The UK education sector needs to learn some urgent lessons following a spate of Vice Society ransomware attacks, explains Bill Mew
As the top digital economies, the US and UK attract the largest number of cyber attacks, according to a recent report by Malwarebytes. While the US attracted the largest number of attacks between April 2022 and March 2023, seven times more than the UK, this was roughly in proportion to the greater size of its economy.
Notable among the pattern of attacks in the UK over this period was the largest known ransom demand to date – $80 million demanded from Royal Mail, as well as the fact that the education sector was hit far harder than in other countries. Malwarebytes attributed most of this to a single ransomware gang, Vice Society, which targets the UK education sector.
I was fortunate enough to meet up with Mark Stockley, Senior Threat Intelligence Researcher at Malwarebytes, at the recent Infosec Europe event in London. He took me through their research and highlighted how over the last 12 months, the education sector had been the target in 16% of known attacks in the UK, but only 4% in France and Germany, and 7% in the USA.
He explained that LockBit was the main tool used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. However, in the UK, while LockBit was again the tool in most common use, Vice Society came a close second. Not only does Vice Society have a particular focus on the UK, but of its known attacks in the UK over the last 12 months, 76% hit the education sector, meaning that Vice Society was responsible for 70% of known attacks on UK education institutions.
Vice Society uses familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold, and it is known to use legitimate software in its attacks to avoid detection by security tools.
Why us?
The UK education sector might well question why, with an entire world of targets to choose from, ransomware gangs like Vice Society have singled it out for disproportionate attention. After all, it does not have the resources to meet ransom demands and it might well argue that such attacks are a real kick in the teeth. That said, the threat is very real and action needs to be taken.
This comes at a time when the UK government has unveiled plans to expand, merge or create new multi-academy trusts that will see an unprecedented level of restructuring. If this is not to be a distraction from the current cyber threat, then these plans need to include resources for employing far greater rigour in cybersecurity. This could well entail the need to rethink, reskill and retool their approach to ransomware to fend off the determined attentions of attackers who smell an opportunity.
It should also be taken as a warning to other under-resourced government entities in the UK that might be next on the hit list – from local authorities to NHS Trusts.