Ransomware at Your School: What to Do Right Now
If you are reading this because your school has just been hit by ransomware — or you suspect a ransomware attack is underway — this page tells you exactly what to do right now. It is written for headteachers, IT leads, and business managers who need immediate, actionable guidance in a crisis. The actions you take in the first hour will significantly affect the outcome. Do not panic. Follow these steps.
Schools that contain ransomware within the first hour and call the NCSC immediately recover significantly faster than those that delay response — the first hour is the most critical.
First: Do These Things Right Now
If ransomware is active on your school's systems:
- DO NOT turn devices off — this destroys forensic evidence. Disconnect from the network instead (unplug the network cable or disable WiFi)
- Call your IT provider or IT technician immediately — this is a P1 emergency
- Call the NCSC Cyber Incident Response line: 0300 020 0973 (free, available now)
- Do NOT pay the ransom — seek specialist advice first. Paying does not guarantee recovery and funds criminal operations
- Do NOT use school email to communicate — if email is compromised, use personal mobile phones
- Start a paper log of everything you do — date, time, action. You will need this for ICO notification
- Alert the headteacher and chair of governors if not already aware
In the First Hour: Contain and Assess
Your immediate priorities are containment and assessment:

- **Contain**: Identify which systems are affected and isolate them from the network. If multiple devices are affected, work with your IT provider to identify the scope. Segment affected areas of the network if possible.
- **Assess**: What systems are affected? Is the ransomware still spreading? What data is at risk? Has your backup been compromised?
- **Preserve**: Do not attempt to clean or restore systems before specialist advice has been obtained. Evidence on affected devices is critical for understanding what happened and for legal purposes.
In Hours 1-4: Notify and Get Help
Once immediate containment is underway:

1. **Invoke your cyber insurance**: call your insurer and report the incident. The insurer will connect you with their preferred incident response firm.
2. **Contact the NCSC**: if not already done, call 0300 020 0973. The NCSC provides free guidance and can connect you with certified incident response firms.
3. **Notify your DPO**: your data protection officer must assess whether a personal data breach has occurred and whether ICO notification is required within 72 hours.
4. **Alert the DfE**: significant cyberattacks affecting school operations should be reported to the DfE's Cyber Incident Response service.
5. **Business continuity**: what paper-based processes can maintain safeguarding records, attendance, and essential communications while systems are offline?
The ICO 72-Hour Obligation
If personal data may have been accessed — which in a ransomware attack it almost certainly has, even if the primary impact is encryption rather than theft — the ICO must be notified within 72 hours of the school becoming aware of the breach. The 72-hour clock started when you became aware of the ransomware attack. Do not wait until you know the full extent of the breach — notify the ICO with what you know and update the notification as more information becomes available. Notifying promptly, even with incomplete information, is viewed more favourably by the ICO than late notification with complete information.
Frequently Asked Questions
Should we pay the ransom?
No. The NCSC, FBI, and CISA consistently advise against paying ransoms. Paying does not guarantee decryption — many schools and organisations that have paid have found the decryption tools provided by attackers to be unreliable or non-existent. Paying funds criminal operations and encourages further attacks. It does not prevent the attackers from publishing any data they have exfiltrated. Contact the NCSC before making any decision about ransom payment.
Will turning computers off help?
Generally no — and often it makes things worse. Turning devices off destroys volatile memory (RAM) that contains forensic evidence about the attack. If ransomware is actively running, turning off one device will not stop it spreading to others via the network. The right action is to disconnect devices from the network — unplug the network cable or disable WiFi — while leaving them powered on for forensic investigation.
How long will it take for our school to recover?
Based on UK education sector incidents, meaningful recovery of critical systems typically takes one to four weeks. Schools that have tested their backups, have documented recovery procedures, and engage specialist incident response firms recover faster. The Harris Federation took several weeks to restore systems across 50 schools. Even smaller schools should plan for at least a week of significant disruption to non-essential systems while critical systems are recovered first.
Do we have to tell parents?
If personal data of pupils or their parents has been breached and the breach poses a high risk to their rights and freedoms, you must notify affected individuals — including parents — without undue delay. This is a UK GDPR obligation. Where the breach affects safeguarding records, medical data, or other sensitive information, parental notification should be planned carefully with legal advice. The ICO can provide guidance on notification obligations during the breach reporting process.
Who is responsible for paying for incident response?
Cyber insurance covers incident response costs for schools that hold appropriate cover. This is the primary financial reason schools need cyber insurance — specialist incident response firms typically charge thousands of pounds per day, which is beyond most school budgets without insurance. Schools without cyber insurance must fund response from reserves. The NCSC and DfE provide guidance and coordination support but not direct financial assistance for recovery costs.
Build your school's incident response plan before it's needed