Education targeted Ransomware attacks

Schools are increasingly being targeted by cyber criminals. The latest approach is for the criminals to ring the school claiming to be from the Department of Education (remember it's the Department for Education) and asking for the email details for the head teacher/ finance administrator. The fraudsters then claim that they need to send guidance forms to the head teacher (these so far have varied from exam guidance to mental health assessments). The scammers on the phone will claim that they need to send these documents directly to the head teacher and not to a generic school inbox, using the argument that they contain sensitive information. The emails will include an attachment – a .zip file (potentially masked as an Excel or Word document). This attachment will contain ransomware, that once downloaded will encrypt files and demand money (up to £8000) to recover the files.


Ransomware is malicious software designed to block access to your computer system or files until a sum of money is paid. Ransomware is downloaded to a computer either via an email containing an infected attachment or malicious link, or from a malicious website which exploits vulnerabilities in your computer's software. Ransomware can spread from device to device across a network and even to data stored in the cloud (Google doc, Fropbox etc.) synced to the infected device.

Traditionally, most ransomware attacks were directed at individuals and demanded relatively small payments to restore the user's access to his or her system. Individual home users are soft targets - most don't back up their data or keep their software up to date. They have no cyber security education and little awareness of online safety. And there's a lot of them willing to pay a small ransom in order to get their access back to their holiday photos, videos of the kids in the school play etc.

More recently, cybercriminals have turned their attention to schools. Schools are seen as soft targets for pretty many of the same reasons as individuals are; poor cyber security education, insufficient cyber security measures and software that isn't updated and a 'it won't happen to us' mentality. For the criminal there's also the addition bonus that schools hold a lot of personal, sensitive data that they can't afford to lose and that in order to protect their reputations and get their data back school managers are likely to pay. 

How bad could it be?

One school in the north of England suffered a ransomware attach. They were locked out of every (administration and curriculum) device connected to the network. They quite rightly refused to pay the ransom. The school was closed for a week whilst the network was disinfected. 

What can you do to avoid a ransomware attack?

Ransomware attacks rely heavily on human behaviour. Someone needs to click a malicious link or open a malicious attachment to trigger the attack. So first and foremost, be vigilant. Learn to spot phising emails and potential ransomware attacks.

  • Is the email from a known sender?
  • Are you expecting the email/attachment?
  • Is the email address suspicious? i.e. from: Kathy Smith<>
  • If your are asked to click a link again does the URL www.lloydsbank/ look suspicious?
  • Are there grammar or punctuation errors that you wouldn't expect?
  • Test the link at 

(Of course, in the example at the head of this post the scammers using social engineering to throw you off the scent. By making the phone call they ensured that the email and its attachment were expected!)

There are, of course technical precautions that you should also take:

  • Don't neglect your device or network. Keep operating systems and software updated and invest in some good,  anti-virus software for local devices as well your server.
  • Back up your data files to an external hard drive and to cloud service such as Google docs or Dropbox. Do this frequently!
  • After backing up, unplug the hard drive and don't leave your cloud storage/ backup on by default. Turn it on to complete the back up/ access a file then turn it off.
  • If you don't use macros in Excel or Word turn them off. Likewise remove old and used plug-ins in your browser.

What should schools do if they are attacked?

  • Turn off the device and disconnect it from the network
  • Contact your ICT support provider
  • Report the incident to the police at or 0300 123 2040

Should you pay the ransom?

That's up to you but bear in mind that paying the ransom doesn't necessarily mean that the scammers will give you access to your data or that they wont attack again.

Want to know more?

You could download the advice that Coventry City Council have produced for their schools.



Latest from the Blog