See Our Threat Analysis of University College London Ransomware Attack
- Ransomware has hit the news again in the UK today, only a few short weeks after the WannaCry outbreak crippled the National Health Service.
- This time University College London (UCL) was hit by a ransomware strain, which resulted in them having to take down parts of their network to stop infected machines from harming key university data.
- Credit to UCL for what looks to be a fast and public response for what must have been a tough couple of days for their IT team.
The information University College London (UCL) has made available suggests that, while their AV was patched and up to date, the new strain of ransomware breezed straight past it. The only reason the infection has not spread fully through the UCL network is the valiant effort of their IT team in taking unaffected areas of the network offline to contain it. All very “Hollywood”, but I am sure their IT team would have preferred a less exciting way to deal with the problem.
When the dust settled, phishing may have been the culprit.
The UCL blog states that the infection was initially believed to have been triggered by a user clicking on a phishing email [Subject title: Copy of K9b Form assessed by : James Eley-Gaunt], although by the end of yesterday it was looking more likely that the infection had happened simply through an unlucky user navigating their browser to an infected website.
Full details are still not clear, but hopefully once UCL have had time to repair their network they will be able to share the exact strain of malware that hit them. At present the comments section of The Register (we appreciate this is likely only slightly more accurate than Wikipedia) indicates that this JavaScript file is the cause of the infection; at the time of writing it was detected by only 13 of the 54 engines reporting to VirusTotal. Big traditional AV engines such as McAfee are also still not reporting it as malware.
Our threat report shows what the malware is doing while running.
This morning we downloaded and ran the malware sample on a laptop running our isolation technology. While the malware was safely isolated from the rest of the computer, we used our LAVA engine to produce an automated report of what the malware does while it is running. If you are looking for detail on what the malware is doing, read the Bromium Threat Report.
This event is a stark reminder that another catastrophic malware event is inevitable.
Given that another publicly visible attack has happened so soon, it would be smart to assume that the next one will happen within months rather than years. It also demonstrates that the traditional approach of simply trying to detect bad things on the network is deeply flawed. Ransomware, by its very nature, publicly announces its arrival, and yet despite UCL following best practice and keeping their traditional AV up to date, it completely failed to offer any protection at all. If AV can’t spot files being encrypted and a UI announcing that the malware is there, what hope does it have of preventing something that is trying not to be noticed?
Our isolation technology eradicates the risk of this sort of attack.
Being able to actively seek out the piece of malware responsible for bringing down an organisation such as UCL, and simply run it without fear, demonstrates the power of isolation in preventing malware infection. The principle of isolation is why Bromium can run the Bring Your Own Malware challenge, why I am comfortable running malware on my corporate laptop, and why our customers see such value in our product.
Ready for a demo? Contact us for a meeting, and plan on stopping by our booth this summer at Black Hat and VMworld.