A ransomware attack that infected and encrypted shared drives of 12 computers at University College London has been contained, the university confirmed.
The ransomware attack took place after a number of UCL users visited a compromised website and clicked on a malicious pop-up.
The ransomware in question encrypted the N and S drives on affected systems, and the university is now working to restore access to these drives as soon as possible. “We are reasonably confident that there should be no further infection as a result of using the above services now that we have isolated the infected storage/devices,” the university said.
“We have continued to analyse the infection across the UCL filestore and the method of infection; this is still ongoing. We have not seen any more users affected by the malware. We no longer think the infection came from an infected email but from users accessing a compromised website,” it added.
Mark James, Security Specialist for ESET, says that even though UCL has been able to contain the ransomware attack thanks to the offline backups it had in place, affected users should never pay the ransom demanded by the criminals behind such attacks, as there is no guarantee that they would release the encrypted files or refrain from demanding more money once an initial amount is paid.
“Offline point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you may find a free online decryption tool, yes, you might get your files back if you pay the ransom and yes, you might be lucky enough to win the lottery tonight; but why take the chance? Backup options are fairly low cost these days,” he said.
Interestingly, a ransomware attack took place at Ulster University around the same time as the one at UCL, leading experts to fear that the ransomware attacks could be much worse than originally believed.
“The University is currently subject to a ransomware attack with a significant number of file shares affected. A Computer Emergency Response Team Incident has been initiated to deal with this issue,” said Ulster University in a statement.
“The initial reports are suggesting that the ransomware was able to get in at UCL through a zero-day exploit, which allowed it to bypass antivirus software. That really underscores the limitations of antivirus; in that it is only able to stop things that it knows are bad. Given that most malware is only seen once in the wild before it evolves into something different, there’s very little that antivirus can offer in the way of protection,” said Fraser Kyne, CTO for EMEA at Bromium.
“Instead, organisations need to stop trying to catch malware and just let it run, but in such a way that means it can’t cause any harm. Micro-virtualisation is a great way of doing that; ensuring that every task the user executes takes place in a miniature, totally isolated environment, which is disposed of when they close it down. That means ransomware can’t escape anywhere to encrypt any files, so it’s totally harmless,” he added.