Cyber Incident Victim: University College London
Date: Jun 2017
Location: United Kingdom
Summary
University College London experienced a significant ransomware attack originating from a phishing email, compromising shared network drives and its student management system. The incident prompted associated hospitals to preemptively suspend NHS email servers to mitigate potential spread, citing concerns following recent widespread ransomware events. Antivirus software did not detect the attack, which suggested a possible zero-day exploit. The attack coincided with critical security updates for outdated operating systems.
Description
On June 14, 2017, University College London (UCL) experienced a significant ransomware attack that disrupted critical systems. The incident began around midday when a phishing email delivered ransomware to UCL's servers. By 5 PM, the university reported major disruptions affecting its shared N (network) and S (shared) drives, as well as its student management system. The ransomware propagated through these drives, prompting UCL to restrict them to read-only access by 7 PM as a containment measure. The attack was notable for evading detection by the university’s antivirus software, leading UCL to speculate that it might involve a previously unseen "zero-day" exploit. No specific ransomware strain was identified in initial reports.

The incident triggered precautionary responses beyond UCL, particularly among NHS hospital trusts with institutional ties. University College London Hospitals (UCLH) reported no direct infections but prompted affiliated trusts to suspend NHS email servers as a defensive action. Barts NHS Trust, the UK’s largest, temporarily shut down its email system due to its operational links with UCLH, citing concerns about potential spread. Similarly, East and North Herts NHS Trust disabled its NHS mail server after warnings from other hospitals, reflecting heightened caution following the recent WannaCry ransomware outbreak in May 2017. The attack coincided with Microsoft’s release of an emergency security update for outdated Windows XP and Vista systems, which addressed vulnerabilities exploitable for WannaCry-style attacks. UCL’s shared drives remained functionally limited during recovery efforts, though the full operational and financial impacts were not detailed in initial disclosures.
