Dutch institution regrets striking ‘devil’s bargain’ but said it had to put staff and students first
Maastricht University in the Netherlands has paid out nearly $220,000 worth of bitcoin to restore critical systems that were hit by a ransomware attack last year.
Affecting file, email, and backup servers, the cyber-attack prompted a network-wide shutdown and put valuable research and commercial operations data at risk, the Dutch university revealed in a press conference on Wednesday (February 5).
Investigators also found evidence that attackers – believed to be Russian cybercrime group TA505 – had obtained network topology data and usernames and passwords.
Nick Bos, vice chairman of the university board, told journalists that the university’s networks were first breached on October 15 and 16, when two phishing emails were opened on two computers.
On November 21, attackers then compromised several servers, via a server whose latest security update had failed, obtained full admin rights to the network infrastructure.
The ransomware – a variant called ‘Clop’ that was first discovered in February 2019 – then spread to 267 Windows servers.
The university became aware of the intrusion when computers flashed up ransom demands on December 23.
A university spokesperson told The Daily Swig that the network administrators at the Dutch university shut down systems within a few days and notified the police on December 26.
On December 30, they decided to pay the 30 bitcoin ransom. Historic exchange rates place this figure at around $217,000.
Maastricht University live-streamed a press conference into the ransomware incident
The cybersecurity firm hired to investigate the breach, Fox-IT, has published a detailed report (PDF) on the incident.
According to comments translated into English and included in the report, Bos acknowledged “ethical objections” to agreeing to the “devil’s bargain” but said the university, after consultating with supervisory bodies, decided that the consequences of not paying the ransom were too great.
“Making or having a ‘decryptor’ yourself is, according to experts, either impossible or will take a very long time,” he said.
The alternative, he said, was to “rebuild all infected systems” and write off certain, irrecoverable critical data.
“It would take (many) months for UM’s education, research and business operations to even be partially up and running again,” he said.
Independent security researcher Martijn Grooten told The Daily Swig that he was sympathetic to the university’s plight.
“The Fox-IT post-mortem of the incident points to several mistakes that were made,” Grooten said.
“But most of all, it shows what an incredibly difficult task it is to defend networks of this size against the kind of attackers Maastricht University had to deal with: mistakes are bound to be made and attackers will patiently spend months trying to exploit them.
“I would advise those working on the vendor side of security to refrain from making smug comments about what they should have done.”
The Fox-IT post-mortem recommends that the university implements an offline backup system, segments network architecture and user rights, extends log and network monitoring, enhances vulnerability and patch management, and improves awareness of phishing threats among staff.
Somewhat ironically, the launch by the university of a round-the-clock security operations center on January 1 had been planned before the attack took place.
Bos said discussions were underway with other education institutions about establishing a joint 24-hour security monitoring and threat intelligence service.
The report said investigations had so far found no evidence that attackers had extracted any research and personal data.
Bos also reflected on the scale of the challenge ahead: “A university must defend itself against this form of crime with limited resources and with an explicit preference for openness and accessibility. It is a race in which you, as an institution, are tested to your limits.”
A university spokesperson told The Daily Swig that “everything is pretty much back to normal” aside from “maybe a few minor systems not functioning to their full extent”.
RELATED Maryland poised to criminalize ransomware possession