UCL ransomware attack - the industry responds

One of Britain's leading universities has been affected by a major ransomware attack.

University College London, which is regularly named alongside Oxford and Cambridge as one of the country's leading higher education institutions, confirmed it had been hit, and warned staff and students of "very substantial disruption" that could include loss of personal data.

The attack came as many students were either preparing for, or taking, their final exams, meaning that the opportunity for disruption was huge. So in the wake of another significant ransomware attack in the UK, what does the security industry have to say?

Thomas Fischer, threat researcher and security advocate at Digital Guardian:

"Universities have unfortunately become easy targets for ransomware attacks. One of the reasons for this is their open culture and complex user environment. There are large numbers of unmanaged and unsecured smartphones and devices, in the hands of young people who are generally unaware of what a phishing email or web-based threat looks like. This – combined with a reluctance to invest in cyber security tools and typically overworked and underfunded IT departments – leads to an environment in which ransomware attacks can and have flourished.

For example, last year, Bournemouth University, which is one of few universities with its own cybersecurity centre, admitted that it had been hit by ransomware 21 times in one year. Perhaps ironically, education is absolutely key in this environment. Universities have a responsibility to teach students and staff about the tell-tale signs of a ransomware attack or phishing email."

Barry Shteiman, director of threat research at Exabeam:

"With ransomware 'going corporate' we will almost certainly see more vulnerability-based infections within networks. In essence, every server that has vulnerabilities that may lead to phishing, defacing or persistent code injection could lead to ransomware spreading.

In the immediate aftermath of an attack such as this, the university is likely performing an assessment by asking questions such as: What was encrypted? Are there backups for the encrypted data? How many changes occurred to that data since the last backup? What's the cost of losing those changes? How long would it take to recover them using other means? Is it possible to recover the data using existing tools or known keys?

The next question is usually whether or not to pay the ransom. If the downtime caused by data unavailability or by the backup restoration process is more expensive than paying the ransom, or if giving up on the encrypted data has a higher cost in lost revenue and intellectual property than remediation, then organisations should pay the ransom, but only if other options have been exhausted."

Mark James, security specialist at ESET:

"Ransomware attacks are currently one of the most talked-about types of malware doing the rounds. It not only causes extreme disruption but in some cases it can mean the loss of personal or private files forever.

As in this case, it's usually delivered through either an opportunistic or targeted phishing attack through email: the user is often directed to a web link or encouraged to download a file to be run locally. Once infected, the ransomware will take over, encrypting any files it has access to. These will be local on the computer you're working on, but any shared drives that are continually connected will also be a potential target.

For most, paying the ransom is not an option; remember you're dealing with criminals, and they don't have to be honest. They have already infected you with malware, so why would you trust them to give your files back?

If you do pay, your money could end up funding the next piece of software or end up paying for other illicit services or products. You have also let them know that you WILL pay the ransom, therefore potentially opening the gates for another attack.

Offline point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you may find a free online decryption tool, yes, you might get your files back if you pay the ransom and yes, you might be lucky enough to win the lottery tonight; but why take the chance? Backup options are fairly low cost these days.

It looks as though UCL have a good backup option in place, so cleaning the malware and restoring files from backup means that everyone should get back most of their files with little hassle, apart from the obvious disruption this has caused."
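The quote above describes the mechanism that does the damage: once a machine is infected, everything it can reach is encrypted, including continuously connected shares. The Python below is an added example, not code from the article, from ESET or from UCL, of how a file-server operator can catch that in progress. It takes a baseline of hash and byte entropy for every file on a share, plants a canary file nobody has a reason to open, then sweeps for changed canaries and for files whose entropy has jumped to that of ciphertext. The share layout, file names, canary name and 7.5-bit threshold are assumptions, and the infection is simulated by overwriting files with random bytes.

```python
"""Spot ransomware-style bulk encryption on a file share (added example).

Baseline every file's hash and byte entropy, plant a canary, then sweep for
canary changes and files whose entropy jumped to that of ciphertext. Share
layout, names and the threshold are assumptions for the demo.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5                   # bits/byte; assumed, tune per share
CANARY_NAME = "_canary_do_not_open.docx"  # assumed canary file name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: Path) -> tuple:
    data = path.read_bytes()
    return hashlib.sha256(data).hexdigest(), shannon_entropy(data)


def profile(share: Path) -> dict:
    """Baseline: relative path -> (sha256, entropy) for every regular file."""
    return {p.relative_to(share).as_posix(): fingerprint(p)
            for p in share.rglob("*") if p.is_file()}


def plant_canary(share: Path) -> None:
    """A document nobody has a reason to open; any change to it is an alert."""
    (share / CANARY_NAME).write_bytes(b"Q3 forecast - confidential\n" * 150)


def sweep(share: Path, baseline: dict) -> list:
    """Compare the share with the baseline and return (path, reason) alerts."""
    alerts, seen = [], set()
    for path in share.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(share).as_posix()
        seen.add(rel)
        digest, entropy = fingerprint(path)
        if rel not in baseline:
            # Families that write file.locked and delete the original show up here.
            if entropy > ENTROPY_THRESHOLD:
                alerts.append((rel, "new high-entropy file"))
            continue
        old_digest, old_entropy = baseline[rel]
        if path.name == CANARY_NAME:
            if digest != old_digest:
                alerts.append((rel, "canary modified"))
        elif old_entropy <= ENTROPY_THRESHOLD < entropy:
            alerts.append((rel, "entropy jump"))
    for rel in baseline.keys() - seen:
        alerts.append((rel, "missing (deleted or renamed)"))
    return sorted(alerts)


def simulate_ransomware(share: Path) -> None:
    """Constructed incident: overwrite every file in place with random bytes."""
    for path in share.rglob("*"):
        if path.is_file():
            path.write_bytes(os.urandom(path.stat().st_size))


def demo() -> tuple:
    """Build a constructed share, sweep it clean, infect it, sweep again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "reports").mkdir()
        for name in ("thesis.txt", "notes.md", "reports/q3.csv"):
            (share / name).write_bytes(b"ordinary document text, nothing random\n" * 120)
        plant_canary(share)
        baseline = profile(share)
        clean = sweep(share, baseline)
        simulate_ransomware(share)
        infected = sweep(share, baseline)
    return clean, infected


if __name__ == "__main__":
    before, after = demo()
    print("clean sweep:", before)
    for rel, reason in after:
        print(f"ALERT {reason}: {rel}")
```

Run it on the file server or on a host with the share mounted; the sweep is cheap enough to schedule every few minutes. Compressed or already-encrypted files (archives, images, PDFs with embedded pictures) sit above the threshold permanently, which is why the check alerts on a jump from the baseline rather than on absolute entropy, and why the canary is the more reliable of the two signals.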

Steven Malone, director of security product management at Mimecast:

"UCL appears to be running 'naked' Office 365 for its email security gateway. This is a case in point for why all organisations need to ask if they are happy to trade defence-in-depth strategies for single vendor reliance when moving to the cloud.

On a positive note it's good to see they have regular backups in place to protect student data, but true cyber resilience would minimise disruption during the attack.

The vast majority of ransomware attacks are spread by email yet many organisations have still not put any additional security controls in place. Real-time checks on links and converting all incoming attachments to safe formats seriously reduces the risk of infection.”
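As an added example of the kind of real-time link check the quote refers to (this is not Mimecast's product, nor UCL's mail configuration), the Python below uses only the standard library to parse an inbound message, pull every anchor out of the HTML body and flag links whose host is on a blocklist, is a bare IP address, is punycode, or whose visible anchor text names a different site from the real destination. The message, the hosts and the blocklist are constructed for the demo; converting attachments to safe formats is a separate step and is not shown.

```python
"""Flag suspicious links in an inbound email (added example, standard library only).

The sample message and blocklist are constructed; this is not a gateway's rule set.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed blocklist of known phishing hosts (constructed for the example).
BLOCKED_HOSTS = {"login-ucl-verify.example"}

# Anchor text that itself reads like a URL or domain, e.g. "www.ucl.ac.uk/login".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href: str, text: str) -> list:
    """Reasons a link looks suspicious; an empty list means no finding."""
    reasons = []
    host = host_of(href)
    if host in BLOCKED_HOSTS:
        reasons.append("host on blocklist")
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host")
    if URL_LIKE.fullmatch(text):
        shown = host_of(text if text.lower().startswith("http") else "http://" + text)
        # Allow "example.org" as text for www.example.org, but not a different site.
        if shown and host != shown and not host.endswith("." + shown):
            reasons.append(f"anchor text says {shown!r} but link goes to {host!r}")
    return reasons


def scan_message(raw: str) -> dict:
    """Map each suspicious href in the message's HTML body to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = {}
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed phishing lure for the demo; hosts are documentation/example names.
SAMPLE_MESSAGE = """\
From: IT Support <it-support@example.com>
To: student@example.com
Subject: Action required: your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reset your password now at
<a href="http://login-ucl-verify.example/reset">www.ucl.ac.uk/login</a>
or use <a href="http://203.0.113.10/reset">this link</a>.</p>
<p>Library hours: <a href="https://www.example.org/hours">example.org</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(href, "->", "; ".join(reasons))
```

In a gateway this runs before delivery, and a flagged link is normally rewritten to point at a click-time check rather than simply removed, because the verdict on a host can change between delivery and the moment the student clicks.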

Chris Hodson, EMEA CISO at Zscaler:

“Yet again, ransomware has hit the jackpot, and is showing no sign of slowing down.

"As hackers get more savvy and look to expand their target market, we are increasingly seeing a shift from consumer ransomware to corporate malware targeting entire tech-heavy institutions like universities and colleges, all of which hold personally identifiable information in bulk. The outbreak at UCL highlights the sizeable risk of malware spreading within an education environment.

“One thing is for sure, ransomware is the flavour of the moment right now for cybercriminals and the reasons for this are simple. Ransomware is a highly profitable and repeatable architecture. You could call it malware-as-a-service. 

“The infection methods using this type of malware can include anything from exploit kits to email phishing, similar to the recent proliferation of WannaCry. With these threats being so real, institutions must identify the best steps they can take to mitigate this ever-increasing risk. 

“The first step is to implement a defence-in-depth architecture. Adopting one that can provide dynamic and behavioural analysis of malware would certainly suffice and keep the guard up against ransomware. 

“Alternatively, enterprises can fight back by backing up files, not just as a one-off, but continuously and regularly validating the effectiveness of those backups. Taking away leveraging power, by simply enforcing backups, brings the control back to the organisation and away from the hackers.”

“In the coming months, we will continue to see ransomware become increasingly corporate-focused. Enterprises and institutions won’t get away with paying consumer prices for consumer products. Hackers will narrow their attacks to target enterprise servers with PII and in doing so, will demand much, much more.”

Paul Edon, Director at Tripwire:

"Ransomware is a serious threat to any IT system regardless of geography or market sector. Despite the recent and well publicised incidents, we still seem to have difficulty preventing the infection and spread."

"The most effective defence requires organisations to follow "security best practices", which includes defence-in-depth. Defence-in-depth is not a term that applies only to technology; a defence-in-depth solution should include People, Process and Technology."

"The people need to be educated as to the dangers of phishing emails, clicking on unknown links and plugging USB drives into corporate devices. The technology will include multiple off-line backups, and the process will include a comprehensive policy to ensure the backup and recovery process is practised on a regular basis."
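Several of the quotes above come down to the same operational point: Shteiman's post-incident questions (how many changes since the last backup, can the data be recovered), James's offline point-in-time backups, Hodson's call to validate backups continuously, and Edon's insistence that the recovery process is practised regularly. The Python below is an added example, not code from the article or from any company quoted in it. It takes a point-in-time backup into a separate vault directory with a per-file hash manifest, reports which live files no longer match the backup (the answer to "what changed since the last backup"), and rehearses the restore into scratch space, verifying every file against the manifest. Paths, labels and the sample files are assumptions, and the incident is simulated by overwriting the share with random bytes.

```python
"""Point-in-time backup with a manifest, plus a restore rehearsal (added example).

The vault is a separate directory standing in for offline or write-once storage;
paths, labels and sample files are assumptions for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def take_backup(source: Path, vault: Path, label: str) -> tuple:
    """Write <label>.tar.gz and <label>.manifest.json into the vault."""
    vault.mkdir(parents=True, exist_ok=True)
    archive = vault / f"{label}.tar.gz"
    manifest = vault / f"{label}.manifest.json"
    digests = tree_digests(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in digests:
            tar.add(source / rel, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return archive, manifest


def changed_since(manifest: Path, source: Path) -> list:
    """Files on the live share that no longer match the backup.

    After an incident this is the list of what restoring would lose
    (legitimate edits since the backup) or repair (files the malware touched).
    """
    recorded = json.loads(manifest.read_text())
    live = tree_digests(source)
    return sorted(rel for rel in recorded if live.get(rel) != recorded[rel])


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Rehearse recovery: extract into scratch space, check every file's hash."""
    recorded = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        # Never let an archive member write outside the scratch directory.
        safe = [m for m in tar.getmembers()
                if not Path(m.name).is_absolute() and ".." not in Path(m.name).parts]
        tar.extractall(scratch, members=safe)
        restored = tree_digests(Path(scratch))
    mismatched = sorted(rel for rel in recorded if restored.get(rel) != recorded[rel])
    return {"ok": not mismatched, "checked": len(recorded), "mismatched": mismatched}


def demo() -> dict:
    """Back up a constructed share, 'encrypt' it, then measure loss and rehearse."""
    with tempfile.TemporaryDirectory() as tmp:
        source, vault = Path(tmp) / "share", Path(tmp) / "vault"
        (source / "reports").mkdir(parents=True)
        (source / "thesis.txt").write_bytes(b"chapter one\n" * 50)
        (source / "reports/q3.csv").write_bytes(b"item,cost\n" * 50)
        archive, manifest = take_backup(source, vault, "nightly-001")
        # Constructed incident: every file on the share is overwritten with ciphertext.
        for p in source.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(p.stat().st_size))
        return {"lost_or_repaired": changed_since(manifest, source),
                "rehearsal": verify_restore(archive, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vault here is just another directory; what makes a backup "offline" in practice is that the production host cannot write to it (a backup server that pulls rather than is pushed to, write-once object storage, or detached media), otherwise the same malware that encrypts the share encrypts the backup. The rehearsal reports ok only when every recorded file restores byte-for-byte, and that is the check to run on a schedule, not for the first time during the incident.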