Oleksii - stock.adobe.com

Maastricht University pays €200,000 to Russian hackers

A Dutch university has taken the difficult decision to pay hundreds of thousands of Euros to Russian hackers that compromised its systems through a ransomware attack

Maastricht University has paid nearly €200,000 worth of bitcoin to Russian hackers after 267 servers were compromised in December 2019.

Critical systems for business operations, including mail servers and file servers including research data, as well as a number of backup servers were hit. Eventually, just before the turn of the year, the university paid the cyber criminals to get the files back as soon as possible.

On Wednesday 5 February, Maastricht University organised a symposium at which the research report of the attack was made public and lessons learned were shared. With this symposium, the institute wants to play its part in increasing digital security. In the increasingly intensive fight against cyber insecurity, Maastricht University regards this as its social duty.

According to security company Fox-IT, the origin of the ransomware attack was phishing emails that were opened on two workstations in mid-October. This gave Russian attackers access to the university’s systems.

Subsequently, several servers were compromised, after which full rights were obtained within Maastricht University’s infrastructure via a server with missing security updates. Finally, on 23 December, so-called Clop-ransomware was rolled out on 267 Windows servers. 

For a long time, it was unclear whether the university had paid the ransom, but during the symposium it became clear that 30 bitcoins – which converts to €197,000 – had been paid to the cyber criminals.

Nick Bos, vice-chairman of the university board, told Dutch newspaper AD: “It was a diabolical dilemma. We didn’t decide overnight. As a director, you’re horrified by that thought, but it was a trade-off between the principle of not paying criminals on the one hand, and the importance of the continuity of education, research and our university on the other.”

Inadequate security

Immediately after the hack, Maastricht University called in Fox-IT, which conducted research into the attack (a process still ongoing). The cyber security company concluded that the university had not installed security updates everywhere and that most backups were not kept offline.

After the start of the attack in October, the university could have become suspicious if sufficient detection measures had been put in place, but that was not the case.

“We have taken measures to stop this situation,” Michiel Borgers, CIO at the university told AD. “We’ve asked experts how cyber secure we are, and they told us it was average. No holes, but it turned out to be insufficient.”

Read more about ransomware 

  • Ransomware attacks against the NHS have tapered off dramatically, according to statistics obtained under FoI legislation, but this does not mean the threat has diminished.
  • Travelex switches off computer systems and resorts to cash-only currency sales after malware attack. Insiders claim the currency exchange chain has been hit by ransomware which has left critical files containing customer data encrypted.
  • If you find your systems locked up from a ransomware attack, what should you prioritise? Before you start your recovery, follow this plan to avoid additional trouble.

According to the annual Cyber Security Monitor of Statistics Netherlands – an ICT survey among 12,000 Dutch companies – large companies are more likely to be affected by smaller ones, but no industry is immune to cyber attacks.

VVD MP Dennis Wiersma demands – together with various student organisations – that universities, colleges of higher education and MBOs monitor digital security at their schools.

By doing so, he wants to prevent more educational institutions from falling prey to cyber criminals, because security leaves much to be desired. “Not everything was backed up in Maastricht,” he told Dutch press service ANP in mid-January. “You also wonder how the hackers got in. The security of the systems apparently wasn’t in order either.”

Lessons learned 

During the symposium, the university announced it had learned a number of valuable lessons. For example, the organisation will work on increasing awareness among employees and improving the reporting of phishing emails.

It will also focus on technical measures, such as accurately updating the software and improving the segmentation of the Windows policy, as well as making double backups, which will be stored both online and offline.

Read more on CW500 and IT leadership skills