University College London, one of the U.K.’s prestigious public research universities, has closed off access to personal and shared drives after a ransomware attack was detected late Wednesday afternoon.
University officials said this morning that this was a web-based infection, reversing claims made in the early hours of the attack that the ransomware was executed via a phishing email attachment.
“Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments,” university officials said. “However this remains unconfirmed at the moment.”
The school said that a dozen local and shared drives were infected by a yet-unknown ransomware, and yesterday officials were calling it a “zero-day attack.”
“Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,” officials said. “We cannot currently confirm the ransomware that was deployed.”
Write-access to the affected drives is being denied at the moment, and users are being told to store files locally, or on Office365 OneDrive or Sharepoint. Users are able to access files, but cannot make changes, nor save any new data to the drives.
“We are reasonably confident that there should be no further infection as a result of using the above services now that we have isolated the infected storage/devices,” officials said.
UCL added that it should be able to recover from backup, likely sparing itself from having to pay the attacker’s ransom demands in order to recover their data.
“We take snapshot backups of all our shared drives and this should protect most data even if it has been encrypted by the malware,” UCL said. “Once we are confident the infections have been contained, then we will restore the most recent back up of the file. Backups are taken every hour.”
The university said today that the compromised website at the core of the infection is still unknown and suggests that it could be one that students, faculty and staff regularly use.
“Clicking on a popup or even just visiting a compromised site may have then introduced the malware to their device,” the school said. “The website could be one that they use regularly. We are still trying to confirm this and determine the site that may have caused the infection.”
The Guardian, meanwhile, is reporting that a number of hospital trusts associated with the university have suspended email services. U.K. NHS health care facilities were among the hardest hit on May 12 by the worldwide WannaCry ransomware outbreak, with many facilities having data encrypted and being forced to move non-critical patients to other facilities.
The Guardian said that Barts Health NHS Trust, the U.K.’s largest, shut down its mail servers given its partnership with University College London, as did East and North Herts NHS Trust. A spokesperson told the newspaper that Barts Health had temporarily shut down email as a precaution against ransomware spreading through its network.
Officials, however, have given no indication that yesterday’s attack is related to WannaCry.
The attack comes a little more than a month after WannaCry hit more than 200,000 computers in 150 countries. It also arrived 24 hours after Microsoft made the unusual decision to provide users of its legacy Windows XP, Vista and Server 2003 products security updates as a precaution against the possibility of what it called “destructive cyber attacks.”
The patches, meanwhile, fixed three remaining vulnerabilities in older versions of Windows that were left over from the April ShadowBrokers’ leak of Windows hacks, including EternalBlue which was used to spread WannaCry.