The university took the decision to disable access to the UCL N and S drives and some other systems to reduce the likelihood of further infection.
Yesterday evening, when the attack broke, UCL posted this message: ‘UCL is currently experiencing a widespread ransomware attack via email. Ransomware damages files on your computer and on shared drives where you save files. Please do not open any email attachments until we advise you otherwise. To reduce any damage to UCL systems we have stopped all access to all N: and S: drives. Apologies for the obvious inconvenience this will cause.’
It is yet another instance of ransomware infecting an insufficiently protected IT system. Marco Cova, senior security researcher at Lastline, recognises that in attack like this,“where an organisation with a relatively unsophisticated IT infrastructure, with limited or no backup system, a ransomware attack could be devastating.” However, it appears that UCL has a “good backup option in place so cleaning the malware, and restoring files from backup means that everyone should get back most of their files with little hassle – apart from the obvious disruption this has caused.”
Mark James, Security Specialist for ESET
Unlike the WannaCry attack, this appears to have been delivered through more traditional means of a malicious email attachment.
Gavin Millard, EMEA technical director at Tenable Network Security, said: “While I have sympathy for the predicament UCL finds itself in, ransomware attacks shouldn’t happen as they are completely preventable. In the majority of cases, the malware targets a handful of well-known vulnerabilities so keeping systems patched and up to date goes a long way towards preventing a ransomware attack taking hold.”
The attack circumvented AV filters, forcing the IT team to block access to shared drives. Tony Rowan, security consultant, SentinelOne explains that “Clearly we are seeing again that the old guard of AV isn’t able to deal with evolving threats, even the obvious ransomware.”
Currently, UCL has said that its information security team is still actively working with the affected users to identify the source of the infection and to quarantine their machines and file-stores. It is very much an on going situation, but it certainly won’t be the last unless organisations begin to take this threat more seriously and implement more effective security strategies.
“Offline point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you may find a free online decryption tool, yes, you might get your files back if you pay the ransom and yes, you might be lucky enough to win the lottery tonight; but why take the chance? Backup options are fairly low cost these days,” concludes James.