Maastricht University paid a ransom of 197,000 euros for ransomware attack


Maastricht University confirms that it paid 197,000 euros in ransom after the ransomware attack that hit the institution last year. This was done to guarantee the continuity of education.

This was confirmed by Nick Bos, vice president of the university, during a symposium about the attack. There had been rumours for some time that the institution paid the ransom after it was hit by ransomware on Christmas Eve. The ransom was 30 bitcoins, bought ‘at the price of 30 December’. “It was a devilish choice,” says Bos. “We consulted with many parties for a long time and did not take any decisions overnight, but in the end we made the choice. If we had had to reinstall all systems and computers, it would have set us back weeks, if not months. The damage from that is hardly predictable.”

Although paying a ransom is not illegal, an important consideration was that the university is funded by taxpayers’ money, Bos says. All of the university’s backups were online only, and these were encrypted by the attackers as well; there were no offline backups. “It was important to us that in the event of an outage we could get our students and academics back to work as quickly as possible,” says CIO Michiel Borgers.

The university did not negotiate the ransom amount with the criminals. That was a conscious choice, says Vice President Bos. “We contacted the criminals after two or three days. They told us the ransom amount. Based on that, we weighed up our best choice.” The university did request proof that decryption worked, by having one encrypted file decrypted. A deposit in bitcoin was also made to verify that the payment process worked. “We chose a quiet process with little irritation and no detours. We had a one-to-one relationship with the hackers, and based on that we made an estimate.”

The university was not insured against cyber attacks or against business discontinuity. “We’re considering that right now, we’re looking at the options,” Bos says.

Infiltration

The attackers got in through a phishing link, the university says. They then managed to infect 267 of the university’s servers with the Clop ransomware. The initial infection occurred on October 15, according to research by Fox-IT, which was called in after the ransomware struck. By November 20 the attackers had complete control over the network, according to Fox-IT; they moved through that network manually. According to the university, “5 or 6 of the 1650 servers at the university” ran outdated software. The infected servers ran Windows and included mail servers. The university’s research data was stored on Linux servers, which were not infected.

The operation was most likely carried out by a well-known hacker group called Grace-RAT, Fox-IT says. Researcher Frank Groenewegen notes that this is attribution and therefore not certain, but that characteristics of the group looked familiar. “We keep an eye on those characteristics. This group also had many of those characteristics. It is also up to the police to definitively identify the perpetrators.”

Grace-RAT is a well-known hacker group also known as TA505. The group is believed to be responsible for developing the Clop ransomware. It typically attacks financial institutions and, more recently, educational institutions.

The university and Fox-IT say there are no traces of data having been stolen. Groenewegen of Fox-IT notes, however, that the scope of that investigation was limited.

Lessons learned

The university mentions a few lessons learned from the attack. It wants to create more awareness about phishing emails. Two students reported a suspicious email to the service desk. “Unfortunately, there were different URLs in it, so one was detected but the other was not,” says CIO Michiel Borgers. Another problem is that software needs to be better maintained, although the university says this is a difficult task. “We have 1650 servers and 8000 workstations at the university that get 100,000 updates a year. Only a few servers had outdated software.” The university also wants to segment its networks better: it wants to ‘consider whether all those servers should be connected’, but emphasises that it is also important that students and employees can continue to do their work.

Another important point was that there was no good logging policy in place. Borgers: “We found that we were insufficiently detecting deviant behaviour.” The university had already planned to set up its own security operations center in 2020, and a budget had been set aside for it. “Unfortunately, that came too late for us.”
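The detection gap described above (attackers moving manually from server to server for weeks without being noticed) is the kind of behaviour a basic logging policy can surface. The script below is an added example, not code from the university, Fox-IT or the original article: it runs a simple lateral-movement check over a constructed, hypothetical logon log. The log format, the account and host names, the 10-minute window and the threshold of 5 distinct destination hosts are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not the university's real telemetry).
# One network logon per line:
#   "<ISO time> logon user=<account> src=<host> dst=<host> type=<logon type>"
SAMPLE_LOG = """\
2019-11-19T08:02:11 logon user=jdoe src=ws-0412 dst=fs-01 type=3
2019-11-19T08:05:47 logon user=jdoe src=ws-0412 dst=mail-02 type=3
2019-11-19T09:10:00 logon user=admin-it src=ws-0007 dst=srv-01 type=10
2019-11-19T09:40:12 logon user=admin-it src=ws-0007 dst=srv-02 type=10
2019-11-19T10:15:55 logon user=admin-it src=ws-0007 dst=srv-03 type=10
this line is not a logon record and must be skipped
2019-11-19T22:14:03 logon user=svc-backup src=srv-17 dst=srv-18 type=3
2019-11-19T22:14:09 logon user=svc-backup src=srv-17 dst=srv-19 type=3
2019-11-19T22:14:30 logon user=svc-backup src=srv-17 dst=srv-18 type=3
2019-11-19T22:15:02 logon user=svc-backup src=srv-17 dst=srv-20 type=3
2019-11-19T22:15:40 logon user=svc-backup src=srv-17 dst=srv-21 type=3
2019-11-19T22:16:11 logon user=svc-backup src=srv-17 dst=srv-22 type=3
2019-11-19T22:20:00 logon user=svc-backup src=srv-17 dst=srv-23 type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) type=(?P<type>\d+)$"
)


def parse_events(text):
    """Parse the sample format into dicts, skipping malformed lines,
    and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"],
            "src": d["src"],
            "dst": d["dst"],
            "type": int(d["type"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_fan_out(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts that reach `threshold` distinct destination hosts within
    any span of length `window`. Returns one (user, window_start, sorted_dsts)
    tuple per flagged account, for the first window that crosses the threshold.
    Window and threshold are assumptions to be tuned per environment."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts.append((user, evs[start]["ts"], sorted(dsts)))
                break  # one alert per account is enough for this example
    return alerts


if __name__ == "__main__":
    for user, when, hosts in find_fan_out(parse_events(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {user} reached {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

In the constructed sample only svc-backup trips the rule: it touches five distinct servers inside three minutes, late in the evening, which is exactly the manual hop-by-hop movement described in the Fox-IT findings. Repeated logons to the same host are counted once, so the rule keys on breadth rather than volume. In practice the same logic would run over Windows Security event 4624 (logon type 3 or 10) collected centrally, which is only possible if those events are being forwarded in the first place, which is the logging-policy point Borgers makes.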

Maastricht University presented the details at its own symposium on Wednesday afternoon, including a substantive explanation of the attack. The symposium was broadcast live and can be viewed on YouTube.
