Ransomware alert

As you will be aware, the NHS was affected by a global malware that encrypts data and then requests a ransom for it to be unlocked. This so-called ransomware is not uncommon in the modern world; however this particular version also uses a weakness in an old technology to propagate around the victim's network.

Although unconfirmed it is thought this malware was sent via an email with specially crafted code to trigger the infection. From there, it will look for the weakness on other computers to spread further.

EIS has completed a scan of servers where the school have allowed us to install Centrastage and we can confirm we have not seen any encrypted files. This is not unexpected due to the timing of the infection on Friday as most schools will have closed for the weekend. Therefore, there is a risk that infected emails are waiting for your staff.

Please advise your staff to not open any unexpected email attachments that they are not completely certain who it came from. Take particular notice of attachments that suggest they are invoices or delivery notices.

EIS recommend all computers are up to date and where possible Windows Update is run on all computers to apply the latest patches. Where schools have Windows XP or Server 2003, there is a specific patch that must be applied manually. Most schools do not use these old systems, but there are some we are aware do. The patch can be downloaded here

We also advise that the moment a computer shows the ransomware message, that the computer is powered off, without shutting down. This can either be done by pulling the plug from the PC, or press and hold the power button of a laptop for up to 10 seconds. This will help prevent further infection. We also recommend, if this happens, shutting down every computer normally and contact EIS for assistance. The key here is damage limitation.

In most schools who use the KPSN Schools Broadband, the virus cannot spread between other schools. However, if you have specially requested access to systems between school sites (such as federations and multi academy trusts) then there is a risk. While there is little that can be done other than block this type of access, it should be given extra consideration if one school is infected that the other schools may also be infected. If you have any concerns or questions, please contact EIS on the details on our website

EIS are continuing to monitor the situation and will update schools as soon as something changes. The EIS website will always have the most up to date information.