Cyber Incident Victim: Ulster University

Date: Jun 2017

Location: United Kingdom

Summary

Ulster University experienced a ransomware attack that affected three departmental file shares, which the university then restricted to read-only access. The institution's antivirus partner suspected a zero-day exploit as the cause, potentially bypassing traditional defenses, with initial infection possibly originating from a compromised website visit. Pre-incident backups were available to facilitate recovery, minimizing operational disruption. The incident coincided with a similar attack on another UK university and occurred amid a broader surge in ransomware targeting the UK, which led Europe in such attacks during the period. The UK's ransomware detection rates significantly outpaced those of other European nations, reflecting heightened vulnerability to these threats.

Description

On or around June 16, 2017, Ulster University in Northern Ireland experienced a ransomware attack that disrupted its operations. The university's Information Services Division (ISD) identified the incident on the same day University College London (UCL) faced a similar outage. Initial analysis by Ulster's antivirus partner suggested the attack involved a zero-day exploit capable of bypassing traditional security measures. The ransomware encrypted data across three departmental file shares, forcing the university to restrict access to these systems to "read only" mode to prevent further spread. This containment measure remained active at the time of the article's publication.

The ISD confirmed it maintained backups of all shared drives, including a successful backup completed at close of business on June 12, 2017. These backups were intended to facilitate data restoration once the infection was fully contained. No data loss was reported due to the availability of these backups. Concurrently, UCL revised its initial assessment of its own attack, determining the ransomware infiltrated its systems through a compromised website rather than a phishing email attachment. Broader context from Malwarebytes revealed the UK experienced a 57% year-on-year increase in ransomware attacks during this period, with three times more detections than France in Q1 2017. UK organizations overall saw a 500% annual surge in cyberattacks, with ransomware representing a significant portion of this activity.
