Maastricht University (UM) was affected by a cyberattack in which the hackers encrypted some of its critical systems in December last year. The university has now revealed that it paid the ransom of 30 bitcoins demanded by the hackers.
UM is a university in the Netherlands with around 4,500 employees, 18,000 students and 70,000 alumni, and is among the top 500 universities in the world.
The university explains that its technical infrastructure comprises 1,647 Linux and Windows servers and 7,307 workstations, and that part of it was affected during the attack.
The attack ultimately focused on 267 servers in the Windows domain, where the attackers concentrated on encrypting data files. The backups of a few systems were also affected.
The university says that all critical systems now have both online and offline backups, so that a future attack cannot destroy every copy of the data.
TA505 behind the attack
The financially motivated hacking group TA505 (also named SectorJ04) is believed to be behind the attack. The group is known for mainly targeting retail companies and financial institutions since at least late 2014.
The group is also known for using remote access Trojans and malware downloaders that delivered the Dridex and Trick banking Trojans as secondary payloads during its campaigns, as well as for deploying several ransomware strains, including Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff, on its targets’ computers.
The hackers managed to infiltrate the university’s systems through two phishing e-mails that were opened on two UM systems on October 15 and 16.
Later, after obtaining admin rights on an unpatched machine, the attackers moved through UM’s network compromising servers until they finally deployed the Clop ransomware payload on 267 Windows systems.
After the attack, the university engaged security company Fox-IT to assist with the incident’s forensic investigation and the crisis management process, and to provide advice during the recovery.
It was, however, confirmed that research and personal data were not exfiltrated.
The university also disclosed that it paid the ransom on December 30 to get the files decrypted. In exchange for 30 bitcoin (approximately $220,000 or €220,000), it received the ransomware decryptor from the attackers and restored all the encrypted files.
By paying the ransom, the university avoided having to rebuild all the compromised systems from scratch, which would have meant losing research, educational and staff data and delaying exams and salary payments to its 4,500 employees.