Ransomware Prevention for Schools

Schools combine high-PII (student records, parent payment data, safeguarding files) with often-poor backups and time-pressured leadership that may pay to restore service before exam periods. Attackers calibrate ransom demands to school budgets, typically lower than corporate ransoms but with much higher conversion rates.

Three layers, each catching ransomware at a different stage:

• Behavioural detection of encryption activity, Sophos CryptoGuard rolls back unauthorised encryption at the file system level.
• Anti-data-exfiltration, BlackFog stops the data-leak phase that precedes most modern ransomware. If data cannot leave the device, the double-extortion model breaks.
• Email-borne payload prevention, Coro AI Essentials catches AI-generated phishing carrying ransomware payloads.

Any one of these reduces the success rate; together, the compound effect is order-of-magnitude.

The 3-2-1 rule still applies: three copies, two media, one off-site. The modern addition is immutable backups, copies that ransomware cannot encrypt. Test restoration quarterly; "we have backups" is not the same as "we can restore from backups".

Isolate affected systems from the network. Preserve evidence, do not wipe machines until forensic capture is complete. Contact KB and law enforcement (NCSC in UK, ACSC in AU, NCSC in NZ). Coordinate communications via your governance protocol, staff, parents, regulators each get a different message at different times.