When a ransomware attack struck a secondary school on a Sunday morning, a long-standing relationship and immediate response meant 75% of systems were restored within the first week, and every system fully recovered. The school was closed for four days and reopened on the Friday.
A single-site, oversubscribed secondary school serving 1,300 students and 200 staff. The school relies on its IT infrastructure for teaching delivery, safeguarding, parent communication, MIS, and day-to-day administration.
IT operations are managed by a single network manager supported by one day-to-day technician, a resourcing model common across the sector, but which places significant operational pressure on a lone specialist responsible for infrastructure at enterprise scale.
Medhurst Communications had provided third-line support to the school for over ten years, with an established working relationship built on trusted personal contact and deep familiarity with the school's systems and network topology.
Scale in context: With 1,300 students, 200 staff, and around 400 devices across a single site, this school operates IT at the complexity of a mid-size enterprise, supported by a team of two.
The school's network manager had identified security improvements he wanted to make, but a combination of staff resistance, budget prioritisation, and the realities of operating as a sole IT professional meant that key measures remained outstanding.
The primary remote access VPN had no MFA in place. The network manager had pushed for Azure-authenticated MFA but had encountered staff pushback. This became the attack vector.
A programme to decommission older servers and harden network rules was planned for the Easter half-term; the attack arrived first. Insufficient network segmentation allowed lateral movement once credentials were compromised.
One network manager responsible for 400 devices, multiple servers, CCTV, access control, MIS, and connectivity. Proactive security hardening competed constantly with reactive day-to-day support demands.
The school had a documented DR plan, but it was stored on the same file servers that were encrypted in the attack. When the plan was needed most, it was inaccessible. A printed, off-network copy did not exist.
"There were so many things I wanted to implement, but I simply didn't have the time. I can't split my attention evenly across everything. You can't have one person do it all."
Network Manager, Secondary School
At approximately 9:00am on a Sunday morning, threat actors gained access to the school network through the remote access VPN using stolen staff credentials. With no MFA in place, the login was unchallenged.
Once inside, the attackers exploited a vulnerability on an old domain controller to escalate privileges and obtain domain administrator credentials. With elevated access secured, they were able to move freely across the network.
The attackers used both the old domain controller and the school's CCTV server as pivot points, leveraging them to map the network and connect via SMB (port 445) to multiple Windows shares using the elevated credentials. Encryption of file servers and core systems began immediately.
Around 12:30pm, the headteacher, working on site, noticed file servers were inaccessible and messaged the network manager at home. Within three minutes of reading that message, the network manager had remote-accessed the file server and identified a ScreenConnect backdoor script actively running. He was at school by 1:00pm and physically pulled the internet connection.
Encryption was halted at approximately 30% of the total data volume, a significantly better outcome than would have occurred without the rapid detection and isolation. The underlying damage, however, was already severe enough to require a full infrastructure rebuild.
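The lateral movement described above, a single elevated account reaching many Windows hosts over SMB from a server that should never act as a file-share client, leaves a distinctive fan-out pattern in logon telemetry. The following is an added example, not code from the school or from Medhurst: it runs a sliding-window fan-out check over a constructed, simplified rendering of Windows event 4624 (successful logon) with logon type 3 (network), which is the event an SMB share connection generates on the target host. Host names, addresses, account names and timestamps are invented for illustration; the window and threshold are assumptions to tune against your own environment.

```python
"""Fan-out detection for network logons.

Flags any (source address, account) pair that logs on over the network to
many distinct hosts inside a short window. Added example with constructed
sample data; the log format is a simplified rendering, not native EVTX/XML.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one server address (10.0.5.20) using a domain admin
# account to touch five hosts in 18 seconds, plus benign background logons.
SAMPLE_LOG = """\
2025-03-16T09:02:10Z host=DC-OLD event=4624 logon_type=3 user=j.smith src=10.0.9.15
2025-03-16T09:14:02Z host=FS01 event=4624 logon_type=3 user=DOMADM src=10.0.5.20
2025-03-16T09:14:05Z host=FS02 event=4624 logon_type=3 user=DOMADM src=10.0.5.20
2025-03-16T09:14:09Z host=SIMS01 event=4624 logon_type=3 user=DOMADM src=10.0.5.20
2025-03-16T09:14:12Z host=PRINT01 event=4624 logon_type=3 user=DOMADM src=10.0.5.20
2025-03-16T09:14:20Z host=APP01 event=4624 logon_type=3 user=DOMADM src=10.0.5.20
2025-03-16T09:30:00Z host=FS01 event=4624 logon_type=3 user=a.teacher src=10.0.20.44
2025-03-16T09:31:00Z host=FS01 event=4624 logon_type=3 user=a.teacher src=10.0.20.44
2025-03-16T09:45:00Z host=DC-OLD event=4624 logon_type=2 user=admin src=-
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<lt>\d+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_fan_out(log_text, window=timedelta(minutes=10), threshold=4):
    """Return [(src, user, sorted_hosts)] for every source/account pair that
    reaches at least `threshold` distinct hosts via network logon within
    `window`. Only event 4624 / logon type 3 records are considered."""
    by_pair = defaultdict(list)  # (src, user) -> [(ts, host), ...]
    for rec in parse(log_text):
        if rec["event"] != "4624" or rec["lt"] != "3":
            continue
        by_pair[(rec["src"], rec["user"])].append((rec["ts"], rec["host"]))

    alerts = []
    for (src, user), seq in by_pair.items():
        seq.sort()
        best, start = set(), 0
        for end in range(len(seq)):
            # Slide the window start forward until all events fit in `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts.append((src, user, sorted(best)))
    return alerts


if __name__ == "__main__":
    for src, user, hosts in detect_fan_out(SAMPLE_LOG):
        print(f"ALERT {user} from {src} reached {len(hosts)} hosts: {hosts}")
```

In a real deployment the source address is the useful pivot: a server that hosts CCTV or a legacy domain controller has no business opening SMB sessions to the file servers, so a per-source allow-list of expected client subnets would make this alert fire on the first or second hop rather than the fourth.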
"That was the second most stressful day of my life. The fear of the unknown, just digesting that this had happened on my watch."
Network Manager, Secondary School
Approximately 30% of data was encrypted before the internet connection was physically isolated. Immutable cloud and tape backups were unaffected by the attack.
The school held no out-of-hours support contract. But a ten-year relationship and direct personal contact meant that Medhurst's response began within half an hour of the first call, before the school had even fully scoped the damage.
The network manager calls the Medhurst account manager's direct mobile. The account manager calls back within approximately 30 minutes, on a Sunday, with no contractual obligation to do so. A three-way call with the Medhurst on-site engineer follows within the hour.
The Medhurst account manager remotely assesses tape backups at the Medhurst data centre while the network manager works on site triage. Backups confirmed clean and recoverable. A critical turning point.
The Medhurst account manager arrives on site with a loan server within the first hours of the following day. The on-site engineer is also present. A structured recovery plan is operational by that afternoon.
The Medhurst engineer remains on site for the full first week. An incident response channel on Teams coordinates parallel workstreams across rebuilding, imaging, and testing.
The cost comparison: An independent incident response firm contacted the school during the recovery. Their quoted cost was approximately five times the total charged by Medhurst, and would have required the network manager to brief the incoming team on the entire network from scratch. Pre-existing knowledge of the school's infrastructure was a material advantage.
"Once I knew the file backups were okay, that's when I felt at peace. Everything else can be redone, but not the data."
Network Manager, Secondary School
Recovery was structured in phases, prioritising communication and core services first, then progressively restoring everything to pre-incident state.
Ransomware identified at 12:30pm. Internet physically disconnected by 1:00pm. Network triage begins. Medhurst engaged within 30 minutes of first contact. Initial recovery plan formulated with the Medhurst team by early afternoon.
The Medhurst team arrive with a loan server. Firewall updated. Remote connectivity established. Core server rebuild underway within the first three hours. Tape backups at the Medhurst data centre confirmed intact and usable.
File servers, domain controllers, and SIMS MIS restored to the loan host from clean backups. End-to-end testing begins. Internet connectivity restored in controlled stages.
SentinelOne EDR enrolled and deployed to all servers before anything is returned to production. A deliberate decision to prioritise security posture over speed. At 5:15pm, the headteacher sends the first staff communication via SIMS InTouch. Three days after the attack, the school has gone from nothing working to full staff contact capability.
The school had remained closed to students from Monday to Thursday while recovery progressed. By the end of Thursday, the headteacher confirms the school is safe to open: minimal services are available, but core safeguarding and communication requirements are met.
After four days closed, the school reopens to students on the Friday for a half day. Friday was already scheduled as a half day, so the reopening aligned with the planned school calendar. Core safeguarding, registration, and communication are operational.
Despite the scale of the attack, the majority of core infrastructure is fully operational before the week is out. MFA via Entra ID is implemented and enforced on the VPN. Key staff are accessing school resources remotely and securely. The pace of recovery, given the extent of the damage, reflects the quality of the preparation: clean off-site backups, a structured recovery plan, and an experienced engineer on site throughout the week.
1,300 students return. Teaching and learning operates as a normal school day. SIMS pushed out to laptops in advance; registers taken; safeguarding systems operational. The Easter break had provided the additional recovery window that made this possible.
The final files are recovered from backup. Every working area, shared drive, and service is fully restored to its pre-incident state. Despite the extent of the original attack, a complete recovery was achieved: every system, every shared drive, every service. The outcome reflects both the quality of the off-site backup infrastructure and the sustained effort of the recovery team throughout.
The incident prompted an immediate and comprehensive hardening of the school's cyber security posture. The network manager's description: "comparing before and after, worlds apart."
MFA via Entra ID is now mandatory for all staff, with no exceptions. VPN access requires authentication through the Microsoft Authenticator app. Staff pushback is no longer a consideration: access requires MFA.
SentinelOne endpoint detection and response software is deployed across all servers. No system was returned to production during recovery until SentinelOne was active. A deliberate and correct decision that added one day to the timeline but removed significant residual risk.
New VLANs and access control lists implemented throughout the network. The production domain is now separated from the cluster domain. Server accessibility is governed by strict ACLs. Lateral movement of the kind used in the attack is now significantly constrained.
Backup infrastructure rebuilt using Veeam 13 with immutable storage. Backups cannot be deleted or encrypted, even with valid domain admin credentials. Off-site tape backups at the Medhurst data centre were the foundation of the entire recovery.
Keeper deployed for credential management across the team. Privileged account passwords are now vaulted, rotated, and not exposed in shared drives or accessible via compromised domain credentials.
Cisco Duo authentication added as a second layer on all production servers. Even with valid credentials, server-level access now requires a second authentication factor, materially limiting the blast radius of any future credential compromise.
"Comparing before and after: worlds apart. If someone managed to get hold of valid credentials today, the scope of what they could do would be severely limited."
Network Manager, Secondary School
Selected further reflections from the school's network manager on the experience and the value of the Medhurst partnership.
"Instead of shutting for a week, we only shut down for four days. That was because I had a direct number for the Medhurst team. Without it, I would have had to wait until Monday. That was the silver lining, and it made all the difference."
Network Manager, Secondary School
"From absolutely nothing working to being able to contact staff. Three days from a scenario where there were just so many unknowns."
Network Manager
"Once I knew the file backups were okay, that's when I felt at peace. Everything else can be redone, but not the file backups. That was the moment."
Network Manager
"A neighbouring school had a cyber attack shortly after us and I passed on Medhurst's contact details immediately. I can't praise the team enough."
Network Manager
"It's not just a single incident. We've worked together for ten years. Having somebody you can call who already knows your network. That counts for everything."
Network Manager
The network manager's direct advice to other schools and IT leaders, drawn from first-hand experience of a ransomware attack and full recovery.
An objective external review will identify vulnerabilities that a lone IT practitioner, managing day-to-day demands, may not have time to address proactively. Schedule it before an incident forces the issue.
Backups held on the same network can be deleted or encrypted by ransomware. Immutable off-site backups, including tape, were the single most important factor in this school's recovery. Without them, the outcome would have been very different.
The entry point was a VPN with no MFA. Staff resistance to authentication requirements is understandable but cannot be allowed to override security policy. MFA on all remote access is non-negotiable.
In the absence of an out-of-hours support contract, a personal relationship and a direct mobile number made the difference between a four-day closure and potentially a week or more. Know who you would call, and know they will answer.
The school had a documented DR plan, stored on the servers that were compromised. Print it. Store it somewhere that survives a network outage. The plan that lives only in someone's head, or only in a file share, is not available when you need it most.
IT security decisions, particularly around MFA, legacy infrastructure, and budget for proactive hardening, should be visible on the school's risk register and discussed at SLT and governor level. A sole IT practitioner raising concerns in line management meetings is not the same as a named risk with an owner and a mitigation plan.
After the incident, the school's network manager set out for the headteacher the measures every school should aim to have in place. Reproduced here in plain terms for school leaders, these are the questions worth asking of whoever looks after your IT.
Every system that allows it, from email to remote access, should ask for a second step to sign in, such as a code on a phone, so a stolen password alone is not enough. Reduce the number of passwords staff juggle by using a single secure sign-in, add an extra check for anyone reaching the most sensitive systems, and give the IT team a proper password manager so passwords are stored safely rather than written down or reused.
Hold more than one copy of your data, in more than one place, and make sure at least one copy cannot be changed or deleted, even by someone who has gained full administrator access. Keep one copy in the cloud and one on tape stored away from the school, and back up email and staff files as well. Keep the backup system itself separated and locked away from the main network, so it survives even if everything else is hit.
Divide the network into separate zones so a problem in one area cannot spread across everything. Control which devices are allowed to talk to which, close any access points open to the outside world that are not needed, and make sure the systems that run all your servers can only be reached by a small number of trusted, named people.
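One practical way to make the zoning advice above testable is to treat the segmentation policy as code and keep the incident's own attack path as a permanent regression case: a CCTV server or legacy domain controller must not be able to open SMB to the file servers, while staff clients and a small set of named management hosts still can. The block below is an added example, not the school's configuration or a Medhurst tool. The zones, addresses, ports and rules are constructed for illustration, and the evaluator is a deliberately tiny first-match, default-deny model rather than any vendor's firewall semantics.

```python
"""Policy-as-code check for network zoning (added example, constructed data).

A flat "before" policy and a segmented "after" policy are evaluated against
the same expectations. The expectations encode the lateral-movement path the
case describes, so the check fails if anyone re-opens it later.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = 0  # port wildcard


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "*"
    dst_zone: str   # zone name or "*"
    port: int       # destination port, or ANY
    action: str     # "allow" or "deny"


# Constructed zones; "mgmt" is the small, named set of admin workstations.
ZONES = {
    "clients": ip_network("10.0.20.0/24"),
    "servers": ip_network("10.0.10.0/24"),
    "cctv":    ip_network("10.0.5.0/24"),
    "legacy":  ip_network("10.0.9.0/24"),
    "mgmt":    ip_network("10.0.1.0/28"),
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# "Before": one flat network, everything may talk to everything.
FLAT_POLICY = [Rule("*", "*", ANY, "allow")]

# "After": first matching rule wins; anything unmatched is denied.
SEGMENTED_POLICY = [
    Rule("clients", "servers", 445, "allow"),   # staff/student file shares
    Rule("clients", "servers", 443, "allow"),   # web front ends (MIS etc.)
    Rule("mgmt", "servers", ANY, "allow"),      # named admins manage servers
    Rule("mgmt", "legacy", ANY, "allow"),       # ...and the legacy estate
    Rule("mgmt", "cctv", ANY, "allow"),
    Rule("cctv", "*", ANY, "deny"),             # CCTV is a client of nothing
]


def is_allowed(policy, src_ip, dst_ip, port):
    """First-match evaluation with an implicit default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone in ("*", src) and rule.dst_zone in ("*", dst)
                and rule.port in (ANY, port)):
            return rule.action == "allow"
    return False


# (src, dst, port, expected) - the first two rows are the incident's path.
EXPECTATIONS = [
    ("10.0.5.20",  "10.0.10.5", 445, False),  # CCTV server -> file server SMB
    ("10.0.9.15",  "10.0.10.5", 445, False),  # legacy DC -> file server SMB
    ("10.0.20.44", "10.0.10.5", 445, True),   # staff laptop -> file server
    ("10.0.1.3",   "10.0.10.5", 3389, True),  # named admin -> server RDP
    ("10.0.20.44", "10.0.10.5", 3389, False), # staff laptop must not RDP
    ("10.0.20.44", "10.0.5.20", 80, False),   # clients cannot reach CCTV
]


def audit(policy, cases=EXPECTATIONS):
    """Return the cases whose outcome differs from what was expected."""
    return [c for c in cases if is_allowed(policy, *c[:3]) != c[3]]


if __name__ == "__main__":
    print("flat policy violations:     ", audit(FLAT_POLICY))
    print("segmented policy violations:", audit(SEGMENTED_POLICY))
```

Keeping the expectation table next to the rule set turns every change review into a question the whole team can answer: does the proposed rule reopen the path that was used against us? Real firewall and switch ACL syntax differs by vendor, but most platforms can export their rule base in a form that a check like this can read.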
Store teacher resources and deliver lessons through cloud tools rather than relying only on machines in the building. If on-site systems go down, staff and students can keep working from anywhere, which limits the disruption to teaching and learning during an incident.
Bring in an external specialist to review your security, or work towards a recognised standard such as Cyber Essentials or Cyber Essentials Plus. Independent assurance gives governors and leaders confidence that protection is genuinely in place, rather than relying on internal opinion alone, and it is a clear, fundable action to take to the board.
Medhurst Communications works with schools, colleges, and Multi-Academy Trusts across the UK to assess cyber risk, harden infrastructure, and ensure that backups and response plans are in place before an incident occurs.