Ransomware-struck schools reject £1m demand from crims in timely reminder to always mind the air-gap

An independent schools group in Wales was hit by a ransomware attack in September, during which the perpetrators deleted files belonging to staff and pupils, and encrypted Veeam onsite backups held on disk and tape.

The attackers used Sodinokibi ransomware to penetrate the IT systems of Haberdashers’ Monmouth Schools – which comprises five schools – and demanded £500,000, rising to £1m after six days, to decrypt the data.

The malware variant penetrated the schools through a domain admin account, working its way through the main infrastructure to knock out file servers, Exchange, and SQL servers.

Haberdashers’ School, Monmouth

In a soon-to-be-published case study, Haberdashers’ Monmouth Schools’ IT director Fred Welsby said the attackers “had found all the devices and servers on the network, created a domain admin account and started trawling through our data to see what was valuable to us. There was nothing they couldn’t do.

“We did have… backup software on-premises – and one of the backup servers was on domain. That was fully encrypted, so they hit our backup systems as well.

“I came into work to find my engineer calling it ‘a disaster’. Nobody could log onto any computers. Teachers and pupils had no access to any of our services, databases or email systems. Basically it was back to paper and pencil.”

Fortunately, the schools had a second line of defence. After previous malware attacks, Welsby had arranged to store backups offsite in a Redstor cloud facility. These comprised 15TB of data stored in encrypted form in a geographically separate data centre. The ransomware gang was unable to attack this.

Following the attack, Welsby called Redstor, a UK cloud data management provider. The company restored a SIMS (Schools Information Management System) server and Pass server into VMware. Welsby said: “We were able to recover that server to the previous day with Redstor, so the loss of data was very minimal. The cloud backups were unaffected and were critical in restoring our systems.”

He said having offsite backups was an “absolute godsend”.

Computerworld, a Bristol-based reseller and Haberdashers’ Monmouth’s main IT provider, helped get the school’s most important services up and running, including on-premises hosted email and Microsoft 365 authentication.

The schools’ IT director said: “It was a very bad attack, but it could have been a lot worse. Had we not had a cloud backup system, we would have been with very limited services for a month or longer.”

Haberdashers’ survived the attack with a day or so of downtime and no need to pay the ransom. Its experience shows that onsite backup alone is not sufficient for ransomware data protection. To ensure a truly robust defence, make sure you also air-gap your data to a separate data centre.

Famously, in the case of an embarrassing ransomware attack at the University of California San Francisco in June this year, the uni had a data protection deal in place that was both immutable and not accessible over the network. However, it didn’t actually use it on the affected systems. This led the institution to cough up a whopping $1.14m in bitcoin to recover the encrypted files after a certain number of servers within its “School of Medicine IT environment” were locked up, presumably along with valuable research, by criminal hackers.

So if there is an additional protip to be had besides actually having an offsite, airgapped backup system, it is: switch the darned thing on.

Veeam declined to comment on this ransomware attack.