Incident: University College London Hit by Ransomware Attack - June 2017

Published Date: 2017-06-15

Postmortem Analysis
Timeline
1. The software failure incident at University College London happened on Wednesday, June 14, 2017.
   - This information is directly mentioned in Article [60371].
   - Using the published date of the article (June 15, 2017) and the day of the incident (Wednesday), the incident date is determined to be June 14, 2017.

System
1. University College London's shared drives and student management system [60371, 60646]
2. Hospital trusts' email servers [60371]
3. NHS mail servers [60371]

Responsible Organization
1. The ransomware attack, possibly initiated through a phishing email or a compromised website, was responsible for the software failure incident at University College London [60371, 60646].

Impacted Organization
1. University College London (UCL): the university's shared drives and student management system were brought down by the ransomware attack. Hospital trusts associated with UCL also suspended their email servers as a precautionary measure [Article 60371, Article 60646].
2. Barts Health NHS Trust: suspended its mail server as a precautionary measure because of its close links with UCLH [Article 60371].
3. East and North Herts NHS Trust: also closed its NHS mail server as a preventative measure after being warned by other hospitals [Article 60371].

Software Causes
1. The software cause of the failure incident was a ransomware attack that likely originated from a phishing email or a compromised website, leading to the encryption of, and restricted access to, University College London's shared drives and student management system [60371, 60646].
2. The ransomware was not detected by the university's antivirus software, indicating a potential zero-day attack, that is, an attack that exploits a previously unknown vulnerability [60371].
3. The attack led the university to warn staff and students about the risk of data loss and substantial disruption, highlighting the impact of the ransomware on the university's software systems [60646].

Non-software Causes
1. A phishing email that let the ransomware gain a foothold on the servers [60371]
2. Contact with a compromised website that spread the malware infection [60646]

Impacts
1. University College London experienced a "major" ransomware attack that brought down its shared drives and student management system; access to those drives was then restricted to read-only mode for students and staff [Article 60371].
2. Several hospital trusts, including Barts Health NHS Trust and East and North Herts NHS Trust, suspended their email servers as a precautionary measure to prevent the spread of the ransomware [Article 60371].
3. The ransomware attack on University College London caused very substantial disruption and a risk of data loss, and the university warned of damage to files on computers and shared drives [Article 60646].
4. The attack targeted UCL's online networks, exposing staff and students to the risk of further infection, although the university believed the risk had been contained [Article 60646].

Preventions
1. Implementing robust cybersecurity measures, such as regular security updates and patches, to close vulnerabilities that could be exploited by ransomware attacks [60371].
2. Conducting regular cybersecurity training for staff and students to raise awareness of phishing emails and suspicious attachments that could lead to malware infections [60646].
3. Utilizing advanced antivirus software that can detect and prevent zero-day attacks, which are new strains of malware not previously seen in the wild [60371].
4. Promptly switching all drives in the system to "read-only" following an attack to prevent the malware from causing further damage [60646].

Fixes
1. Implementing robust email security measures to prevent the phishing attacks that can lead to ransomware infections [60371, 60646].
2. Regularly updating antivirus software to detect and prevent new strains of ransomware, including zero-day attacks [60371].
3. Educating staff and students on cybersecurity best practices, such as not opening suspicious attachments or visiting potentially compromised websites [60646].
4. Quickly switching affected drives to read-only mode to prevent further damage by the malware [60646].

References
1. University College London (UCL) [60371, 60646]
2. University College London Hospitals [60371]
3. Barts Health NHS Trust [60371]
4. East and North Herts NHS Trust [60371]
5. GCHQ intelligence and monitoring service [60646]
6. Graham Rymer, ethical hacker and research associate at the University of Cambridge [60646]

Software Taxonomy of Faults

Recurring. Option: one_organization, multiple_organization.
Rationale:
(a) The software failure incident has happened again at one_organization:
- University College London (UCL) experienced a major ransomware attack, similar to the WannaCry epidemic of the previous month [60371, 60646].
- UCL faced a "widespread ransomware attack" that led to restricted access to online networks and a risk of data loss and substantial disruption [60646].
(b) The software failure incident has happened again at multiple_organization:
- Following the ransomware attack on UCL, several hospital trusts, including Barts Health NHS Trust and East and North Herts NHS Trust, suspended their email servers as a precautionary measure to prevent the spread of the malware [60371].
- The attack on UCL was part of a series of ransomware attacks targeting various organizations, indicating a broader trend of cyber-attacks affecting multiple entities [60646].

Phase (Design/Operation). Option: design, operation.
Rationale:
(a) The software failure incident at University College London was primarily attributed to a phishing email that allowed ransomware to gain access to the university's servers and spread through its network and shared drives [60371, 60646]. This indicates a failure related to the design phase, where vulnerabilities in the system's design or security protocols allowed the ransomware to infiltrate the network.
(b) The incident also involved the operation of the system, as staff and students were warned about the risk of data loss and substantial disruption due to the ransomware attack [60646]. Additionally, the university took operational measures such as restricting access to online networks and switching all drives to "read-only" mode to prevent further damage by the malware [60646]. These operational aspects contributed to managing the aftermath of the incident.

Boundary (Internal/External). Option: within_system, outside_system.
Rationale:
(a) within_system: The software failure incident at University College London was primarily caused by internal factors within the system. The attack was believed to have originated from a phishing email or a compromised website that led to the ransomware gaining access to the university's servers and spreading through its network and shared drives [60371, 60646]. Additionally, the university took internal measures such as restricting access to drives and switching them to read-only mode to prevent further damage from the malware [60646].
(b) outside_system: External factors also contributed to the incident. The attack was likened to the previous WannaCry epidemic, indicating a potential external influence or a similarity in the method of attack [60371]. Furthermore, the timing of the attack was noted as interesting, with suggestions that the attackers may have targeted individuals who would be desperate to regain access to their data, such as students working on dissertations [60646].

Nature (Human/Non-human). Option: non-human_actions, human_actions.
Rationale:
(a) The software failure incident at University College London was primarily due to non-human actions. The incident was caused by a ransomware attack, a type of malware that encrypts files and demands a ransom for their release. The attack was believed to have originated from a phishing email or a compromised website, indicating that the contributing factors were introduced without direct human participation [60371, 60646].
(b) However, human actions also played a role in the incident. The attack was facilitated by staff or students clicking on suspicious attachments or links in emails, which allowed the ransomware to gain a foothold in the university's systems. Additionally, human cybersecurity practices, such as not opening suspicious attachments and being cautious online, were emphasized as important measures to prevent further spread of the malware [60371, 60646].

Dimension (Hardware/Software). Option: software.
Rationale:
(a) The software failure incident at University College London was primarily due to contributing factors originating in software. The incident was a ransomware attack that spread through the university's network and shared drives after being initiated by a phishing email or a compromised website [60371, 60646]. The attack led to the restriction of access to online networks and shared drives, causing substantial disruption and a risk of data loss [60646]. Additionally, the attack was not detected by the university's antivirus software, indicating a software-related vulnerability [60371].
(b) The incident did not have contributing factors originating in hardware.

Objective (Malicious/Non-malicious). Option: malicious.
Rationale:
(a) The software failure incident at University College London was malicious in nature. It was a ransomware attack described as a "major cyber-attack" and a "widespread ransomware attack" [Article 60371, Article 60646]. The attack was believed to have been initiated through a phishing email or a compromised website, with the ransomware spreading through the university's network and shared drives. The attackers used destructive software to lock computer systems and threatened to damage files unless payments were made. The incident was compared to the previous WannaCry epidemic, indicating a deliberate attempt to harm the system and disrupt operations.

Intent (Poor/Accidental Decisions). Option: poor_decisions.
Rationale:
(a) The software failure incident at University College London was primarily due to poor decisions. The incident was caused by a phishing email that led to a ransomware attack spreading through the university's network and shared drives [60371]. Additionally, the attack was not picked up by the university's antivirus software, indicating a potential lack of proactive security measures or updates [60371]. The decision to click on the phishing email or interact with a compromised website ultimately facilitated the spread of the malware, highlighting the poor decisions that contributed to the failure.

Capability (Incompetence/Accidental). Option: accidental.
Rationale:
(a) The software failure incident at University College London was not attributed to development incompetence. The incident was primarily caused by a ransomware attack that spread through the university's network and shared drives after a phishing email or contact with a compromised website [60371, 60646].
(b) The software failure incident was accidental in nature, as it was initiated by a cyber-attack involving ransomware that locked computer systems and threatened to damage files unless payments were made. The attack was not intentionally caused by the university or any development organization but by external malicious actors [60371, 60646].

Duration. Option: temporary.
Rationale:
The software failure incident at University College London due to the ransomware attack can be categorized as a temporary failure. The incident was described as ongoing on Thursday [Article 60646]. The attack began on Wednesday, and by 7 pm access to the affected drives was restricted, with the drives available in read-only mode for students and staff [Article 60371]. The university believed the risk of further infection had been contained and urged staff and students to help reduce any further spread of the malware [Article 60646].

Behaviour. Option: crash, other.
Rationale:
(a) crash:
- The incident at University College London resulted in the shared drives and student management system being brought down [60371].
- The attack led to restricted access to the drives, which were then available only in read-only mode for students and staff [60371].
- The attack caused very substantial disruption at the university [60646].
(b) omission:
- The ransomware attack at UCL resulted in a risk of data loss and "very substantial disruption" [60646].
- Students and staff were warned about the ransomware damaging files on their computers and shared drives [60646].
(c) timing:
- The ransomware attack at UCL began on Wednesday and was continuing on Thursday [60646].
- The attack was suspected to be a "zero-day" attack, not seen before, as it was not picked up by the antivirus software [60371].
(d) value:
- The specific strain of ransomware that hit UCL was not clear, but the university warned that it may be a "zero-day" attack [60371].
(e) byzantine:
- There is no specific mention in the articles of the software failure incident exhibiting byzantine behaviour.
(f) other:
- The attack at UCL was described as a "widespread ransomware attack" [60646].
- The attack was initially blamed on phishing emails but was later suggested to have come from contact with a compromised website [60646].
- The attack targeted computer systems and threatened them with damaging software unless payments were made [60646].

IoT System Layer

Perception. Option: None. Rationale: None.
Communication. Option: None. Rationale: None.
Application. Option: None. Rationale: None.

Other Details

Consequence. Option: property, delay, non-human, theoretical_consequence.
Rationale:
(a) death: There were no reports of people losing their lives due to the software failure incident in the provided articles [60371, 60646].
(b) harm: The articles did not mention any physical harm to individuals due to the software failure incident [60371, 60646].
(c) basic: There was no indication that people's access to food or shelter was impacted by the software failure incident [60371, 60646].
(d) property: The software failure incident impacted people's material goods, money, or data, as the ransomware damages files on computers and on the shared drives where files are saved [60371, 60646].
(e) delay: The incident caused substantial disruption and restricted access to online networks, potentially delaying activities for staff and students at University College London [60646].
(f) non-human: Non-human entities, such as computer systems and shared drives, were impacted by the ransomware attack at University College London [60371, 60646].
(g) no_consequence: The articles clearly described observed consequences of the software failure incident, ruling out the option of no real consequences [60371, 60646].
(h) theoretical_consequence: The articles discussed potential consequences of data loss, further infection, and the risk of more spread of malware, which can be considered theoretical consequences that were being addressed [60646].
(i) other: The articles did not mention any other specific consequences of the software failure incident beyond those already discussed in options (a) to (h) [60371, 60646].

Domain. Option: information, knowledge, health.
Rationale:
(a) The failed system was intended to support the information industry, as the attack affected University College London's shared drives and student management system, causing substantial disruption to the university's operations [60371, 60646].
(j) The incident also impacted the health industry, as several hospital trusts, including Barts Health NHS Trust, suspended their email servers as a precautionary measure to prevent the spread of the ransomware attack that targeted University College London [60371].
(m) The incident is also related to the education industry, as University College London, a prominent educational institution, was the primary target of the ransomware attack, leading to disruptions in its academic and administrative functions [60371, 60646].
