Ransomware sleazeballs target UK schools

Cybercrooks are targeting UK schools, demanding payments of up to £8,000 to unlock data they have encrypted with malware. Action Fraud warns that fraudsters are cold-calling schools claiming to be from the Department of Education and asking for the head teachers’ email addresses. Crooks then send booby-trapped emails with …

  1. Anonymous Coward

    but can restore their data smoothly in the event of a ransomware incident,

    And there is the crux of the matter - using a tested backup for the restore process. Now if a certain London university had tested backups maybe they wouldn't have had so much grief.

  2. Doctor Syntax Silver badge

    cold-calling schools claiming to be from the Department of Education and asking for the head teachers’ email addresses

    "It's our policy not to give such information over the phone. Please write." should be the standard response. Making it should be a reflex action.

    1. DNTP

      Re: standard response

      I've said it before: the point at which this great idea fails is the point at which a management higher-up decides the security rules don't apply to him, then gets some poor first-line rep sacked for insisting on protocol. Good luck getting anyone to follow the protocol after that.

      1. billat29

        sleazeballs target UK schools

        Let me see:

        Department FOR education

        standard for head's email is head@

        DfE have it anyway.

        Oh wait!

        Andrew Stuart, managing director of backup and disaster recovery vendor Datto.....

        another El Reg advertorial

        1. Lazlo Woodbine Silver badge

          Re: sleazeballs target UK schools

          That's the case for primary schools; for secondary schools there doesn't seem to be any consistency.

          1. katrinab Silver badge

            Re: sleazeballs target UK schools

            Most primary schools have a headmistress rather than a headmaster.

      2. Doctor Syntax Silver badge

        Re: standard response

        "I've said it before: the point at which this great idea fails is the point at which a management higher-up decides the security rules don't apply to him"

        It's up to senior management to set the policy. If they don't set it and follow it they've nobody else to blame.

    2. Danny 14

      Or just look on the website where there is usually an email address. Or just headmaster@schooladdress.sch.uk

    3. x 7

      "It's our policy not to give such information over the phone. Please e-mail."

      FIFY

  3. Lazlo Woodbine Silver badge

    Called me twice this week

    Got a call from these bastards on Wednesday.

    "Hello, this is Mary from the Department of Education. I need to contact your IT manager, can you let me have his email address?"

    "If you're really from the Department for Education then they should already have our proper contact email details."

    She put the phone down.

    She called back on Thursday

    "Hello this is Mary from the Department of Communications, I need to contact your IT manager, can you let me have his..."

    I didn't let her finish the sentence.

    Note to scammers:

    It's the Department For Education, not Of

    There is no Department of Communications...

    1. Anonymous Coward

      Re: Called me twice this week

      Good work, Agent Woodbine! It seems she slipped up and let her real name out. Now, we just need to track this Mary down and she's nicked! I'll alert Inspector Tiger of Scotland Yard straight away! Bob's your uncle!

    2. Doctor Syntax Silver badge

      Re: Called me twice this week

      "If you're really from the Department for Education then the should already have our proper contact email details,"

      She put the phone down.

      For occasions like this, keep a list of addresses of the more recent SEO etc spammers from your junk folder. They're all in the same line of work, no reason why they shouldn't occasionally be introduced to each other.

  4. Anonymous Coward

    Stop using Windows, at least run it in a VM so you can use snapshots etc.

    1. Martin Summers

      Meanwhile, back in the real world...

    2. DNTP

      Your suggestion is often equivalent to fixing one little bolt on a machine that has numerous more fundamental flaws. It might not be a bad idea in the abstract, but a company with an extremely hardened IT system is still vulnerable without an institutional culture trained and enforced to match.

  5. Anonymous Coward

    Cybercrooks are targeting UK schools

    Cybercrooks are targeting UK schools .. how exactly .. please provide technical details?

  6. John H Woods

    Stop with the network shares please ...

    It seems to me that nearly every network share I have ever come across would have been more useful as a version control system than a big dumb file storage area. Even before ransomware became a big issue, the increased auditability and resistance to user error seemed compelling advantages.

    If I had to secure a network share, in the quickest and cheapest possible manner, I'd think about scheduling a job to nondestructively* copy all the files in it to a nonshared filesystem on a regular basis.

    It's not a substitute for regularly made and regularly tested backups, but it might expedite getting prior copies of ransomed files back.

    * using some system to prevent existing files being overwritten with new versions (even just something like rsync --backup --suffix `date +%Y%m%dT%H%M%S` would do the trick)
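    A runnable version of the scheduled nondestructive copy described in the comment above, as an added example that is not part of the original post. It is written in plain POSIX sh rather than around rsync so it runs anywhere; the rsync one-liner in the footnote does the same job and is quoted in the header comment. The directory names, timestamps and sample files are constructed for the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original thread.  A scheduled, nondestructive
# copy of a network share into a directory users cannot write to.  Nothing
# already in the destination is ever overwritten in place: when a file has
# changed, the old destination copy is first renamed FILE.STAMP (STAMP being the
# run time, so names sort chronologically), which is what
#   rsync -a --backup --suffix=".$(date +%Y%m%dT%H%M%S)" SRC/ DST/
# does.  If ransomware rewrites a file on the share, the next run parks the
# clean copy beside the encrypted one instead of destroying it.
# Paths, timestamps and sample files below are constructed for the walkthrough.

# snapshot_copy SRC DST STAMP: copy every regular file under SRC to DST,
# preserving a differing DST copy as FILE.STAMP before replacing it.
snapshot_copy() {
    src=$1
    dst=$2
    stamp=$3
    find "$src" -type f -print | while IFS= read -r f; do
        rel=${f#"$src"/}
        target="$dst/$rel"
        mkdir -p "$(dirname "$target")"
        if [ -f "$target" ]; then
            cmp -s "$f" "$target" && continue      # unchanged, nothing to do
            mv "$target" "$target.$stamp"          # keep the prior version
        fi
        cp -p "$f" "$target"
    done
}

# latest_version FILE: print the newest preserved copy of FILE, if any.
latest_version() {
    ls "$1".* 2>/dev/null | sort | tail -n 1
}

# restore_latest FILE: put the newest preserved copy back over FILE.
# Returns 1 when no earlier version exists.
restore_latest() {
    prev=$(latest_version "$1")
    [ -n "$prev" ] || return 1
    cp -p "$prev" "$1"
}

# demo: run two nightly-style snapshots around a constructed ransomware event
# and recover the clean file from the vault.  Prints the working directory.
demo() {
    work=$(mktemp -d)
    share="$work/share"
    vault="$work/vault"
    mkdir -p "$share/finance"
    printf 'pupil register v1\n' > "$share/register.csv"
    printf 'budget 2017\n'       > "$share/finance/budget.xlsx"

    snapshot_copy "$share" "$vault" 20170101T020000   # night 1: clean copy

    # constructed incident: the live share copy is overwritten in place
    printf 'ENCRYPTED GARBAGE\n' > "$share/register.csv"

    snapshot_copy "$share" "$vault" 20170102T020000   # night 2: encrypted copy
    # vault/register.csv is now the encrypted version and
    # vault/register.csv.20170102T020000 the clean one it displaced;
    # budget.xlsx was unchanged, so no extra version of it was created.

    restore_latest "$vault/register.csv"              # clean copy back in place
    echo "$work"
}

demo >/dev/null
```

    Schedule `snapshot_copy` from cron with `$(date +%Y%m%dT%H%M%S)` as the stamp. The destination must not be exported to users: if the vault is reachable from a compromised workstation the ransomware simply encrypts it too. Note that the suffix records when a copy was superseded, not when it was made, which is also how rsync's `--backup --suffix` behaves.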

  7. cantankerous swineherd

    these guys are to be commended. destroying data held by schools will improve civil liberties and the quality of education.

  8. Anonymous Coward

    What are the system requirements for this malware? Microsoft Windows ?

  9. 0laf

    Up here

    North of the wall all state schools are run directly by local authorities which (should) mean proper backups are in place and any ransomware attack is doomed to be an irritation rather than a disaster.

    I've heard some real horror stories from guys in the south about free schools, i.e. IT run by the pupils. I wouldn't be shocked to find out some of those schools have paid up in ransomware attacks.

    Smaller independent schools are probably at much greater risk as well.

    1. Andy The Hat Silver badge

      Re: Up here

      South of the wall the divide and conquer Academy system means that some schools have IT management others just have old computers on desks that a computer pixie will fix at some point - usually just before Ofsted are due ...

      Watching a finance manager literally building a new workstation on his desk with not even a nod to the god of static but knowing your pay packet relies on that machine makes the skin crawl a bit ...


Biting the hand that feeds IT © 1998–2022