Maastricht University gets partial ransom back after ransomware attack in 2019

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,259
Partial success for Maastricht University, following a ransomware attack in 2019. Investigators have managed to seize part of the Bitcoin ransom payments. Due to price increases, this amount is now worth more than the entire ransom at the time. The university plans to put the amount into a fund for students. Here is some information about an incident that is ending with a profit for the university.

The University (UM) of the Dutch city of Maastricht fell victim to a ransomware attack on Dec. 23, 2019, according to my research (see Ransomware infects Maastricht University). All computer systems have been shut down for the moment. Of course, it was super fitting that December 24 was Christmas Eve, because the administrators had focused on Christmas and the students were probably also mostly on Christmas vacation.

As a result of the ransomware infection, all IT systems had to be taken offline. The latest statement from the university, dated January 27, 2020, says that students can copy, print and scan again with internal systems. In February 2020, it was revealed (see this Reuters article) that the university had paid 200,000 euros in ransom in the form of 30 Bitcoins.

As part of the investigation into the cyberattack, Dutch police came across a bank account (specifically, it was a crypto-wallet) that belonged to a money launderer in Ukraine, as can be read here. A relatively small part of the ransom – around 40,000 euros in bitcoin – had been deposited in this account. Dutch prosecutors were able to seize the account in 2020 and found a number of different cryptocurrencies as assets.

Negotiations over the return of the funds from this account dragged on. Dutch authorities have now been able to return the partial ransom to the university after more than two years of negotiations. However, the value of the bitcoin in the Ukrainian account has increased from 40,000 euros at the time to 500,000 euros.

Maastricht University ICT Director Michiel Borgers commented, "This money will not go into a general fund, but into a fund that helps financially struggling students." So now the university has gotten back twice the amount that was paid as a ransom. Could have turned out differently. Currently, the prosecutors are also trying to arrest those behind the attack – but this is likely to be rather difficult.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
I recall this case very well.

 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,259

Maastricht University wound up earning money from its ransom payment​

However, as UM recently revealed, in a "remarkable development," the Netherlands Public Prosecution Service traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said.

"The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might seem like the university made a considerable profit within a relatively short time, the €500,000 seized by law enforcement agents represents significantly less than the damage inflicted during the ransomware attack.

These seized funds are now in a bank account under the control of the Netherlands' Public Prosecution Service, and the Ministry of Justice has already initiated legal proceedings to transfer them to UM.

After recovering the money, UM Executive Board said it wants to create a fund that would allow the university to help students in need.

"The cyber attack showed how vulnerable students can be in their study progress, but certainly also financially," explains Vice-President Bos.

"The crises we have experienced since then have only further underlined this vulnerability. In light of this, the Executive Board considers the use of these funds to help students in need very appropriate."
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top