UCL ransomware attack traced to malvertising campaign
Researchers finger trojan-slinging AdGholas group
Security researchers have suggested that the ransomware attack on University College London last week was spread through a "malvertising" campaign.
Proofpoint reckons the AdGholas group spread the infection using malware-tainted online ads. This was a "zero-click required" campaign that could infect users who simply visited a compromised site1.
More specifically, the Astrum Exploit Kit was used to deliver the Mole ransomware, Proofpoint said. Mole is a member of the CryptFile2/CryptoMix ransomware family.
On June 15, 2017, several universities in the UK including UCL and Ulster reported that they were victims of a "zero-day" ransomware attack. This was unrelated to a separate spam campaign spreading the Dridex banking trojan, Proofpoint said.
This week both Ulster and UCL said they had restored staff and student access to their respective computer networks. We asked support staff at both institutions to comment of the malvertising theory but are yet to hear back.
The AdGholas group has specialised in slinging banking trojans in the past so the latest campaign represents a notable switch in tactics.
Proofpoint's theory, if verified, runs counter to earlier speculation that a lecturer or student visiting a dodgy site or opening a booby-trapped email was to blame for first letting ransomware into UCL's environment. Phishing emails in general are a frequent source of ransomware outbreaks and UCL's defences were not particularly robust, according to at least one security vendor.
Steven Malone, director of security product management at Mimecast, commented: "UCL appears to be running 'naked' Office 365 for its email security gateway. This is case in point for why all organisations need to ask if they are happy to trade defence-in-depth strategies for single vendor reliance when moving to the cloud.
"The vast majority of ransomware attacks are spread by email yet many organisations have still not put any additional security controls in place. Real-time checks on links and converting all incoming attachments to safe formats seriously reduces the risk of infection." ®
1These compromised sites hosted an exploit kit that used software vulns to push malicious code onto the Windows PCs of visiting surfers, a common hacking and malware distribution technique.