Ransomware Hits Maastricht University, All Systems Taken Down

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Update #21: cyber attack at UM
24 January 2020

Although many students and employees are able to work again (for the most part) as they did before the cyber attack, the consequences of the hack are not over yet. The Executive Board therefore asks for some patience and understanding regarding issues that have not yet been resolved. Every day, dozens of colleagues are still working to restore everything as quickly as possible and as safely as possible. This update also includes information about the leniency arrangement for students who have been disadvantaged by the attack and the good news that the schedules for period 4 are available. It's also possible again to register online for an open day.
Click to expand...

Update #21: cyber attack at UM

www.maastrichtuniversity.nl www.maastrichtuniversity.nl
Update #22: cyber attack at UM
27 January 2020

From 9 o'clock this morning, students and staff are able to print, copy and scan again from UM workstations. VPN is also up and running, so as of today, people can work safely from home, with secure access to UM servers.
Click to expand...

Update #22: cyber attack at UM

www.maastrichtuniversity.nl www.maastrichtuniversity.nl
 
  • Like
  • +Reputation
Reactions: [correlate], Burrito, Protomartyr and 2 others
Burrito

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
  • Like
Reactions: upnorth, Gandalf_The_Grey and [correlate]
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Lessons learnt cyberattack UM:

Thank you for joining our livestream. During this symposium, we will share all of the information regarding the events as they unfolded during the cyber attack. After the livestream, a report will be published and shared online, which will include Maastricht University’s official statements. If you still have questions after the livestream, feel free to write an email to communicatie@maastrichtuniversity.nl. Please add the subject to your email “Question Cyber attack symposium”.
Click to expand...
Was too long for me to watch, but what happened was (according to Dutch media):
The entry point was a phishing mail.
Not all software was up to date.
No offline backups
They paid the ransom of 197.000 euros (30 bitcoin).

Universiteit Maastricht werd besmet via phishingmail en verouderde software - Security.NL

www.security.nl www.security.nl
Patient Zero:
1920x1080a.jpg
 
Last edited:
  • Like
  • Wow
  • +Reputation
Reactions: Mercenary, RKRN3, upnorth and 6 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Always a little cringe inside when I read that the ransom was paid. A very expensive lesson, it seems--almost a quarter of a million US dollars (216,000 currently). Well, what's a university without higher learning? Hope they implemented those lessons and will consistently maintain them.
 
  • Like
Reactions: RKRN3, upnorth, Protomartyr and 1 other person
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Some more info from FanJ @ wilders:
In short, what happened according to the above articles:
It all started already on 15 and 16 October 2019 with phishingmails, pointing to malicious document.
There were two servers with unpatched OS.
On 21 November the whole network was compromised: 267 servers and 2 workstations.
The hacker needed to use a certain software to roll out the ransomware further. That was detected by a AV.
The hacker then de-installed that AV.
On 23 December the ransomware was rolled out.
Backups were also encrypted.
The UM paid about 197.000 euro (30 bitcoin).
Click to expand...
www.wilderssecurity.com

Ransomware and Recent Variants

The Week in Ransomware - January 31st 2020 - Taking it to The Courts January 31, 2020...
www.wilderssecurity.com www.wilderssecurity.com
 
  • Like
  • +Reputation
Reactions: Amirqqpq, RKRN3, upnorth and 2 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
I missed watching the stream so thanks for the video share @Gandalf_The_Grey , but I'm not so sure I actually gonna click it. I'm really disappointed at UM and find it as I said before a disgrace that a University can't protect itself. Incompetent staff perhaps? Maybe the students could have done a much better work. :rolleyes:

No matter how exclusive or super rare or even extrem targeted this malware/infection was, with a normal genuine business backup system that is regular used and verified would/should have got their system up and running much faster. But, I don't know how their network actually was/is built and if the ransomware was constant infecting cleaned/new machines. Sounds like that was the case from the quote from Wilders, but I get the feeling the network machine numbers are wrong. Not too important anyway.

You that watched the video, did they mention what main AV they used when they was hit?

Another thing that makes me not wanna watch the video, not now anyway, is that they waited a long long time to spill the truth. That they paid the thieves. Also a pretty big sum. I wonder if their strategy was/is that people will hopefully forget sooner or later that they paid the ransom and instead recall UM as that place that worked their ass off getting everything back. :sleep:
 
  • Like
  • +Reputation
Reactions: Amirqqpq, harlan4096, Protomartyr and 2 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
What needs to be done in order to prevent a repeat?

  • The most important thing is creating awareness among students and staff, so that they learn to distinguish between phishing mails and regular e-mails.
  • Better detection and prevention: implementing security updates on all servers and developing 24/7 monitoring
  • Segmentation within the network: among others by implementing ‘fireproof doors’ so that some parts of the network can be shut off from the outside world. And giving fewer people access to all parts of the network.
  • Ensuring there are online and offline back-up
Click to expand...

“Great moral objections” against paying a ransom

Observant Online is de online versie van het onafhankelijke universiteitsblad van de Universiteit Maastricht
www.observantonline.nl
 
  • Like
  • +Reputation
Reactions: upnorth and harlan4096
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
“the continuity of the UM” was at risk, he said. “Study progress, scientific research, sustainable security of data, business processes”; with all of this, the UM ran “unacceptable” risks. Because if files are encrypted and you don’t have the key (“decryptor”), how long would it take to rebuild everything from scratch? That could take weeks, even months, experts ensured the Board. Moreover, that would almost certainly mean loss of crucial data files.
Click to expand...

“Great moral objections” against paying a ransom

Observant Online is de online versie van het onafhankelijke universiteitsblad van de Universiteit Maastricht
www.observantonline.nl
Curious IMO that something that's with most companies, organisations etc is worth much more then anything is always oddly forgotten when ransom gets paid. The Brand itself and in this case, UM ( Maastricht University ). Trust, is also another keyword.
 
  • +Reputation
  • Like
Reactions: Amirqqpq and Gandalf_The_Grey
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
University of Sydney data breach impacts recent applicants
Replies
1
Views
719
News Archive
cofer123
C
Gandalf_The_Grey
    • Applause
    • Like
    • +Reputation
Maastricht University gets partial ransom back after ransomware attack in 2019
Replies
2
Views
985
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Bot
    • +Reputation
    • Like
Security News Ransomware hits The Big Issue. Qilin group leaks confidential data
Replies
0
Views
927
Security News
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top