Just in time for our Thursday ransomware post, news breaks that University College London has been hit by a ransomware attack that brought down the UCL student management system as well as shared network drives. Some of the closely related University College London Hospitals have also shut down their email systems to quarantine themselves from attack. There are no reports of the hospital group being affected by the ransomware other than this preventative downtime.
What do we know?
The particular ransomware strain is unknown, as is the infection method. UCL initially believed that the ransomware attack was launched through a phishing attack on Wednesday afternoon (BST). Phishing is one of the most common methods of ransomware deployment. According to a recent report by PhishMe, the number of phishing emails hit 6.3 million in the first quarter of this year, and 93% of them included ransomware.
Put simply; a phishing attack is an email designed to trick the recipient into taking a particular action. The action may be to enter credentials into a form, visit a compromised website, or open a malicious attachment. Attackers research their targets and craft their email attack based on what they learn. A more sophisticated version of this is a spear phishing attack. Spear phishing is more personal and has a higher success rate. There aren't enough details about the UCL attack to know what kind of phishing may have been used to deploy the ransomware.
The second and most recent unconfirmed hypothesis is that the ransomware was deployed through a compromised website. This type of attack is made possible by vulnerable code in a website and visitors with vulnerable clients. Even high-profile sites like cracked.com and stanford.edu have been used to deploy drive-by downloads, phishing kit attacks, and other exploits. Drive-by downloads deliver and execute malware attacks on client machines, often without user interaction. This is not an uncommon threat: Google currently blacklists approximately 20,000 websites a week for malware and approximately 50,000 a week for phishing.
While UCL staff is still not able to confirm details on the attack, here is what is being reported so far:
- The ransomware attack started early afternoon on Wednesday, June 14.
- The university network drives and shared drives were locked down with read-only access to protect them from encryption.
- The drives already encrypted will be recovered by data backup. There should be minimal data loss.
- UCL believes that this was a zero-day attack because university antivirus did not stop the malware.
- Some NHS hospital trusts have shut down their email systems as a precaution to prevent the spread of malware into their systems.
Additionally, NHS Digital has been fighting off speculation that NHS itself has suffered a cyber attack today. The speculation is likely due to the confusion surrounding the hospital trusts that took systems offline.
What can we learn?
Despite how little is known about the attack, there's still quite a bit to consider.
- The dangers of phishing and spear phishing cannot be overstated. A single user can bring down a university, a hospital, a government, with just one careless click. User fatigue, distraction, or foolish confidence, can only be dealt with by user training and awareness.
- Visiting a website can be very dangerous. A compromised website can deliver a set of exploits, or direct a visitor to a separate site that hosts a larger set of attacks. The more sophisticated sites can evaluate a client computer for any number of vulnerabilities, among thousands of possible combinations. Operating systems, applications, missing or incomplete antivirus … all of these things are checked by these exploit kits.
- Consider the comment that the university antivirus did not stop the threat, which led to the speculation that it was a zero-day threat. The university system probably has other security in place, but for our purposes let's assume that antivirus was the only defense. Antivirus protection is necessary but not sufficient protection against modern threats. The best security will include Advanced Threat Protection (ATP) that will detect and detonate threats in the cloud before they reach the target's infrastructure. Machine learning and other advanced techniques allow ATP to adapt quickly and identify zero-day attacks as they are getting started. This type of protection could have stopped that phishing email or the drive-by download before it arrived in the university system.
- The university changed their drives to ‘read only' access to prevent encryption. Some ransomware strains have delayed deployment techniques, and other non-ransomware malware may have been deployed in this attack without the staff noticing. The example of locking down drives shouldn't be taken as anything more than a stop-gap while cleaning and data recovery take place.
- Affiliated organizations shut down email servers to stop the ransomware from getting into their networks. This was probably in response to cooperation and shared information between the organizations. It's important to remember that supply chains can also be attacked, and those victims might not communicate the attack as well as a peer or partner organization does.
- A common attack technique is to distract the victim with one attack while conducting a different stealth attack. This is usually done with a DDoS attack as the distraction and a stealth data exfiltration as the real attack. With a phishing – ransomware attack keeping everyone busy, it may have been a good time for an attacker to try to get into the network to pull out copies of university research.
To be clear, there is no indication that UCL suffered any other attacks, or that the UCL IT staff do not have advanced protection in place. It's obvious from reading the reports on this attack that the staff was intentionally disclosing as little as possible. However, in this climate of non-stop cybercrime, it just makes sense to review these attacks and look for things that we might not have known.
For information on how Barracuda can help you deploy multiple layers of security and data protection, visit our corporate site here. For specific information on how we protect you from ransomware attacks, visit our corporate ransomware site here and our ransomware blog here.