Maastricht University finally paid a 30 bitcoin ransom to crooks

Pierluigi Paganini February 09, 2020

In December, Maastricht University was hit with ransomware attack, now the university admitted to have paid the ransom requested by crooks.

In December 2019, Maastricht University (UM) announced that ransomware infected almost all of its Windows systems on December 23.

Maastricht University is an excellent university attended by over 18,000 students, roughly 4,400 employees, and 70,000 alumni.

“Maastricht University (UM) has been hit by a serious cyber attack. Almost all Windows systems have been affected and it is particularly difficult to use e-mail services.” stated a notice published by the UM in December. “UM is currently working on a solution. Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data.”

At the time the university did not reveal details of the attack or family of ransomware that infected its systems. It is unclear if the attackers have exfiltrated data from the systems before encrypting them.

Now the university (UM) admitted to have paid a ransom of 30 bitcoin requested by the attackers.

“Since the cyber attack on 23 December 2019, UM has been working hard: on the one hand, to repair the damage and, on the other hand, to make education and research possible again as soon as possible.” read a management summary of the Fox-IT report and UM’s response.

“Part of our technical infrastructure was affected during the attack. That infrastructure consists of 1,647 Linux and Windows servers and 7,307 workstations. The attack ultimately focused on 267 servers of the Windows domain. The attacker focused on encrypting data files in the Windows domain. The backup of a limited number of systems was also affected.”

Now all critical systems at the University are online and offline backups were secured by the company.

According to security experts at Fox-IT, the ransomware attack is compatible with other attacks carried out by the TA505 cybercrime gang.

“The modus operandi of the group behind this specific attack comes over with a criminal group that already has one has a long history, and goes back to at least 2014,” reads the Fox-IT full report to UM (in Dutch).

TA505 hacking group has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with LockyBitPaymerPhiladelphiaGlobeImposter, and Jaff ransomware families.

Security experts from cyber-security firm Prevailion reported that TA505 has compromised more than 1,000 organizations.

Recently Microsoft warned that TA505 changed tactic in an ongoing malware campaign

Fox-IT experts believe that TA505 hackers compromised the university’s systems via phishing messages, at least two malicious e-mails were opened on two UM systems on October 15 and 16.

The attackers gained admin rights on an unpatched machine until November 21 and used lateral movements to infect as much system as possible with the Clop ransomware.

After careful analysis of the possibilities, on December 30, the Maastricht University paid the ransom to decrypt its files.

UM acquired the ransomware decryptor by paying a 30 bitcoin ransom (roughly $220,000 or €220,000).

During the investigation, traces were found that show that the attacker collected data regarding the topology of the network, usernames, and passwords of multiple accounts, and other network architecture information,” reads the report. “During the investigation, traces were found that show that the attacker collected data regarding the topology of the network, usernames and passwords of multiple accounts, and other network architecture information. Fox-IT did not find any traces within the scope of the investigation that point to the collection of other types of data.”

The decision was taken by the Executive Board after evaluating the consequences of a prolonged downtime on the servers at the university.

“It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made,” states UM. “We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.”

“The fact that on 6 January and thereafter we were able to have teaching and exams take place, more or less as planned, that UM researchers suffered little or no irreparable damage, and that we were also able to make the salary payments for 4,500 employees on time, strengthens our confidence that we made the right choice.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Maastrict University, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment