Last week saw University College London, one of the world’s leading universities, hit by a major cyber-attack.
The attack has also led to a number of hospital trusts suspending their email servers as a precautionary measure, in an attempt to prevent the repetition of last month’s damaging WannaCry epidemic.
Here, some cyber security experts share their views:
Marco Cova, senior security researcher at Lastline, said: “For an organisation with a relatively unsophisticated IT infrastructure, with limited or no backup system, a ransomware attack could be devastating. These organisations might be more concerned with targeted attacks that focus on sensitive document exfiltration and access to confidential intellectual property. Ransomware has, and will always have, a ransom note—and therein lies its Achilles’ heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component; it must inform the victim of the attack, and provide instructions for paying the ransom. Security controls benefit from this and other predictable behaviours.
“Advanced malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot before files are frozen and ransoms demanded. For highly prepared organisations, with controls in place to minimize the ability of ransomware to spread from one machine to another and with plans in place to recover files, continuously updated backup, and anti-malware systems in place, ransomware could be just a nuisance.”
Andrew Bushby, UK director at Fidelis Cybersecurity, added: “Since the WannaCry ransomware so publicly hit NHS computers – as well as the newspaper headlines – University College London will be extremely concerned that it’s been hit by a ransomware attack potentially of the same ilk. Ransomware is often delivered by exploit kit or by email. The College has said that, in this instance, the likely cause was a phishing email; however, it hasn’t been confirmed whether it was a staff member or a student that fell victim to the malicious strike.
“Phishing scams are a numbers game for attackers; they often send out high volumes of messages but know that only a small percentage of attempts are required to penetrate a network. Academic institutions in particular are faced with unique challenges in cybersecurity, including the large number of ‘non-corporate’ machines that use their services on a daily basis and the natural focus on sharing and openness, both of which expand the threat landscape without corporate control.
“Technology can’t always guarantee that all malicious emails are blocked, and many do breach perimeter defences. With such valuable data and intellectual property at risk, the focus should therefore be on security teams building a strong defence in depth and providing as clean an infrastructure for their students as staff, as well as educating staff and students to be more vigilant when it comes to security, and utilising technology which can detect malicious behaviour, rather than only prevent it. It’s also important to ensure machines are fully patched to avoid scammers using known malware to compromise a network. If there is one thing the breach of such a prestigious academic institution such as UCL shows, it’s that everyone is at risk.”
Hatem Naguib, SVP and GM Security at Barracuda, concluded: “The aspect that’s interesting with the University College London ransomware attack is its irregularity. While phishing is the most common way to launch a ransomware attack, with our recent research highlighting that 76% of ransomware attacks start with a phishing email, an education institution isn’t even in the top 5 industries in terms of targets.
“Perhaps this attack was actually aimed at University College London Hospitals, an NHS trust closely associated with the university, and the university itself wasn’t the true target. That would fit more closely with how cybercriminals typically operate, as healthcare is the third biggest target after financial and government organisations.
“If this is what the cybercriminals were trying to do, then they could also be targeting other organisations who are either linked to NHS trusts or within their supply chains, in an attempt to get through to NHS systems through a ‘side door’. We’d advise all organisations with close links to the NHS to ensure their current ransomware protection is fit-for-purpose and to be extra vigilant.”