Antivirus systems failed to detect the infection, they say

Jun 16, 2017 09:54 GMT

The University College London (UCL) has been hit by a major ransomware attack on June 15, with the infection reaching personal and shared drives in the network.

UCL admins explained in updates posted on the official website that the infection was most likely possible because of a zero-day, pointing out that antivirus systems failed to detect any threat.

“Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident. We cannot currently confirm the ransomware that was deployed,” one of the updates reads.

On the other hand, in a message posted on Twitter, UCL says that the infection is not WannaCry, the ransomware that hit Windows systems last month by exploiting an SMB vulnerability that Microsoft had patched in March. Systems that had not installed that patch were all vulnerable.

UCL said backups were being restored, and this morning a new statement confirmed that some of the drives hit by the ransomware had been cleaned, with write access to be restored as soon as possible.

Zero-day attack via compromised website

As for how the ransomware reached the network, nothing is confirmed so far, but UCL says that the zero-day attack occurred through a compromised website that was accessed from one of the computers in the university’s network.

“We are continuing to investigate the infection that is affecting UCL users. Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments. However, this remains unconfirmed at the moment,” UCL pointed out.

As with any ransomware infection, files on the affected drives were encrypted, but the university hasn’t made any payment for the decryption key as backups were available.

UCL warns students not to open emails coming from untrusted sources and including attachments or links that look suspicious and to avoid visiting websites that appear to be causing systems to behave unusually. Of course, any signs of ransomware or infected data should be reported to the Service Desk as soon as possible.