- 15/05/2017
Single suspicious case at TU/e caused by ‘WannaCry’
At TU/e this past weekend a single “suspicious case” was registered that may have been related to the worldwide WannaCry ransomware attack. According to ICT Services, the laptop in question, being used by a researcher, was immediately isolated from the network, and no damage appears to have been caused.
Media announcements about a worldwide ransomware attack were already being noted Friday evening by ICT Services, more specifically by the Computer Emergency Response Team (CERT) that goes into action when an ICT calamity occurs. Headed up by Peter Kerkhofs, this team is staffed by technicians from "every major branch of ICT", says Thieu Mennen, head of the back office department at ICT Services.
The CERT team, which also convened several times today supported by the various team leaders, first compiled an analysis of the threat, its size and significance for the university. Contact was also made with SURF, the ICT organization for higher education. “They carry out the first major mail filtering, after that we apply our own filters. This gives us the greatest chance of filtering out everything harmful.”
Mennen continues: “It also turned out that patches are available that can protect against this attack, for both Windows environments and virus scanners.” But patches for virus scanners, says Mennen, are also without exception reactive: “they are always available right after an attack, so they rarely enable you to prevent one.”
At present ICT Services is monitoring the network extra closely, which led to them spotting the attempted attack on the laptop of an individual researcher mentioned above, explains Mennen: “In the first WannaCry attack, if the user clicked on something, a connection was made with a server outside the network so that damaging software could be downloaded. We spotted that activity. Next, we studied the network to establish which computer was generating this activity, and we were able to isolate it immediately.”
Mennen: “Cybercriminals now work in such sophisticated ways, gathering information about you in advance from various sources, so that the email you receive often really does seem to be for you personally. Using, say, an unsubscribe button, they try to get you to click on a link. The power of the attack lies in the fact that if the recipient clicks on a link or opens a mail attachment, the virus reproduces like crazy all over their network and infects everything that isn't security protected. And as an individual, you can do absolutely nothing to stop it.”
His advice is this: check regularly for system and program updates (“Don't wait to be notified by Windows.”) and keep your virus scanner activated and up to date. And: do not click on any emails (whether in your TU/e account or any personal accounts), links or attachments that you do not trust. Instead, pass them on to abuse@tue.nl or go along in person to the service desk in MetaForum or Matrix.