Ransomware Hits Maastricht University, All Systems Taken Down

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/

Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23.

UM is a university from the Netherlands with over 18,000 students, 4,400 employees, and 70,000 alumni, UM being placed in the top 500 universities in the world by five ranking tables in the last two years.

"Maastricht University (UM) has been hit by a serious cyber attack," the university announced on Christmas Eve, December 24.

"Almost all Windows systems have been affected and it is particularly difficult to use e-mail services. UM is currently working on a solution."

It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack, prior to the systems getting encrypted with the yet unnamed ransomware strain.

Read the rest of this story by Bleeping Computer here:

Ransomware Hits Maastricht University, All Systems Taken Down

Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23.

www.bleepingcomputer.com

Website of the university:

News | Maastricht University

www.maastrichtuniversity.nl

 

[oldschool]

This trend will only get worse.

 

[upnorth]

This got me a bit extra curious because these aren't the common peasants.

In order to work as safely as possible, UM has temporarily taken all of its systems offline.

Update: cyber attack at UM

Cybersecurity Insiders has learned that Clop Ransomware which was discovered in Feb’19 was the culprit behind the disruption and is somehow related to CryptoMix Ransomware.

Technically speaking, the developers of Clop Ransomware have devised it in such a way that it encrypts a complete computer network instead of on individual workstations. And as soon as the malware infiltrates the network, it quickly locks down the files from access with a “.clop extension”. And a pop message detailing an email address and the instructions related to payment are then made available on the unencrypted document.

Clop Ransomware is having a history of infecting only Microsoft Windows systems by surpassing the windows defender and shuts down important processes like Microsoft Office before blocking data recovery attempts.

Ransomware attack on Maastricht University of Netherlands - Cybersecurity Insiders

AI is evolving at a rapid pace, and the uptake of Generative AI (GenAI) is revolutionising the way humans interact and leverage this technology. GenAI is

www.cybersecurity-insiders.com

Here's a bit more information about the Clop Ransomware.

Clop Ransomware Tries to Disable Windows Defender, Malwarebytes

In order to successfully encrypt a victim's data, the Clop CryptoMix Ransomware is now attempting to disable Windows Defender as well as remove the Microsoft Security Essentials and Malwarebytes' standalone Anti-Ransomware programs.

www.bleepingcomputer.com

More interesting details can be found in the Hub. Thanks @Der.Reisende and also @Gandalf_The_Grey for the share.

 

[mellowtones242]

Makes me wonder if these institutes and business are aware of all the massive ransomware attacks.

 

[Venustus]

Makes me wonder if these institutes and business are aware of all the massive ransomware attacks.

I'm wondering the same thing..although it could have been a disgruntled student or a faculty member with a bad USB,nevertheless heads need to roll in the IT department.

 

[mellowtones242]

I'm wondering the same thing..although it could have been a disgruntled student or a faculty member with a bad USB,nevertheless heads need to roll in the IT department.

Yes I agree heads need to roll, I can see SMBs being caught of guard but not these big institutes.

 

[Gandalf_The_Grey]

Don't know the inns and outs of this case, but I heard that the malware can be for some time on the system.
In that case even the backups could be infected.

 

[upnorth]

• The buildings of Maastricht University will be open from 2 January, as planned, regardless of the current circumstances concerning the IT systems.
• For students and staff, we want to open temporary "help lines" in the very short term, where you can ask questions and if desired, receive customized service. We will set this up at the central level and at the level of faculties and service centers, tailored as much as possible to the wishes and questions of students and staff. Specific information about this will follow as soon as possible.
• Special attention is currently being paid to urgent and important issues such as timetables, exams, theses, applications (fixus programmes), grant applications, research projects and job applications. We are looking for solutions for this and we want to offer more clarity quickly.

Over the past days, we noticed that many people sympathize with us, both from outside and especially from within our university. It is a sign of the spirit and culture of Maastricht University that many people want to contribute to solving the problems. Many colleagues are already putting their shoulders to the wheel at the moment.

This does us all good and we are very grateful for all the sympathy.

Update #3: cyber attack at UM

www.maastrichtuniversity.nl

This, is good communication. Glad to see and hope they are able as soon as possible to purge all malicious crap from their entire network.

 

[Lenny_Fox]

Writing from own experience at a bachelors and masters university in the Netherlands:

Both IT-managers were former system managers who thought they were the best pro's in their profession because they became the boss (even openly cocky about it).

Most system managers were not the best in their trade (lower salaries at universities for non scholars) with a 9to5 mentality (I get paid less, so I have to work less).

They used often old software (did not invest in newer when functionality still fitted its purpose), resulting in delayed updates of underlaying infrastructural software.

Some dare devil students showed how easy it was to break in when having fysical access on school buildings. The only reason students don't fool those systems are the high impact punishment when a student would get cought.

Personnally I think it is a miracle that this type of infections have not happened much more earlier.

Over confidence, coupled with delayed updates and average skilled IT professionals with 9to5 mentality is asking for an accident to happen.

 

[plat]

Over confidence, coupled with delayed updates and average skilled IT professionals with 9to5 mentality is asking for an accident to happen.

^This !

Ransomware is a fact of life. It's like blaming the gun that shot someone.

Another example of a prime and juicy target paying an exorbitant price for cost-cutter security.

 

[upnorth]

It is of the utmost importance at this moment that students and staff do not perform any actions on UM computers or systems. This applies to both inside and outside the university. This is to avoid any risk for research and repair work and for data retention.

Our own IT people are working on getting our systems online again as soon as possible. UM is assisted by specialists from the renowned cyber security company Fox-IT. Fox-IT is performing the investigation and provides assistance. On the basis of, among other things, the results of that research, UM itself is working on getting the systems 'live'.

Update #4: cyber attack at UM

www.maastrichtuniversity.nl

 

[Aleeyen]

Universities now a days provide emails addresses and online storages to their students (Google drive & One drive), do these also get affected by this kind of attack?

 

[upnorth]

Universities now a days provide emails addresses and online storages to their students (Google drive & One drive), do these also get affected by this kind of attack?

OneDrive does offer the first time recovery free as otherwise it's bundled with 365.

Ransomware detection and recovering your files - Microsoft Support

Learn about the automatic ransomware detection built in to OneDrive and how you can restore your OneDrive if something goes wrong.

support.office.com

Google Drive and iCloud have no such built-in protection, we don’t recommend you rely on them when ransomware is such a serious risk.

Want to Survive Ransomware? Here's How to Protect Your PC

Don't let ransomware ruin your day! Here's how to protect your system, and what to do if it's infected.

www.howtogeek.com

General speaking, restricted accounts helps better. Also I think it's important to understand it's vectors.

“Ransomware is increasingly distributed in nontraditional ways.”

Criminals now disguise it in apps and unvetted software. Or, they transmit it through spear-phishing attacks, in which they target individuals within an organization who are more likely to click on suspicious links.

 

[Gandalf_The_Grey]

Education at UM can be resumed on January 6. Some important systems that are required for this will be available online again from 2 January. This primarily concerns information systems for students that are used for scheduling (inspection only), study materials (Blackboard / ELEUM) and the UM Student Portal as well. Availability does involve more limited functionality. Students will also have to change all their passwords from an external location, outside the UM WiFi network.

Update #5: cyber attack UM

www.maastrichtuniversity.nl

 

[Gandalf_The_Grey]

Update #6: cyber attack at UM
From 2 January onwards, there will be information desks for staff and students at various UM locations. For the time being, nobody is allowed to use UM computers and systems. As stated before, only the most important education related computer systems will offer (limited) availability again from 2 January, 08:00. From that day on, also emails with questions from staff members, sent to the newly installed mailboxes of the faculties and service centres will be read. Students can still address info@m-u.nl

Update #7: New Year’s Day – A Day Offline
At the explicit request of the Executive Board, the deans and management of faculties and service centres, UM staff members of units that have been working all-out behind the scenes for days since 24 December, including Christmas, will have a day off on 1 January. They more than deserve this day of rest.

Update #6 and 7: cyber attack at UM

www.maastrichtuniversity.nl

'Thank you!' from executive board

www.maastrichtuniversity.nl

 

[Lenny_Fox]

One of the systems mentioned in the post of @Gandalf_The_Grey called "Blackboard" was fameous for its delayed updates (and the service frameworks it was build with).

 

[Gandalf_The_Grey]

Statement UM and reponse OM:

Update #8: cyber attack UM

www.maastrichtuniversity.nl

Our experts are still working very hard to make all UM systems operational again. As of today, the most important education-related computers systems have been up and running again, albeit to a limited extent.

Update #9: cyber attack UM

www.maastrichtuniversity.nl

 

[Antus67]

These cyber criminals have sunk to a all time low when attacking a college university. These students are trying hard to get a education and than a job when they graduate and I'm sure they will have to pay a partial amount of money towards their education. These cyber bums need to be sent to college and learn how to become human beings

 

[upnorth]

Cyberhack: Maastricht University pays ransom

Observant Online is de online versie van het onafhankelijke universiteitsblad van de Universiteit Maastricht

www.observantonline.nl

This was reported by well-informed sources at the UM. No official statements are being given.

I read another article from the same source and, insurances was mentioned but not confirmed. If UM actually paid the hackers, it's a extrem disgrace!

 

[Burrito]

I just graduated with honors with a Doctorate in Physics from Maastricht University.

I guess they can't really verify that now.

Oh well.