Why Jisc members shouldn’t pay ransomware demands

Steve Kennett

This week, the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have warned against paying ransomware demands . We wholeheartedly support this stance and offer the same advice to Jisc members – colleges, universities and research centres.

An IT worker holds his head in his hand and looks distressed in front of his computer screens.

Over the past couple of years, ransomware has become big business across the globe and across all sectors, including education. Showing willingness to comply with the demands of these highly organised criminal gangs will only add fuel to that already blazing fire.  

Reasons not to pay 

Many Jisc members, particularly the more under-funded further education colleges, don’t have the means to pay a ransom, but that doesn’t stop cyber criminals from trying to extort money.  

Issuing a demand can provide an opportunity for attackers to demonstrate the extent to which they have infiltrated systems and exert leverage through the fear factor. For example, one college received a demand for the exact amount in its bank account.  

There have also been instances where attackers have sought out backups in order to hamper recovery and apply further pressure on the victim organisation to give in to their demands. 

For those that can afford to pay out, I strongly urge them not to give in. There are several reasons for this:  

  • There’s no guarantee that once a payment is made, stolen and encrypted data will be restored 
  • Even if data is returned, anything of value could have been copied and touted for sale on the dark web
  • Any organisation that has suffered a ‘successful’ ransomware attack is seen to be weak and may well be targeted again
  • While making a ransomware payment is not, currently, unlawful, there is a duty on education organisations not to contribute to criminal gain 

The points above aren’t just suppositions. We know of two UK education providers that were hit by ransomware attacks and their stolen data was posted for sale on the dark web. Personal information and login credentials, for example, can be bought cheaply for the purposes of identity theft. 

During our work to support members experiencing ransomware attacks, Jisc has come across a couple of instances when insurance company representatives suggested paying up. Our advice has always been to the contrary, for the reasons cited above, which is why I was heartened to read of the NCSC and ICO’s letter to the Law Society on 7 July.  

It said there is evidence of a rise in ransomware payments and solicitors may have been advising clients to pay in the misguided belief that doing so will keep data safe or lead to a lower data breach penalty from the ICO. 

Impact on the education sector 

Our sector has experienced a sustained increase in ransomware attacks since the late summer of 2020. A total of 15 further and higher education providers were impacted by ransomware in 2020, eight of them during the crucial period of clearing and enrolment. A further 18 were hit in 2021 and we’ve recorded 11 so far in 2022. 

Ransomware is now the top threat identified in Jisc’s 2021 cyber security posture survey of FE and HE providers – and I’ll be surprised if this changes when the 2022 survey is published in November. 

This is a very serious threat to our sector and one which the NCSC has repeatedly warned against.  On many occasions, Jisc has urged the sector to take urgent action to put in place measures to safeguard against ransomware and other forms of cyber-crime – and yet colleges and universities are still suffering crippling attacks.  

As our updated cyber impact report shows, the fallout can be catastrophic, with some institutions losing their entire digital estates, including back-ups. In terms of financial costs, we’ve heard from education providers which have reported costs upwards of £2m.  

Preventing attacks 

The mass migration to remote working and studying during the pandemic inadvertently opened institutions to attack. Insecure configuration of the remote desktop protocol (RDP) for example, was a key factor in ransomware attackers gaining initial access to victims’ devices.  

This underlines the importance of putting in place basic security controls, such as making sure systems are patched and up to date, and that all staff and students are using multi-factor authentication. But, really, responsibility and accountability for cyber security sits with senior leaders, who should have strategic oversight of the risks and governance required to maintain a robust security posture. 

Further information 

Get involved

Join our defend as one campaign and help us unite higher and further education in a common cause - to build robust defences across the sector. As a member, you can sign up to receive personalised instructions on how to improve your cyber security posture across your organisation.

About the author

Steve Kennett
Former executive director, security (CISO), Jisc

Steve Kennett left Jisc in October 2022