Ransomware attack forces Brit high school to shut doors
- Reference: 1737374581
- News link: https://www.theregister.co.uk/2025/01/20/blacon_high_school_ransomware/
- Source link:
Blacon High School in the historic city of Chester, in north west England, said [1]yesterday the attack hit on January 17, and didn't rule out having to shut its doors to students for additional days this week.
Students have not been given the day off, however. Teachers set work for them to complete on Google Classroom over the two days, although they can still visit the school to collect lunch.
[2]
No ransomware crew has claimed responsibility for the attack at the time of writing, and the school is unwilling to comment on whether any data was compromised as a result of the incident.
[3]
[4]
"We have an independent cybersecurity company working in school to understand exactly what has happened," headteacher Rachel Hudson said in a statement. "Until this is completed, I will not be able to provide any further details on any potential data breach."
Many of the school's IT systems are down, although Hudson said senior staff are working to create systems that will enable operations to continue.
[5]
Phone lines are also down, but a temporary number has been established if needed, and additional communication about the incident will be posted to the school's website and social media pages. Parents will also be contacted directly through the Parent Pay platform.
"I will update you as soon as we know more and will aim to open once again to students as soon as we can," Hudson said. "In the meantime, I ask for your support in helping students to complete work at home, especially for Year 11. Thank you for your patience and understanding at this time."
The attack on Blacon High School is the second major ransomware attack on the UK's public sector in a week after the Medusa gang hit [6]Gateshead Council two days earlier on January 15.
[7]
Unlike with the school, the criminals behind the council attack wasted no time in plastering their data leak site with stolen data. Medusa posted 31 pages and screenshots of stolen files, revealing personally identifiable information (PII) belonging to council residents and staff.
It also set a $600,000 ransom demand for the "deletion" of the council's data. Although cybercriminals typically make promises such as these, the prevailing belief among experts is that they are rarely honored.
Hudson said: "Unfortunately, cyberattacks like this are happening more frequently despite having the latest security measures in place. This has sadly been experienced by the NHS, National Rail, other public sector departments, and schools."
The NHS was battered by ransomware last year. The attack on pathology services provider [8]Synnovis over summer caused the most disruption, affecting thousands of appointments and [9]procedures at major London hospitals.
Then, in late November, INC Ransom pounced on Liverpool's [10]Alder Hey – northern England's premier children's hospital – days after an unconnected strike on [11]neighboring NHS hospitals in Wirral .
The news in Blacon also came in the same week as the UK government officially considering a [12]total ban on ransom payments made by public sector and critical national infrastructure (CNI) organizations.
[13]Medusa ransomware group claims attack on UK's Gateshead Council
[14]Enzo Biochem settles lawsuit over 2023 ransomware attack for $7.5M
[15]UK floats ransomware payout ban for public sector
[16]Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days
It's one of three proposals being explored over the next 11 weeks. Another approach being examined is to take the public sector ban a step further and require the biggest private sector organizations to apply for a payment license from the government.
The details are still being fleshed out but given the UK's close political ties to Australia, which recently adopted a similar rule in its Cyber Security Act, the UK may take after its Oceanic cousin and apply the rule to companies that meet a revenue threshold.
Public sector IT overhaul
While Blacon High School hasn't detailed the root cause of the ransomware attack, UK public sector organizations don't genrally have the same financial muscle as commercial businesses to spend on cyber defenses.
The government plans to release a [17]report on January 21 outlining the impact of archaic technology on the public sector. The report will examine matters such as productivity and public satisfaction with services, but also how outdated tech is contributing to the growing threat of cyberattacks.
The technology used by central government alone was found to be outdated in around 25 percent of cases, on average, while the worst cases saw this rise to 70 percent. The report will also say that a growing number of these antiquated systems are "red-rated" for security risk. For the UK's perpetually underfunded state schools, the position of security is likely to be worse.
Jake Moore, global cybersecurity advisor at ESET, said "Schools and other local government agencies often lack funding and consequently may not have the best protection for their systems which makes them soft targets.
"Schools frequently suffer from a lack in funding which can result in weaker network protection and the use of older systems, inadvertently making them susceptible to multiple cyberattacks.
He added: "There are now endless examples of educational systems and councils being struck in similar attacks and often there can be weeks of disruption which causes a knock-on effect to the wider community."
Following the publication of the government's report on archaic tech tomorrow, sweeping reforms are expected to be announced, with the implementation of these led by the Government Digital Service (GDS), which is set to be given more powers. ®
Get our [18]Tech Resources
[1] https://www.blaconhighschool.net/news/?pid=32&nid=2&storyid=55
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z46BOzfmiQq7f-id6OCOrgAAARg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z46BOzfmiQq7f-id6OCOrgAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z46BOzfmiQq7f-id6OCOrgAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z46BOzfmiQq7f-id6OCOrgAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2025/01/17/gateshead_council_cybersecurity_incident/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z46BOzfmiQq7f-id6OCOrgAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/
[9] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[10] https://www.theregister.com/2024/11/29/inc_ransom_alder_hey_childrens_hospital/
[11] https://www.theregister.com/2024/11/28/wirral_nhs_cyber_incident/
[12] https://www.theregister.com/2025/01/14/uk_ransomware_payout_ban/
[13] https://www.theregister.com/2025/01/17/gateshead_council_cybersecurity_incident/
[14] https://www.theregister.com/2025/01/16/enzo_biochem_ransomware_lawsuit/
[15] https://www.theregister.com/2025/01/14/uk_ransomware_payout_ban/
[16] https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
[17] https://www.gov.uk/government/news/archaic-tech-sees-public-sector-miss-45-billion-annual-savings
[18] https://whitepapers.theregister.com/
Re: Why should an IT outage necessitate shutting the school
Quite. We didn't have computers at school at all, not even non-working ones.
Re: Why should an IT outage necessitate shutting the school
Everything is IT driven in schools.
The register is online.
Lesson delivery often includes online resources (i.e. Moodle)
It can also be the fact that security, physical security, is ran through IT.
It's not all chalk and slates as it were in your day.
Re: Why should an IT outage necessitate shutting the school
If the teachers can't figure out how to take register without a computer then perhaps the first lesson they can't conduct without online resources can be rescheduled as some kind of emergency-survival problem-solving session where the students come up with madcap ideas for how to write down a list of names without modern technology?
Does anybody have.. paper?
We can use my shirt!
Good! Does anyone have something to write with?
We can use my blood.
10/10 for effort, but too melodramatic.
Can we get ink from a teabag..?
etc.
Re: Why should an IT outage necessitate shutting the school
If it's so easy why aren't you a teacher? Or better yet - get in touch with the school yourself and offer your services to them?
Re: Why should an IT outage necessitate shutting the school
Because anyone with a brain knows that working with kids is a liability..
Re: Why should an IT outage necessitate shutting the school
Back in the mists of time I was one of the part-time OU tutors, as was SWMBO who, incidentally, had been a school teacher before returning to University to do research. Th OU depended and very likely still does, on local colleges for premises for some tutorials. The OU year was very different from the traditional academic year and tutorials ran through the summer months when the colleges were normally closed.
From time to time the caretaker would fail to turn up to unlock the building and couldn't be found. What to do? Cope. It's summer, the weather's fine. We channel the ancient Grecian Academy and hold tutorials outdoors. At least I did. If it happened to SWMBO she just cancelled the tutorial and came home. I still don't know why. Maybe its a teacher thing.
Re: Why should an IT outage necessitate shutting the school
I'm not a teacher but I did on many occasions a) take register as a pupil myself because the teachers couldn't be arsed, and b) fail to be present in school when register was taken and suffer no adverse consequences. So I'm aware what a completely pointless tick-box joke the whole palaver is.
To cancel an entire school day because you can't verify which pupils are not cancelling their own school day is the very definition of cutting off your own nose.
Re: Why should an IT outage necessitate shutting the school
If that register is online and linked to a pile of other stuff (most our now) then it is not so easy.
Actually the register is only a small part of the issue and may not even be affected. If security systems are down then you simply don't have the staff to run the site.
Anyone who is tried to get into s school as a legitimate visitor during normal school hours should understand that.
Re: Why should an IT outage necessitate shutting the school
Exactly. It's nothing to do with the register. Most likely, because the phone lines and CCTV are down there's been some legally risk-averse decision that it's just easier to have kids schooled at home for a day or two. Maybe that's rational because online schooling is a decent fall-back these days, but let's not pretend it's somehow impossible for them to open up if they wanted to.
Re: Why should an IT outage necessitate shutting the school
"The register is online."
So they can't check a register. They can't take a register with the children at home - or maybe elsewhere. No effective difference.
"It can also be the fact that security, physical security, is ran through IT."
TFA says the children are allowed in to collect lunches so access is obviously not a problem.
Coping when the world lets you down is an essential human skill.
Re: Why should an IT outage necessitate shutting the school
Because else Google won't be able to track everyone cradle to grave...
You're not going to deny a billion-dollar company all of your kids private data now are you ?
Re: Why should an IT outage necessitate shutting the school
Things in schools likely to be controlled by computers in 2024:
The "register" (information management system in modern parlance).
Payments
Food ordering system
The secure fob/door system
All the next of kin/emergency contact/parent contact details etc
Pupil medical requirements/allergies/medication/etc
Fire/safety/risk/etc documentation
and so on...
Re: Why should an IT outage necessitate shutting the school
Quite. The most prominent are registration, catering (mostly biometric) and the facilities building-management-system (heating, potentially also water). With the best teaching will in the world it's a no-go if students are unaccounted for, cold, hungry and without toilets. ^^
Re: Why should an IT outage necessitate shutting the school
It's almost as though the systems controlling all those things should be air-gapped and not connected to the public internet.
Re: Why should an IT outage necessitate shutting the school
"catering"
TFA says pupils were allowed to go to school to collect lunch.
Re: Why should an IT outage necessitate shutting the school
So bang on the money it's shocking.
It wasn't that long ago that there was no IT medium in school unless you were exploring computer science!
IT outages are not an excuse for not delivering lessons.
Re: Why should an IT outage necessitate shutting the school
There are several issues.
It depends what is broken:
Is it related to safety such is ID & door entry systems or the register?
Is it related to teaching material?
On the first is security systems are down they will have no option but to close.
In terms of teaching it all depends on what is available and working. By the sound of it the use Google Workspace and this is currently functioning. If there is sufficient material to run lessons on that platform and teacher's laptops they can function online until the first is fixed.
Failure to Plan and Test for Computer Failure is ... Failure
No business continuity plan other than, "Kids stay home"?!! No way to manually record attendance and grades, and enter them into the system after recovery or re-initialisation?
Re: Failure to Plan and Test for Computer Failure is ... Failure
This is something I often lecture/consult on.
Reversionary Method of Operation.
It works, it takes a bit of work and planning, but if done right, is a great tool in your back up arsenal.
Not for everyone I know, but if you can't operate your business, it's going to impact customers and if you're regulated, guess who's coming next?
Re: Failure to Plan and Test for Computer Failure is ... Failure
"Not for everyone I know, but if you can't operate your business"
Mate: can I point out the bleeding obvious, it's not a business it's a sodding school. Children are not "customers"
Re: Failure to Plan and Test for Computer Failure is ... Failure
And you think that's an excuse?
Re: Failure to Plan and Test for Computer Failure is ... Failure
Posting A/C for 2 main reasons here:
1) I'm a school governor
2) I work for a cyber security vendor
For both of those reasons, I speak to a shedload of schools about cyber incidents. A modern school will probably have pretty much everything computerised from the register, the lunch payment system, the phone, fire alarms, CCTV, access control, building management systems etc on their LAN. Older schools - well, they're lucky if they are in a building that isn't falling down around their ears because it's that old and has had no money spent on it by any government since it was built in 1895.
Most of them don't have much in the way of a cyber incident plan, because most schools don't believe an attack will ever happen to them, as they have nothing a cyber criminal would want, and it's incredibly difficult to persuade them otherwise - even with my own LA, where I'm volunteering my own time to talk to people, it's seen simply as an exhortation to buy stuff/services they don't need....
When I speak at conferences, every school has a physical response plan to somebody coming in with a weapon or trying to take a child, because the children are the school's focus. Not their data.
Until school leaders get this message loud and clear, schools will keep having incidents. Oh, that and having the money to properly fund and resource those plans, that might help as well.
Re: Failure to Plan and Test for Computer Failure is ... Failure
Should all this be computerised, given the risks? If it should be computerised should some of it not be air-gapped?
> When I speak at conferences, every school has a physical response plan to somebody coming in with a weapon or trying to take a child, because the children are the school's focus.
Are schools actually able to stop someone coming in with a weapon, or taking a child? Do they have armed guards, for example? How often does this happen? Is it the case they have plans for something very unusual they cannot stop, but not for something higher risk that they can do something about.
I wonder whether it is just suspicion that they are being sold something they do not need, rather than a more general fear. I find a lot of people seem to regard cyber security, and reliability (even simple things like good backups) as a can of worms they do not want to open. Much easier to just hope it never happens.
Re: Failure to Plan and Test for Computer Failure is ... Failure
Schools SHOULD have an Emergency Plan which deals with intruders and other pyhsical threats
I have seen suich plans in action, though more for
a) dangerous dogs in the playing fields
b) hoax gun and bomb wanings
Re: Failure to Plan and Test for Computer Failure is ... Failure
With so much now delivered as SaaS because it is cheaper (in theory) there is simply not the resources or technical know how to air gap stuff.
In schools now it is very rare to have anything that is a traditional system running in the building. Now add in that the very limited number of IT staff are under paid, and therefore do not have the skills and over worked.
Re: Failure to Plan and Test for Computer Failure is ... Failure
Thank you for this post. Far better informed than much up-thread.
Folk don't seem to understand how a 21st C high school runs.
The main MIS integrates student, staff and room timetables, attendance (registration), year groups, pastoral groups, subjects, finance, salaries, assessment, qualifications
Schemes of work and lesson plans will all be computerised. Many, probably most, resources will be held virtually
Catering, trips, cleaning and caretaking will all be managed on computers.
In this case I would guess the main MIS is penetrated and that there is, therefore, evidence that all systems could be at risk as the MIS has least external contact.
Yes, I agree, many schools do not have adequate disaster recovery plans and as a fellow school Governor you will be aware of the debate - every pound spent on x is a pound that cannot be spend on education, but I am wondering what is happening here.
Has the school taken the view that keeping children learning off-site (as with the pandemic) is worth it for a few days. Perhaps the MIS cannot be accessed and registers printed until the vulnerability is identified.
Re: Failure to Plan and Test for Computer Failure is ... Failure
There clearly is something, maybe not a full blown plan because they are switching to online teaching where possible.
"Students have not been given the day off, however. Teachers set work for them to complete on Google Classroom over the two days, although they can still visit the school to collect lunch."
It is the second sentence.
Why should an IT outage necessitate shutting the school
Can't they get their workbooks and pens out?