Gandalf_The_Grey

Update #21: cyber attack at UM
24 January 2020

Although many students and employees are able to work again (for the most part) as they did before the cyber attack, the consequences of the hack are not over yet. The Executive Board therefore asks for some patience and understanding regarding issues that have not yet been resolved. Every day, dozens of colleagues are still working to restore everything as quickly as possible and as safely as possible. This update also includes information about the leniency arrangement for students who have been disadvantaged by the attack and the good news that the schedules for period 4 are available. It's also possible again to register online for an open day.
Update #22: cyber attack at UM
27 January 2020

From 9 o'clock this morning, students and staff are able to print, copy and scan again from UM workstations. VPN is also up and running, so as of today, people can work safely from home, with secure access to UM servers.
 

Gandalf_The_Grey

Lessons learnt cyberattack UM:
Thank you for joining our livestream. During this symposium, we will share all of the information regarding the events as they unfolded during the cyber attack. After the livestream, a report will be published and shared online, which will include Maastricht University’s official statements. If you still have questions after the livestream, feel free to write an email to communicatie@maastrichtuniversity.nl. Please add the subject to your email “Question Cyber attack symposium”.
Was too long for me to watch, but what happened was (according to Dutch media):
The entry point was a phishing mail.
Not all software was up to date.
No offline backups
They paid the ransom of 197,000 euros (30 bitcoin).
Patient Zero: (screenshot attachment)
 

plat1098

Always a little cringe inside when I read that the ransom was paid. A very expensive lesson, it seems--almost a quarter of a million US dollars (216,000 currently). Well, what's a university without higher learning? Hope they implemented those lessons and will consistently maintain them.
 

Gandalf_The_Grey

Some more info from FanJ @ wilders:
In short, what happened according to the above articles:
It all started on 15 and 16 October 2019 with phishing mails pointing to a malicious document.
There were two servers with an unpatched OS.
On 21 November the whole network was compromised: 267 servers and 2 workstations.
The hacker needed to use a certain piece of software to roll out the ransomware further. That was detected by an AV.
The hacker then uninstalled that AV.
On 23 December the ransomware was rolled out.
Backups were also encrypted.
The UM paid about 197,000 euro (30 bitcoin).
 

upnorth

I missed watching the stream so thanks for the video share @Gandalf_The_Grey , but I'm not so sure I'm actually gonna click it. I'm really disappointed at UM and find it, as I said before, a disgrace that a University can't protect itself. Incompetent staff perhaps? Maybe the students could have done a much better job. :rolleyes:

No matter how exclusive or super rare or even extremely targeted this malware/infection was, with a normal genuine business backup system that is regularly used and verified they would/should have got their system up and running much faster. But, I don't know how their network actually was/is built and if the ransomware was constantly infecting cleaned/new machines. Sounds like that was the case from the quote from Wilders, but I get the feeling the network machine numbers are wrong. Not too important anyway.

Those of you who watched the video, did they mention what main AV they used when they were hit?

Another thing that makes me not wanna watch the video, not now anyway, is that they waited a long long time to spill the truth. That they paid the thieves. Also a pretty big sum. I wonder if their strategy was/is that people will hopefully forget sooner or later that they paid the ransom and instead recall UM as that place that worked their ass off getting everything back. :sleep:
 

Gandalf_The_Grey

What needs to be done in order to prevent a repeat?

  • The most important thing is creating awareness among students and staff, so that they learn to distinguish between phishing mails and regular e-mails.
  • Better detection and prevention: implementing security updates on all servers and developing 24/7 monitoring.
  • Segmentation within the network: among other things by implementing ‘fireproof doors’ so that some parts of the network can be shut off from the outside world, and giving fewer people access to all parts of the network.
  • Ensuring there are online and offline backups.
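The timeline posted above (AV detects the deployment tooling, the attacker uninstalls the AV, ransomware is rolled out and the backups go with it) and the "better detection and 24/7 monitoring" lesson both point at the same monitoring gap: the AV's own alerting stops the moment the AV is removed, so the signal has to come from a log source the attacker does not control. The example below is added here and is not code from the thread, from UM or from the symposium report. It is a toy SIEM-style correlation in Python that treats "security product uninstalled or disabled" as a medium alert on its own and escalates to high when the same host then starts a burst of file creates with an extension outside its baseline. The event IDs are standard Windows ones (MsiInstaller 1034 = product removed, Windows Defender 5001 = real-time protection disabled, Sysmon 11 = FileCreate); the product name, host names, extensions, thresholds and the sample log lines are all constructed for the demo and are assumptions, not details from the UM case.

```python
"""Toy log correlation for the 'AV uninstalled, then ransomware' chain.

Added example; events below are constructed JSON lines, not real UM data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: substrings that identify a security product in an uninstall
# record. Tune this to the products actually deployed.
SECURITY_PRODUCT_KEYWORDS = ("antivirus", "endpoint protection", "defender", "edr")
# Assumption: extensions a file server is expected to create in bulk.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx"}
TAMPER_LOOKBACK = timedelta(hours=48)   # how long a tamper event stays "hot"
WRITE_WINDOW = timedelta(minutes=5)     # sliding window for the burst detector
BURST_THRESHOLD = 50                    # unusual-extension creates per window


def parse_event(line: str) -> dict:
    """One JSON object per line; 'ts' is ISO 8601 (constructed format)."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_security_tamper(ev: dict) -> bool:
    """MsiInstaller 1034 = product removed; Defender 5001 = real-time protection off."""
    if ev["source"] == "MsiInstaller" and ev["event_id"] == 1034:
        name = ev.get("product", "").lower()
        return any(k in name for k in SECURITY_PRODUCT_KEYWORDS)
    return ev["source"] == "Microsoft-Windows-Windows Defender" and ev["event_id"] == 5001


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def correlate(lines) -> list:
    """Return alerts in time order. Medium: tamper or burst alone. High: burst
    on a host whose security product was tampered with inside TAMPER_LOOKBACK."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    last_tamper = {}                 # host -> ts of most recent tamper event
    bursts = defaultdict(deque)      # host -> timestamps of unusual file creates
    burst_fired = set()              # alert once per host, not per file
    alerts = []
    for ev in events:
        host = ev["host"]
        if is_security_tamper(ev):
            last_tamper[host] = ev["ts"]
            alerts.append({"severity": "medium", "rule": "security_product_tampered",
                           "host": host, "ts": ev["ts"].isoformat()})
        elif ev["source"] == "Sysmon" and ev["event_id"] == 11:      # FileCreate
            if _extension(ev["target"]) in BASELINE_EXTENSIONS:
                continue
            q = bursts[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WRITE_WINDOW:               # slide window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and host not in burst_fired:
                burst_fired.add(host)
                t = last_tamper.get(host)
                if t is not None and ev["ts"] - t <= TAMPER_LOOKBACK:
                    rule, sev = "mass_encryption_after_av_tamper", "high"
                else:
                    rule, sev = "mass_unusual_file_writes", "medium"
                alerts.append({"severity": sev, "rule": rule,
                               "host": host, "ts": ev["ts"].isoformat()})
    return alerts


def build_sample_lines() -> list:
    """Constructed sample: fs01 loses its AV, then writes 60 '.locked' files;
    ws17 has real-time protection switched off; fs02 does a normal bulk export."""
    t0 = datetime(2019, 12, 23, 18, 0, 0)

    def ev(ts, **fields):
        return json.dumps({"ts": ts.isoformat(), **fields})

    lines = [
        ev(t0, host="fs01", source="MsiInstaller", event_id=1034,
           product="Acme Endpoint Protection"),                       # constructed name
        ev(t0 + timedelta(minutes=1), host="ws17",
           source="Microsoft-Windows-Windows Defender", event_id=5001),
    ]
    for i in range(60):
        t = t0 + timedelta(hours=2, seconds=2 * i)
        lines.append(ev(t, host="fs01", source="Sysmon", event_id=11,
                        target=f"D:\\shares\\finance\\report{i}.xlsx.locked"))
        lines.append(ev(t, host="fs02", source="Sysmon", event_id=11,
                        target=f"D:\\exports\\batch{i}.xlsx"))
    return lines


def run_demo() -> list:
    return correlate(build_sample_lines())


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The point of the design is that neither signal depends on the AV still being installed: the uninstall record comes from the Windows Installer log and the file-create burst from Sysmon, both of which should be forwarded off the host before an attacker with local admin can touch them. On the constructed input this yields two medium alerts (fs01's AV removal, ws17's protection being disabled) and one high alert for fs01 once its 50th unusual file create lands inside the five-minute window; fs02's spreadsheet export never fires because `.xlsx` is in the baseline.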
 

upnorth

“the continuity of the UM” was at risk, he said. “Study progress, scientific research, sustainable security of data, business processes”; with all of this, the UM ran “unacceptable” risks. Because if files are encrypted and you don’t have the key (“decryptor”), how long would it take to rebuild everything from scratch? That could take weeks, even months, experts ensured the Board. Moreover, that would almost certainly mean loss of crucial data files.
Curious IMO that something that, with most companies, organisations etc., is worth much more than anything is always oddly forgotten when ransom gets paid: the brand itself and, in this case, UM (Maastricht University). Trust is also another keyword.
 