased number of ransomware attacks affecting education establishments in the U.K., including schools, colleges, and universities.”

The alert page states that it has been updated several times since then due to further ransomware attacks.

The NCSC continued to reference an increase in attacks as recently as last month when it published a survey finding that “despite an increase in the number of ransomware attacks” schools were becoming “better prepared” to deal with these incidents.

This preparation includes protecting IT networks but also focusing on a quick recovery from the incident itself.

The cybercrime group known as Vice Society has been behind a spate of ransomware attacks targeting educational establishments in Britain and around the world. The criminals extort their victims by stealing sensitive data and threatening to release it unless a ransom is paid.

Last year the Hive ransomware group demanded £500,000 (about $608,000) from two schools in England following an attack. In January, law enforcement agencies in the United States and Germany announced they had “hacked the hackers” and taken down the infrastructure used by the Hive gang.

BBC News previously reported that highly confidential data stolen from 14 schools in the U.K. had been published by the group. In several situations the schools did not inform students and staff that their data had been published on the leak site.

Ransomware attacks have also been a widespread problem for U.S. educational institutions, including recent incidents in the Los Angeles Unified School District and systems in Iowa and Massachusetts. Hackers compromised the personal information of nearly 100,000 people from an entire school district near Washington, D.C., earlier this year.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.
