This article is more than 1 year old

Don't touch that mail! London uni fears '0-day' used to cram network with ransomware

Antivirus didn't pick up software nasty, says UCL

Updated University College London is tonight tackling a serious ransomware outbreak that has scrambled academics' files.

It is feared the software nasty may be exploiting a zero-day vulnerability, or is a previously unseen strain of malware as antivirus defenses did not spot it in time, we're told. Eggheads at the UK uni are urged to not open any more email attachments, which may be booby-trapped with the ransomware.

The UCL Information Services Division (ISD) said it had locked down access to the shared and networked drives that have been under siege from the malware since it began infecting users around mid-day Wednesday via an email message.

"Currently it appears the initial attack was through a phishing email, although this needs to be confirmed," the ISD said.

"It appears the phishing email was opened by some users around lunchtime today. The malware payload then encrypted files on local drives and network shared drives. The virus checkers did not show any suspicious activity and so this could be a zero day attack."

Both the shared (S) and network (N) storage drive services have been suspended as the university works to stop the outbreak. Service is expected to be restored in read-only mode later this evening, UK-time.

The ISD said drives that have already been encrypted by the malware will be restored to their most recent backup once the infection is resolved.

In the meantime, the university is warning all students and staff not to open any attachments or click links in emails, and to be wary of suspicious messages from contacts.

"It is vital we all maintain a high level of vigilance when opening unexpected emails. If the email is unexpected or in any way suspicious, then you must not open any attachment or follow any link in the email," the ISD said.

"Doing so may lead to loss of your data and very substantial disruption to the university."

UCL said it will provide an update on the situation tomorrow. ®

Updated to add

UCL now says the cause of the infection looks to be a malicious webpage visited by someone on the network, rather than an email attachment, but no word on whether it was indeed a zero-day exploit. If it's a true zero-day then the top college is a victim; if it's, say, a 2012 exploit, then it's borderline negligence.

The uni also said 12 users had local or shared network drives encrypted.

"Our antivirus software is up to date and we are working with antivirus suppliers to pass on details of the infection so that they are aware of the incident," the IT team said, noting the infection only attacks Windows PCs.

"We cannot currently confirm the ransomware that was deployed."

As of Thursday night, networked and shared drives are in read-only mode, with more work on resolving that issue expected to take place Friday.

More about


Send us news

Other stories you might like