View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Ransomware gang Hive demands £500k from two UK colleges

Hive has threatened to leak Wootton Academy Trust pupils' data online - and may do it anyway.

By Claudia Glover

Russian-speaking ransomware-as-a-service gang Hive has reportedly demanded £500,000 from two sixth-form colleges in Bedfordshire, under threat of leaking stolen data online.

According to a report from security provider Recorded Future, parents of pupils at the two Wootton Academy Trust colleges have been contacted directly by members of Hive, warning that their children’s personal information would be leaked if the Trust fails to pay up.

However, the stolen data is so valuable that it may be sold on the dark web regardless of the Trust’s actions, Recorded Future told Tech Monitor.

Young people’s personal data is especially valuable to criminals. “It’s basically fresh data.” (Image by Clerkenwell / iStock)

The Trust’s executive principal Michael Gleeson confirmed the Hive ransomware attack in a letter to students and their parents. “I can now confirm that the Trust suffered a cyber incident and we are now in the process of putting in place a plan that will enable our IT system to be rebuilt.”

The Trust has informed the Information Commissioner’s Office and the police of the incident.

Hive ransomware attack on Wootton Academy Trust

The £500,000 ransom demand reflects the coverage of the Trust’s cyber insurance policy, which Hive found on its IT systems. “We are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k,” the gang said in its message to the parents.

In the past, this has been an effective tactic for ransomware groups, who have used details of their target’s cyber insurance policies to negotiate ransoms worth millions of pounds.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

Now, though, cyber insurance policies rarely cover ransom payments, says Allan Liska, an intelligence analyst at Recorded Future. “A £500,000 cyber insurance policy does not mean that an insurance company will pay it,” he explains.

“The number of insurance companies that will pay a ransom directly has diminished or disappeared. So using that as a negotiation tactic is not as effective as it used to be.”  

Young people’s data is especially valuable to criminals, Liska explains. “It’s basically fresh data: you can use it to set up bank accounts, get these other things that you might need to launder money and to engage in other activity,” he says. “And if you’re a kid, you might not find out about it until you go to apply for your first credit card or open your first bank account.”

As a result, there is no guarantee that Hive will stick to its word if the Trust pays the ransom. “You can’t trust ransomware actors – they are lying bastards,” he says. “They’ve done this over and over again where they pretend to delete the data and then still sell it to the highest bidder.

“Sadly, the data is still too valuable not to sell.”

Threatening not only the target organisation but also its customers is indicative of the evolving tactics of ransomware groups, Liksa explains. “This is part of the expanded extortion ecosystem we see ransomware groups increasingly rely on,” he says.

Ransomware vs the education sector

The education sector is increasingly the target of cybercriminals such as Hive, with Secondary schools and sixth-form colleges suffering a 56% surge in ransomware in the past year, according to recent research by Sophos. Out of those hit, 72% had their data encrypted. Of those who paid the ransom, only 62% had their data restored, a decrease from last year’s figure.

This partly reflects weak cybersecurity protections among schools and colleges. “Schools are unfortunately notoriously bad for their security and they don’t do as good a job of protecting student data as we’d like to think they do,” says Liska.

According to a survey by security company Kaspersky, 29% of parents feel that their children’s school is “not at all prepared for a ransomware attack”.

Who is Hive?

Hive was first spotted by security researchers last June. By the end of 2021, the group had targeted 355 victims, according to a report by cybersecurity company Group IB.

It has been indiscriminate about going after organisations in the private and public sectors, says Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense. “What sticks out about them is that they really do impact the healthcare sector more than any other group,” says Paulsson. “The main countries they are hitting are the US, UK, Spain and Turkey and there have been at least 16 attacks this year that we know of.”

Hive’s most high-profile victims include European consumer electronics retailer MediaMarkt in November 2021, where Hive demanded $50m in Bitcoin, and an attack on the Memorial Health System in Ohio last August, which disrupted clinical and financial operations and reportedly caused urgent operations to be cancelled.

Read more: Luxembourg energy provider Encevo Group battles ransomware attack by BlackCat

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.