Maastricht University (UM), in a press release, revealed that it has paid a ransom of 30 bitcoins for unlocking the servers and systems compromised during a large-scale ransomware attack in December 2019.
Here’s What Happened
On December 24, 2019, Maastricht University woke up to the news of a huge ransomware attack that took down almost all the Windows systems on the University’s campus and particularly affected its email services. To contain the damage and complete the analysis of the attack, Maastricht University itself initiated a complete system and network blackout on the campus.
The University then appointed the digital security firm Fox-IT for its expertise and assistance in investigating the ransomware attack further. At the time, neither the type of ransomware nor its operator was disclosed, but in a press conference held last week, the University revealed that Fox-IT found signatures of the hacker group TA505 in the files encrypted during the attack.
Maastricht University’s Ransomware Attack Timeline
A management summary of the Fox-IT report and Maastricht University’s response found that from October 15 to December 23, 2019 (inclusive of both dates), TA505 gained control over multiple servers. The following is the timeline of events in the lead-up to the final ransomware attack:
October 15 and 16, 2019: Attackers from the TA505 group gained access to University computers by means of two phishing emails opened on the mentioned dates.
November 21, 2019: TA505 then used a server with missing security updates to obtain complete access rights to the University’s network infrastructure.
December 23, 2019: After gaining extensive access and privilege rights over the network architecture of Maastricht University, TA505 finally deployed the “Clop Ransomware” on the 267 Windows servers marked as important by the group.
The report summary further states that part of the technical infrastructure, including 1,647 Linux and Windows servers and 7,307 workstations, was affected during the attack.
Maastricht University Pays the Ransom
After careful assessment and analysis by Fox-IT’s cyber forensic team, an investigation report was submitted to Maastricht University’s top management. The top management considered all the options available and finally agreed to pay the ransom demanded by the TA505 group. According to Reuters, the University eventually paid a total of 30 bitcoins amounting to US$220,000 (€200,000) for unlocking the systems and servers compromised during the ransomware attack.
The Maastricht University spokesperson said, “It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made. We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.
The fact that on January 6 and thereafter, we were able to have teaching and exams take place, more or less as planned, that UM researchers suffered little or no irreparable damage, and that we were also able to make the salary payments for 4,500 employees on time, strengthens our confidence that we made the right choice.”