University College London (UCL) is still reeling today after a major ransomware attack on Wednesday evening which circumvented AV filters, forcing the IT team to block access to shared drives.
The first update from UCL’s Information Services Division (ISD) came at 5pm on Wednesday local time, explaining that it had prevented access to the N: and S: drives as a precaution.
A later missive claimed the attack may even have involved a zero-day threat because the ransomware managed to bypass the university’s existing security controls.
It added:
“Currently it appears the initial attack was through a phishing email although this needs to be confirmed. It appears the phishing email was opened by some users around lunchtime today. The malware payload then encrypted files on local drives and network shared drives.”
The ISD reminded users to remain vigilant when dealing with unsolicited emails and not to open anything that looks suspicious.
However, it’s likely that precautionary back-up measures taken by the IT team will mitigate the worst of the attack.
It explained:
“We take snapshot backups of all our shared drives and this should protect most data even if it has been encrypted by the malware. Once we are confident the infections have been contained, then we will restore the most recent back up of the file. Backups are taken every hour.”
As of 8am on Thursday morning, the university’s N and S drives remained read-only, and some system storage was forced offline, meaning the remote access service desktop@ucl may be affected for some users.
An FOI-based study from SentinelOne last year revealed that over half of universities in the UK had suffered a ransomware attack in the previous 12 months.
UCL’s IT team at least appears to have been well prepared. Canada’s University of Calgary was forced to pay CN$20,000 worth of Bitcoin ($15,780; £10,840) to online extortionists after being hit with ransomware.
Jason Allaway, VP of UK & Ireland at security firm RES, argued that user education is key to slowing the spread of ransomware.
“Organizations should provide informative materials and classes on the techniques of hackers, such as phishing emails, how to spot these and how to counteract them. Coupled with this is technology, as there are a number of strategies that should be adopted. These include permission-based access, application whitelisting and blacklisting, not allowing files to execute or download and automating the onboarding and offboarding of students and staff so no security holes remain unplugged,” he added.
“Ultimately, there are two types of organization, those that have been attacked and those that will be – and this is as true for education as it is for every other sector.”