On the 23rd of December 2019, the Dutch University of Maastricht (UM) fell victim to a ransomware attack. The next day, UM enlisted the cyber security company Fox-IT to help deal with the cyberattack. Fox-IT assisted in crisis management, charting the attack and conducting forensic investigations. They also advised the University during the recovery process.
Symposium Addresses Cyberattack
Yesterday, the University organized a symposium, open to invited guests only. Other interested parties could follow the livestream, which is available for replay as of this afternoon, 6th February 2020 (UTC +01:00). Due to the complexity of the subject matter, however, and the fact that only Dutch media were present, the symposium was held in Dutch. The University Vice President, Nick Bos, disclosed what the university knew about the hack. The initial breach had resulted from an unidentified staff member clicking on a phishing e-mail a month earlier. Early in January, the university said that after the investigation into the hack had been completed, it would share “everything that has been found out” with sister institutes and other interested parties, such as detection agencies and cyber security companies.
Ransom Paid
During the symposium, Nick Bos also revealed that the university had decided to pay the ransom, after carefully considering its alternatives. Those alternatives would have included rebuilding its entire IT network from scratch. “The damage of that to the work of the students, scientists, staff, as well as the continuity of the institution, can scarcely be conceived,” Nick Bos said. A ransom of 30 bitcoin – worth € 197,000 to be exact, i.e. almost $220,000 – was paid by the university. After payment was made, the hackers gave the university's cyber experts the key to regain access to their systems. Five weeks after the attack, work has almost returned to normal for most staff. Students can attend classes, take exams, access the online library and more. On the 27th of January 2020, access to the Virtual Private Network (VPN) had also been restored, but only for employees.
Lessons Learned
Cybersecurity firm Fox-IT has helped the university recover and analyze what happened. On the 5th of February 2019, Fox-IT released their report about Project Fontana, the name they gave their investigation. The University of Maastricht has made the report publicly available in the hope that this will help increase digital security and awareness. Some of the lessons learned include the need:
- For better awareness and handling of phishing emails
- To take appropriate technical measures, such as ensuring software is patched with the latest updates, improving segmentation of the Windows domain, and setting up a 24/7 monitoring system
- To set up a configuration management database
- For double back-ups (i.e. on and off-line backups) to avoid the scenario of a total outage
Fox-IT identified the hackers as TA505, a Russian-speaking criminal group also known as Grace-RAT. This group has attacked numerous large financial and other institutions since 2014.