News broke today that University College London (UCL) has suffered a major ransomware attack. The university took the decision to disable access to the UCL N and S drives and some other systems to reduce the likelihood of further infection. IT security experts commented below.
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“That said, we all recognise that patching isn’t always simple. IT and security teams can’t control everything, and the things that they can control can’t always update quickly. While it has become increasingly easy to deploy changes into environments, there are systems that can’t just be updated with a click of a mouse button or a simple script.
“If patching could cause disruption to the organisation, then compensating controls must be put in place and proper, risk-based decisions must be made. Put simply if you can’t patch it, protect it, and if you can’t do either then prepare to pay.
“Continuous visibility into the vulnerability status of every asset in the modern computing environment is critical in understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.”
Marco Cova, Senior Security Researcher at Lastline:
“Advanced malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot before files are frozen and ransoms demanded. For highly prepared organisations, with controls in place to minimize the ability of ransomware to spread from one machine to another and with plans in place to recover files, continuously updated backup, and anti-malware systems in place, ransomware could be just a nuisance.”
Lee Munson, Security Researcher at Comparitech.com:
“While an unfortunate event, the way UCL has conducted itself after the fact should embarrass many an organisation that has suffered an incident and not responded adequately, if at all.
Through its own website, UCL has explained what has happened, why it may have happened and offered up tips to help prevent the ransomware from spreading further. Additionally, UCL has informed its stakeholders of the exact situation and how it is looking to remediate the issue.
Businesses of all sizes should take note and ensure that incident responders and communications personnel are briefed on just how to deal with a ransomware attack, data breach or other incident should the worst happen to their own company.
Meanwhile, all UCL users should remain vigilant and avoid opening emails from unknown senders and refrain from clicking on links in emails, as should everyone else for that matter.”
Mark James, Security Specialist at ESET:
“As in this case, it’s usually delivered through either an opportunistic or targeted phishing attack through email: the user is often directed to a web link or encouraged to download a file to be run locally. Once infected, the ransomware will take over, encrypting any files it has access to. These will be local on the computer you’re working on, but also any shared drives that are continually connected will be a potential target.
For most, paying the ransom is not an option. Remember you’re dealing with criminals; they don’t have to be honest. They have already infected you with malware, so why would you trust them to give your files back?
If you do pay, your money could end up funding the next piece of software or end up paying for other illegal illicit services or products. You have also let them know that you WILL pay the ransom, therefore potentially opening the gates for another attack.
Offline point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you may find a free online decryption tool, yes, you might get your files back if you pay the ransom and yes, you might be lucky enough to win the lottery tonight; but why take the chance? Backup options are fairly low cost these days.
It looks as though UCL have a good backup option in place, so cleaning the malware and restoring files from backup means that everyone should get back most of their files with little hassle, apart from the obvious disruption this has caused.”
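Mark James’s point that ransomware encrypts whatever the logged-in user can write to, including continually connected shared drives, is also what makes it detectable on the share itself: encrypted output is near-random (close to 8 bits of entropy per byte), files acquire a new suffix, and a canary file nobody legitimately touches gets rewritten. The following is an added example, not code from ESET or from the article, that plants a canary, scans a directory tree for those three signals, and exercises the scanner against a toy XOR-with-keystream encryptor run only inside a throwaway temporary directory. The suffix list, canary name and 7.5-bit threshold are assumptions chosen for the example; the sample documents are constructed.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed values for this example: suffixes to treat as suspicious, the canary
# file name and content, and the entropy cut-off. Tune them for your own share.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
CANARY_NAME = "_canary_do_not_touch.txt"
CANARY_CONTENT = b"canary file: if this changes, something is rewriting the share\n"
ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents sit well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(share: Path) -> None:
    """Drop a file the users never touch; any change to it is a strong signal."""
    (share / CANARY_NAME).write_bytes(CANARY_CONTENT)


def scan_share(share: Path) -> dict:
    """Report canary state, files with ransomware-style suffixes, and high-entropy files."""
    canary = share / CANARY_NAME
    findings = {
        "canary_intact": canary.is_file() and canary.read_bytes() == CANARY_CONTENT,
        "renamed": [],
        "high_entropy": [],
    }
    for path in share.rglob("*"):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        rel = path.relative_to(share).as_posix()
        if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings["renamed"].append(rel)
        if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def encrypt_tree(share: Path, key: bytes) -> None:
    """Stand-in for the payload: XOR every file with a SHA-256 counter keystream and
    append .locked. It exists only so the detector has something to detect; run it
    solely on the throwaway directory that demo() creates."""
    for path in [p for p in share.rglob("*") if p.is_file()]:
        data = path.read_bytes()
        stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        path.with_name(path.name + ".locked").write_bytes(bytes(a ^ b for a, b in zip(data, stream)))
        path.unlink()


def demo() -> dict:
    """Build a throwaway share with constructed documents, scan, encrypt, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "finance").mkdir()
        for name, size in (("notes.txt", 3000), ("finance/budget.csv", 4500)):
            (share / name).write_bytes(b"line of ordinary text, 0123456789;\n" * (size // 35))
        plant_canary(share)
        before = scan_share(share)
        encrypt_tree(share, key=b"attacker-key")
        after = scan_share(share)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The entropy test is the one that survives a family changing its suffix, but it needs a size floor: a file of n bytes can never show more than log2(n) bits per byte, so very small encrypted files (the canary above, for instance) are caught by the rename or canary checks rather than by entropy. Compressed archives and media files are legitimately high-entropy, so in production the scanner should compare against a baseline of each file rather than flag on an absolute threshold alone.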
Tony Rowan, Security Consultant at SentinelOne:
Dr Malcolm Murphy, Technology Director, Western Europe at Infoblox:
“This trend is only set to increase. The last Infoblox DNS Threat Index reported that a 3,500 per cent increase in domains that either hosted or communicated with malicious ransomware downloads was recorded in the first quarter of last year, and its commoditisation through cyber-crime toolkits means that even the most novice criminal can deploy it. All organisations must ensure that their security measures are up to scratch: from having all software patched and up to date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”
Chris Hodson, EMEA CISO at Zscaler:
“As hackers get more savvy and look to expand their target market, we are increasingly seeing a shift from consumer ransomware to corporate malware targeting entire tech-heavy institutions like universities and colleges, all of which hold personally identifiable information in bulk. The outbreak at UCL highlights the sizeable risk of malware spreading within an education environment.
“One thing is for sure, ransomware is the flavour of the moment right now for cybercriminals and the reasons for this are simple. Ransomware is a highly profitable and repeatable architecture. You could call it malware-as-a-service.
“The infection methods using this type of malware can include anything from exploit kits to email phishing, similar to the recent proliferation of WannaCry. With these threats being so real, institutions must identify the best steps they can take to mitigate this ever-increasing risk.
“The first step is to implement a defence-in-depth architecture. Adopting one that can provide dynamic and behavioural analysis of malware would certainly suffice and keep the guard up against ransomware.
“Alternatively, enterprises can fight back by backing up files, not just as a one-off, but continuously and regularly validating the effectiveness of those backups. Taking away leveraging power, by simply enforcing backups, brings the control back to the organisation and away from the hackers.
“In the coming months, we will continue to see ransomware become increasingly corporate-focused. Enterprises and institutions won’t get away with paying consumer prices for consumer products. Hackers will narrow their attacks to target enterprise servers with PII and in doing so, will demand much, much more.”
Fraser Kyne, EMEA CTO at Bromium:
“The initial reports are suggesting that the ransomware was able to get in at UCL through a zero-day exploit, which allowed it to bypass antivirus software. That really underscores the limitations of antivirus; in that it is only able to stop things that it knows are bad. Given that most malware is only seen once in the wild before it evolves into something different, there’s very little that antivirus can offer in the way of protection.
“Instead, organisations need to stop trying to catch malware and just let it run, but in such a way that means it can’t cause any harm. Micro-virtualisation is a great way of doing that; ensuring that every task the user executes takes place in a miniature, totally isolated environment, which is disposed of when they close it down. That means ransomware can’t escape anywhere to encrypt any files, so it’s totally harmless.”
Anthony Aragues, Vice President of Security Research at Anomali:
“We’re glad to see that UCL and associated trusts set up immediate defences by suspending NHS email systems in order to prevent this scaling further. But organisations should look to invest in a phishing email indicator management system to help companies detect and identify phishing attempts. This extracts indicators of compromise (IOCs) from known phishing emails to provide an early warning for possible scams. Data can also be shared to both internal and external users for better communication and collaboration. While staff training is essential, organisations can also mitigate risk by finding impersonators of their services through image search to uncover unauthorized use of brand assets, or looking at their web logs for references from unauthorized websites.”
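The indicator extraction Anomali’s Anthony Aragues describes is straightforward to build from confirmed phishing samples: take the sender address and domain, every URL and URL host in the body, and the SHA-256 of each attachment, merge them into an index, and check new mail against it. The following is an added example using only the Python standard library; it is not Anomali’s product or any code from the article. The messages, addresses and attachment bytes are constructed for the example, the domains use the reserved .example TLD, and the choice of which four indicator kinds to track is an assumption.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IOC_KINDS = ("senders", "domains", "urls", "attachment_sha256")  # assumed set of indicator kinds


def build_message(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Assemble a constructed RFC 5322 message (with optional binary attachment) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "someone@university.example"  # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def extract_iocs(raw: bytes) -> dict:
    """Pull sender, sender/URL domains, URLs and attachment hashes out of one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    iocs = {kind: set() for kind in IOC_KINDS}
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if "@" in sender:
        iocs["senders"].add(sender)
        iocs["domains"].add(sender.rpartition("@")[2])
    for part in msg.walk():
        if part.is_attachment():
            iocs["attachment_sha256"].add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;:)")  # trailing punctuation is prose, not part of the link
                iocs["urls"].add(url)
                host = urlparse(url).hostname
                if host:
                    iocs["domains"].add(host.lower())
    return iocs


def build_index(known_phishing: list) -> dict:
    """Merge the indicators of every confirmed phishing message into one lookup table."""
    index = {kind: set() for kind in IOC_KINDS}
    for raw in known_phishing:
        for kind, values in extract_iocs(raw).items():
            index[kind] |= values
    return index


def match_message(raw: bytes, index: dict) -> dict:
    """Check an incoming message against the index and list which indicators it shares."""
    found = extract_iocs(raw)
    hits = {kind: sorted(found[kind] & index[kind]) for kind in IOC_KINDS}
    return {"hits": hits, "suspicious": any(hits.values())}


# Constructed samples of previously reported phishing; nothing here is a real lure.
KNOWN_PHISHING = [
    build_message('"ISD Helpdesk" <helpdesk@helpdesk-portal.example>',
                  "Action required: mailbox quota exceeded",
                  "Your mailbox is full. Sign in at http://helpdesk-portal.example/login to keep access."),
    build_message("billing@invoices-portal.example", "Invoice 4471 overdue",
                  "Please open the attached invoice.",
                  ("Invoice_4471.doc", b"constructed stand-in for a macro-laden document")),
]

if __name__ == "__main__":
    index = build_index(KNOWN_PHISHING)
    incoming = build_message("it-support@helpdesk-portal.example", "Password reset",
                             "Reset your password at http://helpdesk-portal.example/reset now.")
    print(match_message(incoming, index))
```

Two things the example shows that the description does not: a follow-up lure from the same campaign is caught by its domain even when the sender mailbox and URL path change, and a renamed attachment is caught by its hash. The sender-domain indicator is also the one to be careful with, because a phish sent from a compromised account at a legitimate partner would put that partner’s domain in the index; exclude your own and trusted domains from the domain set, or weight those hits lower than URL and attachment hits.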
Liran Eshel, CEO at CTERA: