The University College London (UCL) was hit by ransomware last Thursday, June 15. The virus managed to spread to both personal and shared drives in the university’s network.
UCL admins posted a series of updates on the educational institution’s official website to keep people informed. They explained that the infection was most likely caused by a zero-day attack, and stated that their antivirus systems had failed to identify the threat.
“Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident. We cannot currently confirm the ransomware that was deployed,” said the admins in one of the updates.
Despite not being able to identify the infection, UCL stated in a Twitter post that it is not the notorious WannaCry. That particular program has had people on the edge of their seats ever since it launched an unprecedented attack back in May. The worm penetrated Windows systems using an SMB vulnerability which Microsoft had patched back in March; outdated systems and users who had not applied the update fell victim to the attack.
The admins were able to get the situation under control, as they had backups to work with. On Friday morning, UCL posted an update on their progress, stating that some of the drives had been cleaned and that write access would be restored as soon as possible.
The likely culprit – a compromised website
It is yet to be determined how the ransomware reached the network, but the admins believe the source of the zero-day attack to be a compromised website. The infection would have occurred when a computer on the university’s network visited that site.
In the final update from Friday, UCL stated the following: “We are continuing to investigate the infection that is affecting UCL users. Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments. However, this remains unconfirmed at the moment.”
This morning, the university confirmed the restoration of all remaining drives.
The ransomware managed to encrypt files on the infected drives, but it did not succeed in getting the university to pay, as backups were available.
To avoid such occurrences in the future, UCL turned to its students for help with preventing attacks. The university warned students not to open emails of suspicious origin, open attached files, or follow links from dubious messages. Websites whose security status is unconfirmed and domains that cause erratic system behavior are to be avoided. The university also instructed its students to report signs of ransomware and any other infections to the Service Desk as soon as possible.