News broke today that University College London (UCL) has suffered a major ransomware attack. The university took the decision to disable access to the UCL N and S drives and some other systems to reduce the likelihood of further infection. IT security experts commented below.
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“While I have sympathy for the predicament UCL finds itself in, ransomware attacks shouldn’t happen as they are completely preventable. In the majority of cases, the malware targets a handful of well-known vulnerabilities so keeping systems patched and up to date goes a long way towards preventing a ransomware attack taking hold.
“That said, we all recognise that patching isn’t always simple. IT and security teams can’t control everything, and the things that they can control can’t always update quickly. While it has become increasingly easy to deploy changes into environments, there are systems that can’t just be updated with a click of a mouse button or a simple script.
“If patching could cause disruption to the organisation, then compensating controls must be put in place and proper, risk-based decisions must be made. Put simply if you can’t patch it, protect it, and if you can’t do either then prepare to pay.
“Continuous visibility into the vulnerability status of every asset in the modern computing environment is critical in understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.”
Marco Cova, Senior Security Researcher at Lastline:
“For an organisation with a relatively unsophisticated IT infrastructure, with limited or no backup system, a ransomware attack could be devastating. These organisations might be more concerned with targeted attacks that focus on sensitive document exfiltration and access to confidential intellectual property. Ransomware has, and will always have, a ransom note—and therein lies its Achilles’ heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component: it must inform the victim of the attack, and provide instructions for paying the ransom. Security controls benefit from this and other predictable behaviours.
“Advanced malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot before files are frozen and ransoms demanded. For highly prepared organisations, with controls in place to minimize the ability of ransomware to spread from one machine to another and with plans in place to recover files, continuously updated backup, and anti-malware systems in place, ransomware could be just a nuisance.”
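As an added illustration of the “predictable behaviours” described above (the ransom note and the burst of file renames as shared-drive files are encrypted), here is a small Python detector run over constructed file-share audit events. This is example code, not code from Lastline or from the article; the event format, keyword list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events from a network share (not real UCL data):
# (timestamp, host, operation, path). RENAME paths are "old -> new".
SAMPLE_EVENTS = [
    ("2017-06-15T09:00:00", "lab-pc-07", "RENAME", "S:/thesis/ch1.docx -> S:/thesis/ch1.docx.locked"),
    ("2017-06-15T09:00:01", "lab-pc-07", "RENAME", "S:/thesis/ch2.docx -> S:/thesis/ch2.docx.locked"),
    ("2017-06-15T09:00:01", "lab-pc-07", "RENAME", "S:/thesis/data.xlsx -> S:/thesis/data.xlsx.locked"),
    ("2017-06-15T09:00:02", "lab-pc-07", "RENAME", "S:/shared/notes.txt -> S:/shared/notes.txt.locked"),
    ("2017-06-15T09:00:03", "lab-pc-07", "CREATE", "S:/thesis/HOW_TO_DECRYPT_FILES.txt"),
    # Benign activity that must not alert: a normal rename and an ordinary README.
    ("2017-06-15T09:05:00", "admin-pc-01", "RENAME", "S:/reports/draft.docx -> S:/reports/final.docx"),
    ("2017-06-15T09:06:10", "admin-pc-01", "CREATE", "S:/reports/README.txt"),
]

# Assumed keyword list for ransom-note file names; tune to your environment.
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore|ransom|how_to|unlock).*\.(txt|html?)$", re.I)
BURST_THRESHOLD = 3              # extension-changing renames by one host ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window

def parse_rename(path):
    """Split 'old -> new' and return the (old_ext, new_ext) pair, lower-cased."""
    old, new = [p.strip() for p in path.split("->")]
    return old.rsplit(".", 1)[-1].lower(), new.rsplit(".", 1)[-1].lower()

def detect(events):
    """Return a list of (host, reason) alerts for ransom-note drops and rename bursts."""
    alerts = []
    renames = defaultdict(list)  # host -> [(timestamp, new_ext)]
    for ts_str, host, op, path in events:
        ts = datetime.fromisoformat(ts_str)
        if op == "CREATE" and NOTE_PATTERN.search(path.rsplit("/", 1)[-1]):
            alerts.append((host, f"ransom-note-like file created: {path}"))
        elif op == "RENAME":
            old_ext, new_ext = parse_rename(path)
            if old_ext != new_ext:           # only renames that change the extension count
                renames[host].append((ts, new_ext))
    for host, items in renames.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = [ext for t, ext in items[i:] if t - start <= BURST_WINDOW]
            # A burst of renames all to the same new extension is the encryption signature.
            if len(window) >= BURST_THRESHOLD and len(set(window)) == 1:
                alerts.append((host, f"{len(window)} renames to .{window[0]} within {BURST_WINDOW.seconds}s"))
                break
    return alerts

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: {reason}")
```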
Lee Munson, Security Researcher at Comparitech.com:
“The ransomware infection spreading through the UCL network is further indication, if any were needed, that this type of insidious malware is a massive problem and one that’s here to stay.
While an unfortunate event, the way UCL has conducted itself after the fact should embarrass many an organisation that has suffered an incident and not responded adequately, if at all.
Through its own website, UCL has explained what has happened, why it may have happened and offered up tips to help prevent the ransomware from spreading further. Additionally, UCL has informed its stakeholders of the exact situation and how it is looking to remediate the issue.
Businesses of all sizes should take note and ensure that incident responders and communications personnel are briefed on just how to deal with a ransomware attack, data breach or other incident should the worst happen to their own company.
Meanwhile, all UCL users should remain vigilant and avoid opening emails from unknown senders and refrain from clicking on links in emails, as should everyone else for that matter.”
Mark James, Security Specialist at ESET:
“Ransomware is currently one of the most talked-about kinds of malware doing the rounds. It not only causes extreme disruption but in some cases it can mean the loss of personal or private files forever.
As in this case, it’s usually delivered through either an opportunistic or targeted phishing attack through email: the user is often directed to a web link or encouraged to download a file to be run locally. Once infected, the ransomware will take over, encrypting any files it has access to. These will be local on the computer you’re working on, but also any shared drives that are continually connected will be a potential target.
For most, paying the ransom is not an option; remember you’re dealing with criminals; they don’t have to be honest. They have already infected you with malware, so why would you trust them to give your files back?
If you do pay, your money could end up funding the next piece of software or end up paying for other illegal illicit services or products. You have also let them know that you WILL pay the ransom, therefore potentially opening the gates for another attack.
Offline point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you may find a free online decryption tool, yes, you might get your files back if you pay the ransom and yes, you might be lucky enough to win the lottery tonight; but why take the chance? Backup options are fairly low cost these days.
It looks as though UCL have a good backup option in place, so cleaning the malware and restoring files from backup means that everyone should get back most of their files with little hassle, apart from the obvious disruption this has caused.”
Tony Rowan, Security Consultant at SentinelOne:
“This appears to have been ransomware delivered through email attachments and it’s next to impossible to expect users not to open attachments, especially when in some cases the attackers have created very plausible lures. Clearly we are seeing again that the old guard of AV isn’t able to deal with evolving threats, even the obvious ransomware. For each case of ransomware, we have to ask ourselves how many silent attacks are going unnoticed?”
Dr Malcolm Murphy, Technology Director, Western Europe at Infoblox:
“Ransomware is massively increasing in popularity – with criminals seeing a greater return on ransom, over the smash and grab approach to cybercrime.
“This trend is only set to increase. The last Infoblox DNS Threat Index reported that a 3,500 per cent increase in domains that either hosted or communicated with malicious ransomware downloads was recorded in the first quarter of last year, and its commoditisation through cyber-crime toolkits means that even the most novice criminal can deploy it. All organisations must ensure that their security measures are up to scratch: from having all software patched and up to date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”
Chris Hodson, EMEA CISO at Zscaler:
“Yet again, ransomware has hit the jackpot, and is showing no sign of slowing down.
“As hackers get more savvy and look to expand their target market, we are increasingly seeing a shift from consumer ransomware to corporate malware targeting entire tech-heavy institutions like universities and colleges, all of which hold personally identifiable information in bulk. The outbreak at UCL highlights the sizeable risk of malware spreading within an education environment.
“One thing is for sure, ransomware is the flavour of the moment right now for cybercriminals and the reasons for this are simple. Ransomware is a highly profitable and repeatable architecture. You could call it malware-as-a-service.
“The infection methods using this type of malware can include anything from exploit kits to email phishing, similar to the recent proliferation of WannaCry. With these threats being so real, institutions must identify the best steps they can take to mitigate this ever-increasing risk.
“The first step is to implement a defence-in-depth architecture. Adopting one that can provide dynamic and behavioural analysis of malware would certainly suffice and keep the guard up against ransomware.
“Alternatively, enterprises can fight back by backing up files, not just as a one-off, but continuously and regularly validating the effectiveness of those backups. Taking away leveraging power, by simply enforcing backups, brings the control back to the organisation and away from the hackers.
“In the coming months, we will continue to see ransomware become increasingly corporate-focused. Enterprises and institutions won’t get away with paying consumer prices for consumer products. Hackers will narrow their attacks to target enterprise servers with PII and in doing so, will demand much, much more.”
Fraser Kyne, EMEA CTO at Bromium:
“Ever since WannaCry became a household name, the security industry has held its breath in dreaded anticipation of the next major ransomware outbreak, and this certainly seems to have the hallmarks. Whilst much of the attention has been focussed on the impact at University College London, it’s been widely overlooked that Ulster University has also reported an IT lockdown following a ransomware outbreak. You don’t have to be a detective to see the pattern there; somebody is deliberately targeting universities. There may be others out there that we don’t yet know of, but either way, I would strongly advise all universities to be on high alert for the potential threat.
“The initial reports are suggesting that the ransomware was able to get in at UCL through a zero-day exploit, which allowed it to bypass antivirus software. That really underscores the limitations of antivirus; in that it is only able to stop things that it knows are bad. Given that most malware is only seen once in the wild before it evolves into something different, there’s very little that antivirus can offer in the way of protection.
“Instead, organisations need to stop trying to catch malware and just let it run, but in such a way that means it can’t cause any harm. Micro-virtualisation is a great way of doing that; ensuring that every task the user executes takes place in a miniature, totally isolated environment, which is disposed of when they close it down. That means ransomware can’t escape anywhere to encrypt any files, so it’s totally harmless.”
Anthony Aragues, Vice President of Security Research at Anomali:
“In the world of credential theft, phishing continues to be a popular method of attack with thousands of new phishing pages created each day. According to FBI reports, they have increased by more than 270% last year. Keeping an eye on the phishing scams that show up in your environment should be prioritised as a useful detection rule. This should also extend to your wider perimeter and malvertising campaigns. But current day email security solutions struggle to keep up with the influx of spam and phishing emails trying to reach users.
“We’re glad to see that UCL and associated trusts set up immediate defences by suspending NHS email systems in order to prevent this scaling further. But organisations should look to invest in a phishing email indicator management system to help companies detect and identify phishing attempts. This extracts indicators of compromise (IOCs) from known phishing emails to provide an early warning for possible scams. Data can also be shared to both internal and external users for better communication and collaboration. While staff training is essential, organisations can also mitigate risk by finding impersonators of their services through image search to uncover unauthorized use of brand assets, or looking at their web logs for references from unauthorized websites.”
Liran Eshel, CEO at CTERA:
“If we can’t eliminate, we must minimize. Companies must enable the rapid recovery of attacked data and files until they actually figure out how to stop ransomware by building the right safeguards that eliminate enterprise vulnerabilities. Until then, organizations need to be ready to catch and recover from some serious ransomware crypto-lock events. One consideration: strategic file sync and backup procedures that minimize recovery points to as little as five minutes while making a full recovery of encrypted data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.