
Case Study: A ransomware attack that crippled a Lincolnshire-based Multi-Academy Trust

Published on 2023-08-30 11:32:48 UTC

We recently welcomed Lincolnshire-based Multi-Academy Trust (MAT) Voyage Education Partnership as a Community Ambassador at the East Midlands Cyber Resilience Centre. In 2019, they were victims of a ransomware attack... and they’re now sharing their story.

Voyage Education Partnership is made up of 9 schools and was formerly known as The Boston Whitham Academies Federation (BWAF). In October 2019, while the trust was still operating under the BWAF name, cyber criminals successfully infected it with ransomware.

In a case study which should act as a cautionary tale for the education sector, Voyage are now sharing the story behind the ransomware attack, and how they got back on their feet after a tumultuous period.

The ransomware attack, orchestrated by organised cyber criminals, resulted in the encryption of vital files and databases, effectively rendering them inaccessible to both their staff and students.

Fortunately, the severity of the situation was quickly realised when a member of staff discovered their files had been locked and encrypted late one Friday night. To prevent further infection, the rest of the school’s network had to be shut down immediately by the external server supplier. The subsequent network downtime caused significant disruptions as the trust was preparing for the return of its 3,500 pupils the next Monday morning.

It is believed that a member of staff unwittingly clicked on an attachment in a phishing email. The attachment contained a strain of malware called Emotet which, it was later discovered, infected the whole IT network. Emotet is a kind of malware used by criminals, originally aimed at stealing financial data, but it has evolved to become a major threat to users everywhere.

Emotet phishing emails, like so many others, usually contain familiar branding designed to look like a legitimate email. They may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Even though fast action was taken to mitigate the attack, school operations were still impacted for at least a month, with the network being completely unavailable for a week. After that first week, devices were first drip-fed back to staff over two to three weeks, then the students' machines were worked on during the fourth and final week of the month-long outage.

Fortunately, they had flexible and dedicated staff who were happy to do extra work without access to their usual systems, while the IT experts worked tirelessly on restoring them.

This meant that teachers were faced with the challenge of continuing classroom instruction without the aid of technology. Each device had to be meticulously inspected to ensure that no traces of the ransomware remained that could pose a threat to the newly restored system.

Furthermore, the loss of access to online registers caused further disruptions, necessitating the distribution of paper registers to classrooms for teachers to manually fill out.

In addition to academic hurdles, administrative staff faced their own set of challenges. The trust's cashless system for school lunches, which typically relies on digital transactions, was temporarily rendered ineffective due to the system shutdown. As a result, staff had to revert to accepting cash payments during break and lunch times, significantly slowing down the overall process and causing inconvenience for both students and staff.

Luckily, the financial cost of dealing with the incident was minimal, as the trust had sufficient IT staff in place to remediate, meaning no external contractors needed to be brought in.

Determined to prevent future cyber attacks and improve the overall cyber security posture of the trust, the Voyage Education Partnership embarked on a transformative journey.

In 2021, the trust underwent a rebranding process. Under the leadership of a new CEO, and a Digital Services Manager, the trust recognised the urgent need to revamp its systems and decided to invest £300,000 into the development of a secure Wide Area Network (WAN).

Wayne Oldfield, who was appointed Chief Operating Officer in Summer 2020, made cyber security a top priority. Guided by the principle of being "secure by design," the trust formulated a detailed specification for the new system.

Joining the team as the Digital Services Manager, Luke Vere spearheaded the design and implementation of the trust's new WAN. The project, named Gen2, involved migrating data from an off-site data centre to the trust's own data centre and cloud services.

In addition, a robust firewall was installed, and over 2,500 devices underwent reinstallation, ensuring they were equipped with the latest security updates.

The outcome of this ambitious project was the establishment of a resilient and secure system across all 9 schools within the Voyage Education Partnership.

The revamped system incorporated redundancy and failover mechanisms, ensuring uninterrupted operations even in the face of potential threats.

A significant achievement resulting from this project was the trust's attainment of Cyber Essentials Certification, a testament to its commitment to maintaining robust cyber security practices.

Since the launch of the new system, the trust has achieved an impressive 100% uptime, providing a stable and secure learning environment for its students and staff.

The education sector remains a major target for cyber criminals because of the information schools hold and the outdated systems some of them run.

Not all schools have the funds or the expertise to carry out such an extensive overhaul. Here at the Cyber Resilience Centre, we are able to help schools and businesses no matter their budget or expertise.

We offer an information pack filled with guidance and advice to help better protect schools against the threat of cyber criminality, and we also offer free security reviews and affordable services including Staff Awareness Training - which helps staff understand their working environment, giving them the understanding to identify phishing emails and speak up when something doesn’t look right.

The training is focused on those with little or no cyber security or technical knowledge and is delivered in small, succinct modules using real world examples, and includes a whole section on how to spot phishing or fake emails, like the one the Emotet malware would have arrived on.

We also offer a Cyber Business Continuity Exercise. This service offers a review of your business continuity planning and the resilience of your organisation to cyber-attacks such as ransomware.

For any further information, please get in touch with the team.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


Article: Case Study: A ransomware attack that crippled a Lincolnshire-based Multi-Academy Trust - published 9 months ago.

https://www.emcrc.co.uk/post/case-study-a-ransomware-attack-that-crippled-a-lincolnshire-based-multi-academy-trust   
Published: 2023 08 30 11:32:48
Received: 2023 09 19 12:08:11
Feed: The Cyber Resilience Centre for the East Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security