Russian-speaking ransomware-as-a-service gang Hive has reportedly demanded £500,000 from two sixth-form colleges in Bedfordshire, under threat of leaking stolen data online.
According to a report from security provider Recorded Future, parents of pupils at the two Wootton Academy Trust colleges have been contacted directly by members of Hive, warning that their children’s personal information would be leaked if the Trust fails to pay up.
However, the stolen data is so valuable that it may be sold on the dark web regardless of the Trust’s actions, Recorded Future told Tech Monitor.
The Trust’s executive principal Michael Gleeson confirmed the Hive ransomware attack in a letter to students and their parents. “I can now confirm that the Trust suffered a cyber incident and we are now in the process of putting in place a plan that will enable our IT system to be rebuilt.”
The Trust has informed the Information Commissioner’s Office and the police of the incident.
Hive ransomware attack on Wootton Academy Trust
The £500,000 ransom demand reflects the coverage of the Trust’s cyber insurance policy, which Hive found on its IT systems. “We are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k,” the gang said in its message to the parents.
In the past, this has been an effective tactic for ransomware groups, who have used details of their target’s cyber insurance policies to negotiate ransoms worth millions of pounds.
Now, though, cyber insurance policies rarely cover ransom payments, says Allan Liska, an intelligence analyst at Recorded Future. “A £500,000 cyber insurance policy does not mean that an insurance company will pay it,” he explains.
“The number of insurance companies that will pay a ransom directly has diminished or disappeared. So using that as a negotiation tactic is not as effective as it used to be.”
Young people’s data is especially valuable to criminals, Liska explains. “It’s basically fresh data: you can use it to set up bank accounts, get these other things that you might need to launder money and to engage in other activity,” he says. “And if you’re a kid, you might not find out about it until you go to apply for your first credit card or open your first bank account.”
As a result, there is no guarantee that Hive will stick to its word if the Trust pays the ransom. “You can’t trust ransomware actors – they are lying bastards,” he says. “They’ve done this over and over again where they pretend to delete the data and then still sell it to the highest bidder.
“Sadly, the data is still too valuable not to sell.”
Threatening not only the target organisation but also its customers is indicative of the evolving tactics of ransomware groups, Liksa explains. “This is part of the expanded extortion ecosystem we see ransomware groups increasingly rely on,” he says.
Ransomware vs the education sector
The education sector is increasingly the target of cybercriminals such as Hive, with Secondary schools and sixth-form colleges suffering a 56% surge in ransomware in the past year, according to recent research by Sophos. Out of those hit, 72% had their data encrypted. Of those who paid the ransom, only 62% had their data restored, a decrease from last year’s figure.
This partly reflects weak cybersecurity protections among schools and colleges. “Schools are unfortunately notoriously bad for their security and they don’t do as good a job of protecting student data as we’d like to think they do,” says Liska.
According to a survey by security company Kaspersky, 29% of parents feel that their children’s school is “not at all prepared for a ransomware attack”.
Who is Hive?
Hive was first spotted by security researchers last June. By the end of 2021, the group had targeted 355 victims, according to a report by cybersecurity company Group IB.
It has been indiscriminate about going after organisations in the private and public sectors, says Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense. “What sticks out about them is that they really do impact the healthcare sector more than any other group,” says Paulsson. “The main countries they are hitting are the US, UK, Spain and Turkey and there have been at least 16 attacks this year that we know of.”
Hive’s most high-profile victims include European consumer electronics retailer MediaMarkt in November 2021, where Hive demanded $50m in Bitcoin, and an attack on the Memorial Health System in Ohio last August, which disrupted clinical and financial operations and reportedly caused urgent operations to be cancelled.