One of the world’s top ten universities, awarded the status of “centre of excellence in cyber-security research” by the UK’s GCHQ, has been hit by a so-far unrecognized strain of ransomware. This comes just one month after many UK health trusts were struck by the global WannaCry ransomware.
In a statement originally issued yesterday and updated today, University College London (UCL) described the current and ongoing ransomware. “We are continuing to investigate the infection that is affecting UCL users. Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments. However, this remains unconfirmed at the moment.”
UCL believes it has now contained the outbreak by isolating the infected storage/devices, and does not expect any further infections. Twelve users had their local or shared drives infected and encrypted.
We believe, says UCL, “that the infection started as a result of UCL users visiting a website that had been compromised. Clicking on a popup or even just visiting a compromised site may have then introduced the malware to their device. The website could be one that they use regularly. We are still trying to confirm this and determine the site that may have caused the infection.”
For now, UCL cannot confirm the type of ransomware that was used; but it seems to be Windows only. Its anti-virus defenses were, it says, up-to-date.
For now, UCL’s comments raise as many questions as they answer. While there is no 100% secure defense against phishing (it will always catch someone), was this one person tricked and 12 users affected by the ransomware spreading through local shares, or twelve people tricked?
Or was there no phishing attack? Could this have been a watering hole attack, as hinted at by UCL’s comment that the poisoned website could be one used regularly? Either way, was the user, or users, operating unpatched software? If the delivering exploit were a zero-day exploit, it wouldn’t matter; but there is no immediate news of any widespread use of a zero-day elsewhere — and it is unlikely that a criminal actor would waste a zero-day on a single UK university.
It is possible, then, that this ransomware managed to get into UCL through just one user operating an unpatched browser. But whatever the infection vector, it seems that existing anti-malware failed to detect and stop it. “Clearly, we are seeing again that the old guard of AV isn’t able to deal with evolving threats, even the obvious ransomware,” comments Tony Rowan, security consultant at SentinelOne. “For each case of ransomware, we have to ask ourselves how many silent attacks are going unnoticed?”
Andrew Stuart, MD at Datto, takes a similar view that AV alone is not enough against modern malware. “What this attack highlights,” he claims, “is that anti-virus alone is simply not sufficient enough to prevent ransomware. Along with vulnerability patching, these AV tools might be capable of catching known strains of malware, but newer ones too often pass through defenses undetected.” His own view is that regular back-up snapshots are the best solution. “If companies take regular snapshots of their systems, they are able to quickly spin-up systems to a ‘healthy’ point before the ransomware took hold.”
Jason Allaway, VP at RES, sees the solution — at least partly — in education. “Everyone involved in a university needs to be prepared, as after all, lecturers and other staff members are just as weak a link in the security chain if they don’t know what to look for. Organizations should provide informative materials and classes on the techniques of hackers, such as phishing emails, how to spot these and how to counter-act them.”
Mike Viscuso, CTO at Carbon Black, agrees on all counts. “Organizations can better set themselves up to deal with ransomware attacks by consistently backing up critical files, educating employees on proper cybersecurity hygiene, and patching vulnerabilities in a timely manner. The fact this attack on UCL appears to have circumvented AV filters shows the inadequacy traditional AV protection provides.”
Steven Malone, director of security product management at Mimecast, believes that UCL’s problem is typical of organizations that do not sufficiently consider email as an attack vector. “UCL appears to be running ‘naked’ Office 365 for its email security gateway. This is case in point for why all organizations need to ask if they are happy to trade defense-in-depth strategies for single vendor reliance when moving to the cloud…
“The vast majority of ransomware attacks are spread by email yet many organizations have still not put any additional security controls in place. Real-time checks on links and converting all incoming attachments to safe formats seriously reduces the risk of infection.”
The reality, however, is that we do not yet have enough information to know what went wrong, where or why. It is worth remembering that in a campus of almost 50,000 staff and students, UCL contained this outbreak to just 12 users.