An IT worker holds his head in his hand and looks distressed in front of his computer screens
Creative Commons attribution information

Ransomware attack: what we learned and how we recovered

The education sector is in the grip of an unprecedented spike in ransomware attacks. Staff at Dundee and Angus College know only too well the impact of such an attack, having been devastated  in January 2020, after an unpatched endpoint was breached. 

Now, 18 months on, staff reflect on the harsh lessons, but also the opportunity that emerged to rebuild the digital estate better and stronger.  

Andy Ross, head of ICT at the college, says:

“The attack happened in the early hours one Friday, so by the time we arrived for work the damage had been done. All our core systems to do with the day-to-day running of the college were impacted - about 90% of the digital estate - so everything stopped.  

“However, any cloud-hosted services, including the virtual learning environment (VLE) were intact and continued to function. 

“We needed to build everything else from scratch and, in the process, identify and remove security weaknesses. 

“Since February 2019, the college has embarked on a cloud-first strategy, so Office 365 for example, was still working, but at the time of the attack, the vast majority of services were still in on-premise data centres, which put us at risk of an attack heavily impacting the college.” 

Recovery planning 

Jisc’s computer incident response team (CSIRT) investigated the attack and produced a list of recommendations to boost security.  

During the weekend immediately following the attack, Ross says the IT team worked “just about every hour of the day”, building back the core network and, by Monday morning, staff and students were at least able to log on. Most essential services were running again within a week or two. 

Then the team were able to start planning the rebuild. Ross explains:

“We looked at the operational plan and thought about how we could improve each of our services in future.  

"The plan was always to retire on-premise services and introduce cloud services over a couple of years but after the attack the executive team agreed to bring forward that plan.   

"For example, we introduced OneDrive overnight. There's an immediate benefit to that from a cyber resilience point of view, and it really helped students and staff who were working remotely because they were able to access their materials from home, from any device.  

“The intention is that, within the next three to five years, we will be entirely in the cloud. Our backup solution is now cloud-based and goes to a data centre in London. Even our administrators can't touch it, so it's as safe as it can be. 

“And when we’re renewing services or buying new ones, we look for the software-as-a-service (SaaS) solution, or the platform-as-a-service (PaaS) solution.  

“As part of that, we’ve chosen the Jisc security information and event management (SIEM) service, so we can leverage the knowledge of Jisc experts to help us monitor traffic and alert us to any issues. We also recruited a dedicated cyber security engineer to monitor systems and produce a quarterly report of actionable recommendations. 

“Multi-factor authentication (MFA) was in the plan before the attack, but the importance of doing that jumped up the priority list. Now all our students and staff are using it ahead of the original schedule. As a next step, we’re now looking at a zero-trust approach and better controlling systems access.   

“Our incident response plan has been updated since the attack, as you would expect, and we’re testing that by running a series of tabletop exercises this year.”    

Recognising the risk of human error to cyber security, compulsory security awareness training for staff has been introduced, and a similar course for students is on the cards. Mock phishing emails also targeted staff, allowing Ross’s team to individually advise the 10% who were duped.     

Support from the board 

While business continuity insurance covered a lot of the costs, the attack still had a considerable financial impact because of loss of income during the period the college was closed. 

The board and executive, says Ross, were very supportive.

“There was buy-in before, especially around the benefit of moving towards the cloud, but there's a lot more awareness of the importance of cyber security now, and our leaders are asking more questions. 

“The attack has focused minds and we've certainly been given much more freedom to purchase and procure better solutions to support security, increasing the long-term budget for ICT.” 

Ross reckons it was six months before the recovery process was complete and, while he's confident the college’s security posture is in much better shape, dealing with the attack has left its mark.  He says:

“There isn't a day that goes by when I don't look at my phone as soon as I wake up checking for notifications. I don’t ever really switch off, but I’m happy that an attack from the same vector would no longer be successful and the mitigations put in place should limit the impact of future attacks.  

 “Ransomware is impacting all sectors, world-wide, but the frequency of attacks targeting educational institutions is a concern. Don’t underestimate the impact these attacks can have on day-to-day business. 

"I’d love to tell my board members that this isn't going to happen again, but it's just a matter of time before it does, and ensuring that you can mitigate the impact, recover quickly and get services up and running as fast as possible is essential.” 

To hear more from Andy Ross, sign up for free to attend Jisc’s security conference (9-11 November), where he and a colleague will be talking further about their ransomware experience.