Dutch University Paid Cybercriminals Ransom; Lessons Learned from This Attack

Maastricht University, a government-funded institution in the Netherlands, recently admitted that it paid ransomware attacker a ransom of 30 Bitcoin, valued nearly 220,000 USD at the time of payment.

The University, in a statement, said it fell victim to a ransomware attack on December 23, 2019. While the University’s IT infrastructure consists of 1,647 Linux and Windows servers and 7,307 workstations, the University said, the attacker only hit 267 Windows servers. The University added that backups of these servers were also affected.

In ransomware attacks, attackers prevent legitimate users from accessing their computers or files through the process known as encryption. Attackers then demand from their victims ransom in exchange for the decryption keys that would unlock the encrypted files. Lately, ransomware attackers openly admitted that in addition to encryption, they also steal data. In case victims refuse to pay ransom, some ransomware attackers threaten victims to publish this stolen data.

Vice President of Maastricht University Nick Bos, in a statement, said that while the University has cyber intrusion mechanisms such as Firewall, antivirus software and SURF’s SPAM filter used to filter malicious advertisement and phishing attempts, the attacker still managed to gain access and infect the University’s systems. Bos said in paying the attacker ransom on December 30, 2019:

“On one side of the scale is the importance of ‘not paying criminals’. Although this is not prohibited by law, it is abundantly clear that, for a government-funded institution such as a university, there are some major ethical objections to consider. And as a director, you are horrified by that thought. On the other side of the scale are the interests of students, researchers, staff and the university. In the sense of (unacceptable) risks concerning academic progress, scientific research, sustainable data security, business processes and ‘in the end’ the continuity of the university. Faced with this dilemma, the university administration ultimately made an independent decision that was entirely focussed on the interests of students, staff and the institution: acquiring the decryptor.”

On December 24, 2019, Maastricht University hired Fox-IT B.V. to conduct a forensic investigation. Maastricht University’s Management Summary of the Fox-IT Report showed that the attack resulted in the encryption of very critical systems, including email servers and file servers containing research and business operations data, as well as a number of backup servers.

Lessons Learned

Here are some of the lessons learned from the Maastricht University ransomware attack as determined by the Maastricht University itself:

  1. Better Handling of Phishing Emails

According to Fox-IT, attacker initially gained access to the University’s network via two phishing emails, which were opened on 15 and 16 October 2019 on two workstations.

Maastricht University said that even as each year, the University’s IT Service Desk handles security alerts from nearly 1,000 users – those that received suspicious emails and immediately report them to the IT Service Desk, this isn’t enough as there’s a need for training and tools for users to take the right actions.

  1. Software Patching

According to Fox-IT, on November 21, 2019, the attacker exploited a server with missing security updates, allowing the attacker full rights within the University’s systems. This also allowed the attacker to deploy the Clop ransomware on 267 Windows servers on December 23, 2019, Fox-IT reported.

Clop ransomware was first observed in the wild in February 2019 by MalwareHunterTeam. The original version resembles CryptoMix, a ransomware that first circulated in 2017. The early version of Clop ransomware disables numerous Windows services and processes, including Microsoft Exchange, Microsoft SQL Server, MySQL and BackupExec. In late December 2019, security researchers at MalwareHunterTeam and security researcher Vitali Kremez reported that a new variant of Clop ransomware terminates a total of 663 Windows processes before encrypting files, including Windows 10 apps, popular text editors and programming languages such as Python and Ruby.

Maastricht University said that the University receives nearly 100,000 updates each year and these have to be applied on 1,647 servers and 7,307 workstations. The University said that there’s a need for “updating the software accurately” as attacker abused the loopholes fixed by security updates. The University added that there’s a need for an “accurate” update as reported by Fox-IT, in one server, it wasn’t known how the attacker got in.

  1. Improve Network Segmentation

Network segmentation is the practice of dividing a network into sub-network so that in case of infection of a certain sub-network, the other sub-networks won’t be infected. According to Maastricht University, at the time of the attack, the University’s Windows domain administrator account with associated rights was also used for management and maintenance work on regular servers. This practice, the University said, allowed the attacker “to gain control of the domain via malware and thus perform malicious actions, such as installing malware and ransomware”. 

“In the future, we will, therefore, monitor the use of domain administrator accounts more closely and restrict their use for maintenance of the domain and the domain controllers,” the University said. “We will also further refine the rights structure within the Windows domain.”

  1. Double Backups

Prior to the attack, the University disclosed that it relied on online backups. The attacker, however, was able to encrypt these online backups. “Therefore, in addition to online backups, offline backups must also be provided, so that the scenario of total failure can be prevented,” Maastricht University said.

We develop and implement customized solutions specific to your business to stop ransomware attacks while mitigating further risks. From employee education concerning the IT risks to proactive patching and backup solutions, we got you covered.

Don’t delay. Speak with our experts today at (416) 920-3000 or email sales@genx.ca and protect your organization.

Leave a Reply

Your email address will not be published. Required fields are marked *