A leading university in London is fighting to regain control of its computer networks after a strain of ransomware infected its systems this week (14 June). The campus's IT team has said the malware gained a foothold via phishing emails but stressed that up-to-date backups exist.
Experts from University College London (UCL) said initial analysis suggested the malware was part of a "zero-day attack", in which malicious software exploits a previously unknown vulnerability, because the standard "virus checkers" did not flag any suspicious activity during the infection.
Ransomware locks down sensitive computer files and documents before demanding money, usually in the form of cryptocurrency, for their return. One variant, called "WannaCry", recently caused chaos after infecting more than 200,000 machines in 150 countries.
UCL said the ransomware infected a number of users' personal and shared drives, also known as N (Network) and S (Shared) drives. After the IT team became aware of the infection, these were disabled for a short period before being changed to "read-only".
This meant students could access their files but not make changes or save data, and officials said some systems would be running significantly slower than usual. On 15 June, UCL said in an update it had no reports of the unidentified ransomware infecting Mac or Linux machines.
It is believed the university keeps hourly backups of its data, meaning restoration from the ransomware should be possible.
A UCL statement read: "We apologise for the obvious impact this will have across the university but it is important that we act quickly to reduce the further spread of this malware.
"We believe that we have currently contained the risk of further infection but this is still under active investigation. UCL's Information Security team is actively working with the affected users to identify the source of the infection and to quarantine their machines and file-stores.
"We must continue to be vigilant. If any email is unexpected or in any way suspicious then you must not open any attachment or follow any link in the email. Doing so may lead to loss of your data and very substantial disruption to the university."
Thomas Fischer, threat researcher at Digital Guardian, a cybersecurity firm, believes universities have become "easy targets" of ransomware attacks.
He said: "One of the reasons for this is their open culture and complex user environment. There are large numbers of unmanaged and unsecured smart phones and devices, in the hands of young people who are generally unaware of what a phishing email or web-based threat looks like.
"This – combined with a reluctance to invest in cybersecurity and overworked and underfunded IT departments – leads to an environment in which ransomware attacks can and have flourished."
The UCL IT Twitter feed is posting real-time updates for students and staff.
[Update]: UCL issued another statement at 3pm (BST):
"We are continuing to investigate the infection that is affecting UCL users. Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments.
"However, this remains unconfirmed at the moment.
"Our current hypothesis is that the infection started as a result of UCL users visiting a website that had been compromised. Clicking on a popup or even just visiting a compromised site may have then introduced the malware to their device.
"We are still trying to confirm this and determine the site that may have caused the infection. Currently 12 users' local or shared drives have been infected and encrypted."
The team said it is "reasonably confident" the infection has now been contained but declined to name the strain of ransomware that was involved. "Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident," it said.