A Dutch university has held a press conference where it admitted paying a 30 bitcoin ransom (approximately 200,000 Euro or US $220,000) to hackers who compromised its network in the immediate run-up to Christmas 2019.
At the press conference, which was live streamed to the internet in Dutch, Maastricht University (UM) staff described what they knew about the attack, the impact which it had on staff and students, and the lessons it had learnt.
Maastricht University’s problems began on 15 and 16 October 2019, when two phishing emails were opened on two different workstations. These emails resulted in attackers being able to gain access to the University systems.
Several servers were then compromised by the hackers from 16 October 2019. On 21 November 2019, the attackers were able to exploit a server which had not received security updates, and managed to obtain full admin rights over the university’s network infrastructure.
The ransomware attack itself occurred on December 23 2019, as the Clop ransomware was deployed to 267 Windows servers, encrypting all files and demanding a ransom be paid for their recovery.
There’s no such thing as a good time for an organisation to handle a cyber attack, but the Christmas holidays pose a specific challenge, as many staff will have plans to spend time with their families over the festive season.
Nonetheless, the University said that “as many as two hundred UM employees did not spend the Christmas holidays undisturbed at home, but worked at least part-time.”
And it wasn’t just IT staff who got called in to help as the University battled to be ready for the return of 19,000 students on 6 January.
“…many staff members from faculties and support services became involved in addressing the effects of the hack because of their knowledge of educational processes and student welfare …. varying from lecturers and staff of education offices to student advisors, student counsellors, student psychologists, timetable schedulers, help desk staff; policy advisors with legal, financial, HR and academic expertise; staff of the university library, facility services who are involved in the early opening of buildings among other things. And, of course, the employees who took charge of internal and external communication so early on in the process.
We were able to call on a great many of our employees and their supervisors. They worked very long days and weeks without a whisper of a complaint and with an enormous loyalty to UM and its students and staff—a sacrifice and endeavour for which we are very grateful.”
One key decision came to a head on 29 December, about a week after the attack: should the University pay the ransom or not?
In its management summary of the incident, produced in co-ordination with security experts at Fox-IT, Nick Bos, vice preisdent of Maastricht University, explained the decision:
Weighing these factors ultimately comes down to the degree and duration in which education, research and daily operations are disrupted if the decryption of data and disinfection of systems is not carried out for a long time. Making or having a ‘decryptor’ yourself is, according to experts, either impossible or will take a very long time (with a duration that is impossible to determine beforehand, if it ever succeeds). And not obtaining a ‘key’ means that UM must rebuild all infected systems completely from ‘scratch’ and must consider the original, often crucial, data (files) associated with the systems as ‘written off’ if and insofar as ‘back-up files’ are not available.
In this case, it would take (many) months for UM’s education, research and business operations to even be partially up and running again. The damage this would cause to the education and work of students, researchers, staff and the risks to the continuity of the institution would essentially be unforeseeable.
If payment would be made to obtain the ‘decryptor’, the continuity of the organisation could in principle be guaranteed much better and much sooner. It would then be sufficient to clean up existing systems that are infected, a process that would take considerably less time than building new systems and copying saved data from backups.
Faced with this dilemma, the university administration ultimately made an independent decision that was entirely focussed on the interests of students, staff and the institution: acquiring the decryptor.
It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made.
And clearly, as the University was able to welcome students back on 6 January and conduct exams “more or less as planned” and suffered “little or no irreparable damage” it feels it made the right pragmatic choice.
The University says it will improve its cybersecurity, and put into effect the recommendations of Fox-IT.
According to the University, it will share information and findings with other universities and higher education institutions, and hopes that by being open about its experiences it will stimulate “a broader discussion and further cooperation”.
To learn more about the attack and its remediation, check out the Maastricht University website.