Ransomware Hits Maastricht University, All Systems Taken Down

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update #11: cyber attack UM:
At present, we are still working hard to get all UM systems operational again. The most important education-related computer systems are up and running again, though to a limited extent. Work is currently being done to create a clean and safe working environment and to make back-up files available for computer systems that are important for regular business operations, such as email and file servers.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I can't recall ever seen or heard about anyone update and share their information as frequent after a cyber attack as this University. That specific, I have no problem give credit for.
Yeah, that's indeed good (to read) and open from them.
They also shared information with other universities in The Netherlands so that they can beef up their defences.
Confirmed in the Dutch news (Trouw) for Leiden University.
In Dutch:
Update 12 now live:
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update 13:
Today saw the resumption of a large part of our work. Our experts have managed to make Outlook and the network drives accessible again very soon, which is very important for our research, education and our organisation as a whole.

Email

Outlook, including email and calendar, will be fully operational from Tuesday 7 January. All emails sent since 23 December will come in.

Data
For storing data, we use shared network drives, such as the J disk (note: letters can vary per unit). These drives are fully accessible again from Tuesday 7 January; files can be opened, viewed, edited, saved and overwritten as usual.

The first operational day
Despite a number of limitations, many activities could continue after the Christmas break without major problems. For example, education started according to schedule and students were able to work in the libraries as usual. In addition, most UM members have now changed their passwords and minor problems with accessing the Wi-Fi have been solved by our help desks.

People responded calmly and showed understanding for the situation at our faculties. Second-year Psychology students applauded when they were briefed at the start of their lectures about the efforts made behind the scenes. At the Faculty of Science and Engineering, scheduled projects started without significant problems. The town hall meeting for Law employees was well attended and there was a lot of understanding and goodwill. Colleagues at the School of Business and Economics were also briefed at the start of the day and a help desk was set up to answer questions. Crowds at the SSC information desk were managed very well.

New Year's reception UM
At the New Year's reception at the end of the afternoon, Martin Paul looked back on the past two hectic weeks. There was a lot of praise for the colleagues who sacrificed their holidays to restore a number of vital processes in a remarkably short time. The Executive Board has a special message for them and all other UM members.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update #16 cyber attack UM
Lessons learnt

In a few weeks' time, UM expects to be able to publicise the lessons learnt following the attack on our computer systems. For our own sake, but also for the academic colleagues, and other stakeholders. Also towards the media. We expect this to happen on 6 February, when we also want to answer questions that we cannot address while the investigation is still ongoing, so as not to harm the interests of our students and employees as well as the university as a whole.
I'm curious what they have to say and will share with us 🤔
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update #17: cyber attack UM
We are still working very hard to gradually release more computer systems. We have now entered a phase where daily updates are not to be expected. As soon as there is news, we will report this. We expect to publish a new update on Monday 13 January.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update #18: cyber attack UM
Symposium ‘Lessons learnt’ on 5 February
The symposium planned by UM to provide more details about the cyber attack will not take place on Thursday 6 February as previously announced, but on Wednesday 5 February. UM would like to share the lessons learned in the wake of the attack on its computer systems with the wider public. During the symposium, the university will also address questions that could not be answered while the investigation was still ongoing. There will be an opportunity for the media to ask questions.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Update #19: cyber attack at UM
Why do cabled internet, printing/scanning/copying and VPN not work yet?
Because of cyber security, it is necessary to monitor workplaces for suspect activities. For that purpose, the monitoring software Carbon Black is currently being installed at all workplaces. As soon as this software is installed at (almost) all workplaces, the cabled network can be opened again. VDI workplaces have a special status, because these are 100% equipped with Carbon Black and therefore already have access to the internet.
For AthenaDesktop workplaces we have (amply) reached the set standard. It is therefore important that also the non-AthenaDesktop workplaces are equipped with the software. The sooner the set standard is reached, the sooner the internet connection can be opened to the entire UM. Look at the FAQ to find out how you can check if your workplace has already been equipped with the correct software. If not, then please contact your local support officer.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
There is also some more info on Carbon Black in that post:
What is Carbon Black?
In response to the cyber attack, UM has taken proactive security measures. One of these measures is the installation of the Carbon Black security tool. This programme runs on all Windows servers and workstations (desktops, laptops, VDI) that fall under the UM domain (for which you have to log in with your UM username and password). Carbon Black is being used in conjunction with the regular virus scanner that UM already uses, with the advantage that threats can be detected faster. The tool monitors specific activity on a computer to enable early detection if malicious parties try to gain access to that computer or to the entire UM network.
What does it mean for your privacy?
Carbon Black cannot access your personal information. Just as a virus scanner scans the files you work on or the websites you visit, so does Carbon Black. The monitoring software examines metadata, such as IP addresses. If it detects an IP address that hackers use, it will set off the alarm bells. In other words, UM is using Carbon Black to detect security incidents, and it does not monitor the behaviour of individual employees or to look into their files.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I wonder what their "regular" virus scanner is. :unsure:

Hopefully asked about and answered on the 5th. If I can, I'll watch the stream. 🍿:coffee:
I have the same question after reading that post (y)
I will be at work on the 5th so not able to see that stream.
Hopefully, I can see it at a later time.
 

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
Does anyone know what security soft was used on the endpoints, or did I miss that?

I wonder what their "regular" virus scanner is. :unsure:

Exactly.

While one should not issue a damning indictment for whatever AV they have that missed the ransomware --- our MT minds want to know..

So assuming that they already have a full AV -- which they obliquely referenced as "the regular virus scanner that UM already uses" -- they are doubling up on AVs.

I know that's considered 'overkill' now here in MT. But I've pretty much always doubled up on detection/response capabilities on my 'computers that count.'

I used an unmanaged Carbon Black endpoint for a couple of years. It's good. And yep, I ran it with another detection capability too.. At the time, I was running Cylance, CrowdStrike, and Carbon Black on different computers -- and Carbon Black was my least liked of the three -- but it is good. And no, I don't pay for all these... my organization is a highly sought after large customer which sometimes results in free licenses for me.
 

Dex4Sure

Level 3
Verified
Well-known
May 14, 2019
116
These cyber criminals have sunk to a all time low when attacking a college university. These students are trying hard to get a education and than a job when they graduate and I'm sure they will have to pay a partial amount of money towards their education. These cyber bums need to be sent to college and learn how to become human beings:mad:

Hackers/malware coders are often times smarter and more knowledgeable than your average college students or IT admins for that matter. And college does not teach you how to be a human being, no idea where you got that from. Fact of the matter is there are people who are more likely to become criminals than others, its partly genetic, partly about upbringing. These people have decided to use their skills in wrong manner, yes that is correct... But it also shows how bad of a job the college's IT department has done. Maybe if these malware writers were hired for the job instead, they might be able to do a lot better job at keeping these systems safe.

Its sad to say this, but most people who come out of college have this 9 to 5 mentality and you'll never become exceptionally skilled in anything with that mentality. You just do your job, but refuse to spend any extra time in honing your skills. Well, guess what... The people who are the best programmers, hackers, businessmen whatever it is you want to do, they are the kind of people who are obsessed about their profession. They are workaholics. They spend most of their free time in honing their skills. They learn constantly through their life. This is the mindset that breeds success in real life.

I could go on a ramble just how much current education system sucks and how much improvement there is to be made, but I'll leave it for another time.
 

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
Although outdated, the best ransomware analysis is that of McAfee:


Beyond the use of the bat file, the subsequent variants are probably executed in the malware code, it is interesting to note the abuse of:

vssadmin, bcdedit, net.

I would like to advise MT members to monitor these commands.
Needless to say, OSA has predefined rules for controlling them.

Some MT members may want to block commands via registry with the value "Disallowrun".
On my OS XP this does not block command execution at a prompt.
It would be interesting to find out what happens in post XP OS.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top