When Ransomware Hits a School
The Billericay School, Essex — June 2024
During the half-term holiday, The Billericay School in Essex was hit by a ransomware attack that encrypted all of the school's IT systems. Head teacher Patrick Berry declared a "significant critical incident", noting that the attack occurred despite having "industry standard firewalls, firmware and malware security" in place.
The school was forced to close to pupils in Years 7, 8, 9, and 12 so that staff could prepare lessons without access to any digital resources. All systems were described as "compromised and inaccessible by a complex encryption."
The bigger picture:
A BBC investigation found that 347 cyber incidents were reported in the UK education and childcare sector in 2023 — a 55% increase on 2022. Government data suggests most schools and colleges have identified a cybersecurity breach in the past year.
How to Spot & Prevent Ransomware
Ransomware usually enters through human error. Know the warning signs and lock down your defences.
Warning Signs
- Unexpected email attachments — Especially .zip, .exe, .js, or macro-enabled Office documents (.docm, .xlsm).
- Unusual system slowness — Ransomware encrypting files in the background consumes significant CPU and disk resources.
- Files renamed or inaccessible — Extensions changed to .locked, .encrypted, .crypto, or random strings.
- Ransom notes — Text or HTML files appearing in folders with payment demands (often in cryptocurrency).
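The rename and ransom-note signs above can be checked automatically against file-activity logs. The following is an added example, not part of the original page: the event format, host names, thresholds and the note file name are constructed assumptions.

```python
import posixpath
from collections import defaultdict

SUSPECT_EXT = {".locked", ".encrypted", ".crypto"}  # extensions named in the list above
NOTE_EXT = {".txt", ".html"}                        # ransom notes are text or HTML files

def triage(events, window=60, rename_threshold=5, note_dirs=3):
    """events: (epoch_seconds, host, action, path) tuples. Returns sorted alerts."""
    renames = defaultdict(list)  # host -> timestamps of renames to a suspect extension
    notes = defaultdict(set)     # (host, file name) -> folders where that file appeared
    for ts, host, action, path in events:
        ext = posixpath.splitext(path)[1].lower()
        if action == "rename" and ext in SUSPECT_EXT:
            renames[host].append(ts)
        elif action == "create" and ext in NOTE_EXT:
            name = posixpath.basename(path).lower()
            notes[(host, name)].add(posixpath.dirname(path))
    alerts = []
    for host, stamps in renames.items():
        stamps.sort()
        # Sliding window: `rename_threshold` suspect renames inside `window` seconds.
        for i in range(len(stamps) - rename_threshold + 1):
            if stamps[i + rename_threshold - 1] - stamps[i] <= window:
                alerts.append((host, "mass-rename"))
                break
    for (host, name), dirs in notes.items():
        # The same text/HTML file dropped into many folders is the ransom-note pattern.
        if len(dirs) >= note_dirs:
            alerts.append((host, "note-in-many-folders:" + name))
    return sorted(alerts)

# Constructed sample: pc-01 shows both signs, pc-02 is ordinary activity.
SAMPLE = (
    [(100 + 5 * i, "pc-01", "rename", f"/home/staff/docs/report{i}.docx.locked")
     for i in range(6)]
    + [(140, "pc-01", "create", f"/home/staff/{d}/read_me.html")
       for d in ("docs", "pics", "marks")]
    + [(200, "pc-02", "rename", "/home/office/old.crypto"),
       (210, "pc-02", "create", "/home/office/notes.txt")]
)

if __name__ == "__main__":
    for host, reason in triage(SAMPLE):
        print(f"ALERT {host}: {reason} -> isolate the machine and investigate")
```

A single rename or one new text file stays below the thresholds, so normal staff activity on pc-02 raises nothing.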
Prevention Checklist
- Keep everything patched — Apply OS and software updates promptly. Most ransomware exploits known vulnerabilities.
- Deploy endpoint protection — Modern antivirus with behavioural analysis, not just signature-based detection.
- Email filtering — Block executable attachments, scan for malicious links, and quarantine suspicious messages.
- Staff training — Regular phishing awareness sessions. Humans are the weakest link — and the strongest defence.
- Disable RDP — Remote Desktop Protocol is a top entry point. Use VPN with MFA instead.
Understanding Backup Types
If ransomware gets past your defences, your backup is the only thing standing between you and total data loss. Here's how the three main backup types work.
Full Backup
A complete copy of all data every time the backup runs. This is the simplest type and the fastest to restore from — but it takes the most time and storage space.
Advantages
- Fastest restore time
- Simplest to manage
- Self-contained — no dependencies
Disadvantages
- Slowest backup process
- Highest storage requirement
- Network-intensive
Best for: Weekly or monthly base backups combined with daily incrementals.
Incremental Backup
After an initial full backup, each subsequent backup only copies data that has changed since the last backup of any type. This is the most storage-efficient method.
Advantages
- Fastest backup process
- Lowest storage requirement
- Minimal network impact
Disadvantages
- Slowest restore (needs full + all incrementals)
- Dependent on chain of previous backups
- One corrupt link breaks the chain
Best for: Daily backups where storage space and backup windows are limited.
Differential Backup
After an initial full backup, each subsequent backup copies all data that has changed since the last full backup. This grows larger each day but only needs two backups to restore: the full + the latest differential.
Advantages
- Faster restore than incremental
- Only needs full + latest differential
- Good balance of speed and storage
Disadvantages
- Grows larger each day until next full
- More storage than incremental
- Backup time increases through the week
Best for: Organisations wanting faster restores than incremental without the cost of daily full backups.
The GFS Rotation Scheme
Grandfather–Father–Son (GFS) is the industry-standard backup rotation that balances recovery speed, storage cost, and data retention.
Son (Daily)
Incremental backups run every working day. Kept for one week, then overwritten by the next cycle.
Father (Weekly)
A full backup runs every Friday (or weekend). Kept for one month, providing weekly restore points.
Grandfather (Monthly)
The last full backup of each month is archived. Kept for 12 months (or longer for compliance).
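The restore dependencies described in the Incremental and Differential sections, applied to the Friday-full schedule above, can be worked through in code. This is an added example, not part of the original page: the dates and function names are constructed, and it shows how one corrupt daily backup moves the newest usable restore point.

```python
from datetime import date, timedelta

def build_schedule(start, days, daily_kind):
    """Full backup every Friday; `daily_kind` ("incr" or "diff") on other working days."""
    sched = []
    for i in range(days):
        d = start + timedelta(days=i)
        if d.weekday() < 5:                      # skip Saturday and Sunday
            sched.append((d, "full" if d.weekday() == 4 else daily_kind))
    return sched

def restore_chain(schedule, target):
    """Backups needed to rebuild the state at `target`, oldest first."""
    upto = [b for b in schedule if b[0] <= target]
    last_full = max(i for i, b in enumerate(upto) if b[1] == "full")  # ValueError if none
    chain = [upto[last_full]]
    for b in upto[last_full + 1:]:
        if b[1] == "diff":
            chain = [chain[0], b]    # a differential supersedes everything since the full
        else:
            chain.append(b)          # an incremental depends on every earlier link
    return chain

def latest_restorable(schedule, target, corrupt):
    """Newest restore point at or before `target` whose chain avoids `corrupt` dates."""
    for d, _ in reversed([b for b in schedule if b[0] <= target]):
        try:
            chain = restore_chain(schedule, d)
        except ValueError:           # no full backup this far back
            break
        if not any(day in corrupt for day, _ in chain):
            return d, chain
    return None

# Constructed week: full on Friday 1 March 2024, dailies Monday to Thursday.
# BAD marks Tuesday's backup as corrupt.
START, THURSDAY, BAD = date(2024, 3, 1), date(2024, 3, 7), {date(2024, 3, 5)}

if __name__ == "__main__":
    for kind in ("incr", "diff"):
        sched = build_schedule(START, 7, kind)
        print(kind, "chain length:", len(restore_chain(sched, THURSDAY)),
              "| newest clean restore point:", latest_restorable(sched, THURSDAY, BAD)[0])
```

With incrementals, the corrupt Tuesday backup pushes the newest restore point back to Monday. With differentials, Thursday is still recoverable from the full plus Thursday's differential.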
The 3-2-1 Rule
Keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite (or in the cloud). This ensures no single disaster — fire, flood, ransomware, or hardware failure — can destroy all your backups.
Hit by Ransomware? Do This Now.
Isolate Immediately
Disconnect infected machines from the network. Unplug Ethernet cables and disable Wi-Fi to prevent the ransomware spreading to other devices and servers.
Do Not Pay the Ransom
Paying does not guarantee you'll get your data back, and it funds criminal organisations. The NCSC strongly advises against paying.
Report the Incident
Contact Action Fraud (0300 123 2040) and the NCSC (ncsc.gov.uk). If personal data is involved, notify the ICO within 72 hours.
Restore from Backup
Wipe infected machines and restore data from your most recent clean backup. This is why your backup strategy is critical — it's your recovery plan.