Ransomware attack against University College London blamed on poisoned website

University IT staff continue to investigate security incident.

David Bisson

A London-based university has temporarily disabled some of its systems in the wake of a “widespread” ransomware attack.

News of the infection emerged at 17:00 local time on 14 June when University College London (UCL), a multidisciplinary public research university, issued a statement on its website:

UCL statement

“UCL is currently experiencing a widespread ransomware attack via email. Ransomware damages files on your computer and on shared drives where you save files. Please do not open any email attachments until we advise you otherwise.”

Less than two hours later, the university expanded on its initial disclosure of the attack. It revealed the ransomware mostly affected its network and shared drives. UCL also disclosed its decision to form a critical incident team that would help it address the infection.

Few details currently exist on how the ransomware infiltrated University College London. The institution initially said that it believed social engineering attacks were likely to blame:

“Currently it appears the initial attack was through a phishing email although this needs to be confirmed. It appears the phishing email was opened by some users around lunchtime today. The malware payload then encrypted files on local drives and network shared drives.”

To protect against this type of attack, the university runs anti-virus scanners over incoming email. These tools did not flag anything suspicious, however, which led UCL to wonder whether the attack had leveraged a zero-day exploit to install ransomware on its drives.

Last night, the university’s IT team issued an updated advisory, saying that it had not seen any more infected PCs and that it now considered the ransomware could have been delivered via a poisoned website rather than a booby-trapped email:

“We have continued to analyse the infection across the UCL filestore, and our investigation of the method of infection is still ongoing. We have not seen any more users affected by the malware. We no longer think the infection came from an infected email but from users accessing a compromised website. Please be vigilant: if you notice an unexpected popup or other unusual behaviour when you access a website, close the browser and report it to Service Desk.”

As a preventative measure, the university made its network and shared drives read-only. This means users can access their files, but they can’t make any changes or save to the drives. Users might also encounter some issues in accessing systems like those that power Desktop@UCL and Desktop Anywhere.

Fortunately, the university takes snapshots of its drives every hour. Once officials are certain the critical incident team has contained the threat, UCL says it will restore its drives using the backups.

It’s important to note that UCL isn’t the only educational institution to fall victim to a ransomware attack.

In 2016, the University of Calgary paid a ransom of $20,000 CDN following a ransomware attack against its computer systems. And let’s not forget that Bournemouth University, another English educational institution, suffered 21 ransomware attacks between 2015 and 2016.

Earlier this year, authorities warned British educational establishments that criminals were cold-calling schools and universities posing as the Department of Education, in a bid to trick staff into opening email attachments containing ransomware. Similar attacks pretended to be from telecoms providers claiming to need to speak to the head teacher about “internet systems”, or from the Department of Work and Pensions.

All universities should conduct security awareness training with their employees to reduce the chances of a successful ransomware attack.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
