Newcastle Grammar School reveals post-mortem of ransomware infection

Newcastle Grammar School’s IT systems were “so badly damaged” in a ransomware attack late last year that forensics investigators could not establish how or where the attack began.

The NSW school’s head Erica Thomas provided a post-incident report of sorts on the attack via a video published by its cyber insurance provider Aon Australia last week.

It was reported at the time that attackers had encrypted and “destroyed” the school’s IT systems before trying to extract a ransom.

Thomas said that the infection occurred on a Saturday morning as she interviewed prospective staff for the 2021 school year.

“I was online doing that, and I realised that things were disappearing in front of me and I needed to make some calls very quickly,” she said.

“Our IT staff were very quick to respond, and my IT manager within a few minutes rings me back and says, ‘We’ve got an incredible problem’. 

“What he was looking at was the system being absolutely destroyed and every part of our IT system was being encrypted, and there was nothing he could do to stop this event from happening.”

Thomas said that hours after the environment was encrypted, they received an emailed demand for a ransom of “over $1 million in cryptocurrency.”

“The demand was that we pay that within a week and [the attackers] would then unencrypt our network,” she said.

Thomas added the school made the call not to pay.

“We made an ethical decision right upfront that we weren’t going to support these criminals,” she said.

“As much as you are told they will restore your system, you can’t guarantee that.”

The school lost access to all its core systems, from email and phones to physical security such as gates.

Staff “lost exams” and student reports they had written; these would ultimately have to be redone.

Thomas said the school called on its cyber insurance broker Aon Australia, which connected the school to specialist IT, forensics and legal resources to help with the mop-up.

Thomas said there was an immediate need to disclose the attack to parents, but with all its core systems encrypted, this was no easy task.

“It took me and the IT team until Sunday evening to find one system that sat outside this that had not been encrypted and I could send a message to our parents telling them that this had happened and that I needed 24 hours where the majority of our students stayed at home,” Thomas said. 

She said the school adopted a position of being “very transparent” about the attack from the outset.

“I could not imagine down the track, if I wasn’t transparent, having to tell people that this had been a cyber attack and [that their] details had been stolen,” she said.

Thomas said that the school effectively rebuilt its entire IT environment in the space of a week, “amost quarantining” the infected infrastructure and starting afresh.

“We began looking at how we might build this to better protect us in the future, and my IT staff were absolutely phenomenal,” she said.

“Within about a week they had nearly every system back up and running and we were online.

“Every resource was put towards rebuilding our system as quickly as we possibly could and minimising the impact.”

Nine months on, and even after engaging forensics specialists, Thomas said the school has been unable to establish the entry point for the malware.

“We don’t know how this got into our system,” she said.

“We’ve got our ideas, but the system was so badly damaged we’ve never found the absolute reason for it.”

Thomas said she had been unprepared for the long tail impact of the attack. 

“I wasn’t prepared that it would go on and be as long as it was,” she said.

“We’re nine months later and this is something we still live, and I think we’ll be living it for quite a long time. 

“Yes, we were up and running in a week but the impacts of this go for a very long time in your organisation.”

Thomas said the school had continued to monitor the dark web for a data leak.

“We’ve been monitoring the dark web since to see if any of [our] information is up there -  it hasn’t [appeared] thankfully, but this is something that doesnt go out of your mind.”

Thomas also said that the school had “undergone a full systems review” as part of its approach to risk management three months prior to the infection, and that it believed its systems were robust and resilient.

“We were a bit naive,” she said.

“We thought we had a great review of our systems.

“We were working through things to protect us more, and we have a terrific IT team, but ... this could happen to anyone.”

She added that the school had made significant investments in cyber security awareness for staff since the incident, and that this investment is continuing.