UCL Information Services Division

UCL-wide Ransomware attack 20 June 2017

14 June 2017

Update: 20 June

Following the restoration of personal storage (N: drive) and the remaining shared storage (S: drives) yesterday, all services are now back to normal operation.

Update: 09:30 19 June

Following the restoration of personal storage and most S drives on Friday, we are now in a position to restore write access to the remaining S: drives at 09:00 this morning.  After this time, all S: drives will be fully operational.

Bringing back the S drives into read-write mode will not involve any outage.  You should regain write access once your S drives are switched to read-write mode but you may need to reboot your machine.

We continue to request that all UCL staff remain vigilant to the possibility of another infection especially when:

  • Visiting websites that cause your machine to behave unusually, for instance by popping up dialogs asking a question.
  • Receiving unexpected or unusual email.  Do not open attachments in such emails or click on links in such emails.

We apologise for the inconvenience this ransomware attack has caused and we will review this incident to ensure any learning points are used to enhance our protection in future.

Please contact the Service Desk immediately to report any unusual behaviour of your computer or any sign that your computer or personal file store has been compromised.

Update: 14:30 16 June

Following the restoration of personal storage this morning we are now in a position to start restoring write access to the S: drives.

We will carry this out in two phases. The first phase of share folders will come back online this afternoon at 2.30pm and the remainder will be restored on Monday morning once full recovery of the corrupted files in these shares has been completed.  The first phase contains about two-thirds of the shared drives.

Bringing back the S drives into read-write mode will not involve any outage.  You should regain write access once your S drives are switched to read-write mode but you may need to reboot your machine.

We continue to request that all UCL staff remain vigilant to the possibility of another infection especially when:
  • Visiting websites that cause your machine to behave unusually, for instance by popping up dialogs asking a question.
  • Receiving unexpected or unusual email.  Do not open attachments in such emails or click on links in such emails.

Please contact the Service Desk immediately to report any unusual behaviour of your computer or any sign that your computer or personal file store has been compromised.

Update: 09:30 16 June

Firstly, we would like to apologise again for the obvious disruption to the working of the university that this ransomware infection has had. ISD has been working very hard to minimise the impact of this infection and to restore services as soon as it is safe to do so.

We now believe that we are in a position to reinstate write access to the N drive and give access to user profiles.  There will be a small outage of the N and S drives at 10:00 this morning for approximately 15 minutes to switch the N drives into read/write mode.  Write access to the S drive will remain disabled today. We will reassess S drive access once we are confident that opening up the N drive again has not resulted in further infection or spread of the malware.

ISD has a full backup for all UCL users and backup snapshots are currently running every hour and we will be working today to recover files that have been compromised by the ransomware.

We continue to request that all UCL staff and students remain vigilant to the possibility of another infection especially when:
  • Visiting websites that cause your machine to behave unusually, for instance by popping up dialogs asking a question.
  • Receiving unexpected or unusual email.  Do not open attachments in such emails or click on links in such emails.

Please contact the Service Desk immediately to report any unusual behaviour of your computer or any sign that your computer or personal file store has been compromised. 

We will update ISD Service News throughout today (Friday 16 June) as we continue our investigations and restore services. We will use ISD Service News and our Twitter feed for any further updates on this incident.

Update: 18:30 15 June

A final update on this issue for this evening. We have continued to analyse the infection across the UCL filestore and the method of infection; this analysis is still ongoing. We have not seen any more users affected by the malware. We no longer think the infection came from an infected email but from users accessing a compromised website. Please be vigilant: if you notice an unexpected popup or other unusual behaviour when you access a website, close the browser and report it to the Service Desk.

We hope to be able to make some changes tomorrow but we will inform all users tomorrow morning before making any changes.


Update: 15:00 15 June

Ransomware infection update


We wanted to provide a further update on the ransomware infection we are currently experiencing at UCL.

We are continuing to investigate the infection that is affecting UCL users. Our current hypothesis is that the malware infection occurred through users visiting a website that had been compromised rather than being spread via email attachments. However this remains unconfirmed at the moment.

We apologise for the ongoing problems this is causing users across UCL and we are working at the highest priority to restore normal services as soon as possible.

Please continue to report any unusual computer activity or problems accessing your files to the Service Desk.

We have created the following FAQ to try and address the various queries we have received so far. We will update this periodically while this incident is ongoing:

Frequently asked questions

1.    Where can I store my work while the N: and S: drive are unavailable?

Normally we would request that you use the N and S drives as they are fully backed up. However there are a number of options available:

  • Storing files locally: for Desktop@UCL users or Desktop Anywhere you can save on a local drive at the following location: C:\Users\<username>\ and create a folder named “NoBackUp” or something else that is meaningful to you
  • If you use Office 365 or Outlook Web Access you can store files on your Onedrive space
  • Some users have access to a Sharepoint allocation where you could also store files
  • External drives/USB sticks can also be used, but be aware of the information security risks and of potential loss of data: a removable drive attached to an infected machine can be encrypted along with its local drive, and unlike the N and S drives it is not backed up.


We are reasonably confident that there should be no further infection as a result of using the above services now that we have isolated the infected storage/devices.

2.    What should I do if I suspect my machine/storage has been compromised?

Stop using it immediately and report to the Service Desk

3.    How were machines infected?

Our current hypothesis is that the infection started as a result of UCL users visiting a website that had been compromised. Clicking on a popup or even just visiting a compromised site may have then introduced the malware to their device. The website could be one that they use regularly. We are still trying to confirm this and to determine the site that may have caused the infection. Currently 12 users' local or shared drives have been infected and encrypted.
If you receive emails with attachments you can open the attachment, but please take the usual care to ensure you are confident of the validity of the email sender and the message.

4.    When will we be able to use the N and S drive again?

We are working to restore write access to these filestores as soon as possible. However we will only do this once we are confident that there will be no further spread of the malware as a result of re-enabling read and write of files.

5.    What is the name of the ransomware and why wasn't it detected by our antivirus programs?

Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident. We cannot currently confirm the ransomware that was deployed.

6.    Are Mac and Linux machines affected?
Not as far as we are aware. But users of these devices need to follow the same discipline as other users in being vigilant about opening attachments from unrecognised email addresses or clicking on website links in popups.

Update: 09:30 15 June

Ransomware infection at UCL update 09:30 15 June

Yesterday we suffered a ransomware infection that has infected a number of users' personal and shared drives. We took the decision to disable access to the UCL N and S drives and some other systems to reduce the likelihood of further infection.

We apologise for the obvious impact this will have across the university but it is important that we act quickly to reduce the further spread of this malware.

We believe that we have currently contained the risk of further infection but this is still under active investigation.

The current status of our systems is as follows:

  • Personal N drives and shared S drives are read only – users will be able to access their files but not make any changes or save to these drives.
  • Desktop@UCL and Desktop Anywhere are working however they will be slower and the systems will not have access to past personalisations and preferences.  You may receive an error message saying you are using the default profile when you log in.
  • Access to some systems that rely on N or S drive write access will also be unavailable such as SITS.
  • We have no reports of the malware impacting Mac or Linux machines


UCL’s information Security team is actively working with the affected users to identify the source of the infection and to quarantine their machines and file-stores.

We must continue to be vigilant.  If any email is unexpected or in any way suspicious then you must not open any attachment or follow any link in the email.  Doing so may lead to loss of your data and very substantial disruption to the university.

The critical incident team will meet again at 12:00 today to review the situation and decide when we can bring the impacted systems back online. However, we will not do this until we have confidence that we have isolated the threat and stopped its further spread.  We will provide an update after the 12:00 meeting.

Please report any unusual emails received or any irregular behaviour of your computer to the Service Desk.

We will continue to update users via ISD Service news and our Twitter account.

Update: 08:00 15 June

UCL continues to be subject to a cyber-attack although we have taken action to stop the spread of the malware.  This includes making all N and S drives read-only.  This means you can read your files but will not be able to update them for the time-being.  Also, some system storage for desktop@ucl has had to be taken offline and this may mean you cannot log into desktop@ucl.  ISD apologises for the inconvenience and are seeking to eliminate the malware and restore service as quickly as possible.

We must continue to be vigilant.  If you receive email that is unexpected or in any way suspicious then you must not open any attachment or follow any link in the email.  Doing so may lead to loss of your data and very substantial disruption to the university.

Update: 18:50 14 June

UCL is currently subject to a major ransomware attack with user N drives and S drives affected. A critical incident has been called to deal with this issue.

Currently it appears the initial attack was through a phishing email although this needs to be confirmed.  It appears the phishing email was opened by some users around lunchtime today.  The malware payload then encrypted files on local drives and network shared drives.  The virus checkers did not show any suspicious activity and so this could be a zero-day attack.

It is vital we all maintain a high level of vigilance when opening unexpected emails.  If the email is unexpected or in any way suspicious then you must not open any attachment or follow any link in the email.  Doing so may lead to loss of your data and very substantial disruption to the university.

To protect our data, we have decided to temporarily block access to UCL N: drives and S: drives to reduce any further spread.  We expect to bring back S and N drives in read-only mode later this evening.  However, these drives will remain in read-only mode until we are confident the infection has been contained.

We take snapshot backups of all our shared drives and this should protect most data even if it has been encrypted by the malware.  Once we are confident the infections have been contained, then we will restore the most recent back up of the file.  Backups are taken every hour.
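The recovery step described here and in the 16 June update (identify the files the malware rewrote, then restore each one from the last hourly snapshot taken before it was touched) is shown below as an added example; it is not UCL's tooling and the page does not name the storage system or its snapshot layout. The incident start time of 12:00 on 14 June, the snapshot timestamps and the sample share are constructed for the demo, and the entropy threshold and magic-byte list are illustrative heuristics, not a detection signature for this malware.

```python
"""Added triage helper: spot files on a share that look ransomware-encrypted and
choose the hourly snapshot each should be restored from.  Not UCL's own code."""
import math
import os
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: exposure "around lunchtime" on 14 June, taken as 12:00 here.
INCIDENT_START = datetime(2017, 6, 14, 12, 0)
# Hourly snapshots are stated on the page; these timestamps are constructed for the demo.
SNAPSHOT_TIMES = [datetime(2017, 6, 14, h, 0) for h in range(8, 18)]

# Headers whose presence means the content is still in its original format.
# Office OOXML and ZIP are high-entropy but keep the PK header; ransomware output does not.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or random data, 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, mtime: datetime, sample: int = 4096) -> bool:
    """Heuristic: rewritten after the incident began, high-entropy head, and no
    recognised magic bytes.  Deliberately conservative: tiny files are skipped."""
    if mtime < INCIDENT_START:
        return False
    with open(path, "rb") as f:
        head = f.read(sample)
    if len(head) < 64 or any(head.startswith(m) for m in KNOWN_MAGIC):
        return False
    return shannon_entropy(head) > 7.2


def last_good_snapshot(mtime: datetime, snapshots: List[datetime]) -> Optional[datetime]:
    """Newest snapshot taken strictly before the file was rewritten: the last
    copy guaranteed to predate the encryption."""
    earlier = [t for t in snapshots if t < mtime]
    return max(earlier) if earlier else None


def triage(root: Path, snapshots: List[datetime]) -> List[Dict]:
    """Walk the share read-only and build the restore list."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime)
        if looks_encrypted(p, mtime):
            findings.append({"path": p.relative_to(root).as_posix(),
                             "mtime": mtime,
                             "restore_from": last_good_snapshot(mtime, snapshots)})
    return findings


def _write(path: Path, data: bytes, mtime: datetime) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))


def build_demo_share(root: Path) -> None:
    """Constructed sample share (not real UCL data)."""
    # Untouched document, last saved the day before the incident.
    _write(root / "minutes.txt", b"Minutes of the June meeting. " * 50,
           datetime(2017, 6, 13, 17, 30))
    # Office file saved after the incident: high entropy but keeps its PK header.
    _write(root / "reports" / "q2.xlsx", b"PK\x03\x04" + os.urandom(4096),
           datetime(2017, 6, 14, 14, 10))
    # Ransomware output: header gone, random-looking bytes, rewritten at 13:05.
    _write(root / "reports" / "q1.docx.locked", os.urandom(4096),
           datetime(2017, 6, 14, 13, 5))


def demo() -> List[Dict]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_share(root)
        return triage(root, SNAPSHOT_TIMES)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "modified", f["mtime"], "-> restore from", f["restore_from"])
```

Two caveats a practitioner would apply before acting on the list: legitimately compressed or already-encrypted files (archives without a ZIP header, password-protected PDFs) will show up as false positives, so confirm each candidate by comparing it with the snapshot copy rather than trusting the heuristic alone; and because some ransomware preserves or rewrites timestamps, the snapshot chosen from mtime should be cross-checked against when the affected user's machine was first seen infected.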

We apologise for the obvious disruption this will cause however it is important that we reduce the impact of any potential damage as much as possible.

Please report any unusual emails received or any irregular behaviour of your computer to the Service Desk immediately.

We will provide an update tomorrow and keep users updated on Service News and Twitter.

Update: 17:00 14 June

UCL is currently experiencing a widespread ransomware attack via email. Ransomware damages files on your computer and on shared drives where you save files. Please do not open any email attachments until we advise you otherwise.
To reduce any damage to UCL systems we have stopped all access to all N: and S: drives. Apologies for the obvious inconvenience this will cause.

More information on ransomware in our blog: http://blogs.ucl.ac.uk/infosec/2017/02/10/ransomware/

Please report any unusual emails or unexpected behaviour of your computer to the Service Desk.
We will provide updates on this issue via ISD Service News.