Ransomware Hits Maastricht University, All Systems Taken Down

Gandalf_The_Grey

Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23.

UM is a university from the Netherlands with over 18,000 students, 4,400 employees, and 70,000 alumni, UM being placed in the top 500 universities in the world by five ranking tables in the last two years.

"Maastricht University (UM) has been hit by a serious cyber attack," the university announced on Christmas Eve, December 24.

"Almost all Windows systems have been affected and it is particularly difficult to use e-mail services. UM is currently working on a solution."

It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack, prior to the systems getting encrypted with the yet unnamed ransomware strain.

Read the rest of this story by Bleeping Computer here:
Website of the university:
 

upnorth

This got me a bit extra curious because these aren't the common peasants.

In order to work as safely as possible, UM has temporarily taken all of its systems offline.

Update: cyber attack at UM
Cybersecurity Insiders has learned that Clop Ransomware which was discovered in Feb’19 was the culprit behind the disruption and is somehow related to CryptoMix Ransomware.

Technically speaking, the developers of Clop Ransomware have devised it in such a way that it encrypts a complete computer network instead of individual workstations. And as soon as the malware infiltrates the network, it quickly locks down the files from access with a “.clop” extension. And a pop message detailing an email address and the instructions related to payment is then made available on the unencrypted document.

Clop Ransomware has a history of infecting only Microsoft Windows systems by surpassing Windows Defender, and it shuts down important processes like Microsoft Office before blocking data recovery attempts.

Here's a bit more information about the Clop Ransomware.

More interesting details can be found in the Hub. Thanks @Der.Reisende and also @Gandalf_The_Grey for the share.
 

upnorth

  • The buildings of Maastricht University will be open from 2 January, as planned, regardless of the current circumstances concerning the IT systems.
  • For students and staff, we want to open temporary "help lines" in the very short term, where you can ask questions and if desired, receive customized service. We will set this up at the central level and at the level of faculties and service centers, tailored as much as possible to the wishes and questions of students and staff. Specific information about this will follow as soon as possible.
  • Special attention is currently being paid to urgent and important issues such as timetables, exams, theses, applications (fixus programmes), grant applications, research projects and job applications. We are looking for solutions for this and we want to offer more clarity quickly.
Over the past days, we noticed that many people sympathize with us, both from outside and especially from within our university. It is a sign of the spirit and culture of Maastricht University that many people want to contribute to solving the problems. Many colleagues are already putting their shoulders to the wheel at the moment.

This does us all good and we are very grateful for all the sympathy.
This is good communication. Glad to see it, and I hope they are able to purge all malicious crap from their entire network as soon as possible.
 

Lenny_Fox

Writing from own experience at a bachelor's and master's university in the Netherlands:

Both IT managers were former system managers who thought they were the best pros in their profession because they became the boss (even openly cocky about it).

Most system managers were not the best in their trade (lower salaries at universities for non-scholars) with a 9-to-5 mentality (I get paid less, so I have to work less).

They often used old software (did not invest in newer when functionality still fitted its purpose), resulting in delayed updates of underlying infrastructural software.

Some daredevil students showed how easy it was to break in when having physical access to school buildings. The only reason students don't fool with those systems is the high-impact punishment when a student would get caught.

Personally I think it is a miracle that this type of infection has not happened much earlier.

Overconfidence, coupled with delayed updates and average-skilled IT professionals with a 9-to-5 mentality, is asking for an accident to happen.
 

upnorth

It is of the utmost importance at this moment that students and staff do not perform any actions on UM computers or systems. This applies to both inside and outside the university. This is to avoid any risk for research and repair work and for data retention.

Our own IT people are working on getting our systems online again as soon as possible. UM is assisted by specialists from the renowned cyber security company Fox-IT. Fox-IT is performing the investigation and provides assistance. On the basis of, among other things, the results of that research, UM itself is working on getting the systems 'live'.
 

upnorth

Universities nowadays provide email addresses and online storage to their students (Google Drive & OneDrive), do these also get affected by this kind of attack?
OneDrive does offer the first time recovery free as otherwise it's bundled with 365.
Google Drive and iCloud have no such built-in protection, we don’t recommend you rely on them when ransomware is such a serious risk.
Generally speaking, restricted accounts help better. Also I think it's important to understand its vectors.
“Ransomware is increasingly distributed in nontraditional ways.”

Criminals now disguise it in apps and unvetted software. Or, they transmit it through spear-phishing attacks, in which they target individuals within an organization who are more likely to click on suspicious links.
 

Gandalf_The_Grey

Education at UM can be resumed on January 6. Some important systems that are required for this will be available online again from 2 January. This primarily concerns information systems for students that are used for scheduling (inspection only), study materials (Blackboard / ELEUM) and the UM Student Portal as well. Availability does involve more limited functionality. Students will also have to change all their passwords from an external location, outside the UM WiFi network.
 

Gandalf_The_Grey

Update #6: cyber attack at UM
From 2 January onwards, there will be information desks for staff and students at various UM locations. For the time being, nobody is allowed to use UM computers and systems. As stated before, only the most important education related computer systems will offer (limited) availability again from 2 January, 08:00. From that day on, also emails with questions from staff members, sent to the newly installed mailboxes of the faculties and service centres will be read. Students can still address info@m-u.nl
Update #7: New Year’s Day – A Day Offline
At the explicit request of the Executive Board, the deans and management of faculties and service centres, UM staff members of units that have been working all-out behind the scenes for days since 24 December, including Christmas, will have a day off on 1 January. They more than deserve this day of rest.
 

Gandalf_The_Grey

Statement UM and response OM:
Our experts are still working very hard to make all UM systems operational again. As of today, the most important education-related computer systems have been up and running again, albeit to a limited extent.
 

Antus67

These cyber criminals have sunk to an all-time low when attacking a college university. These students are trying hard to get an education and then a job when they graduate, and I'm sure they will have to pay a partial amount of money towards their education. These cyber bums need to be sent to college and learn how to become human beings.
 

upnorth

This was reported by well-informed sources at the UM. No official statements are being given.
I read another article from the same source, and insurance was mentioned but not confirmed. If UM actually paid the hackers, it's an extreme disgrace!
 
