Maastricht University pays ransom to hackers

Edition 31 January, by Louis Gore Langton

Maastricht University has reportedly been forced to pay a significant sum to a criminal cyber group after being held ransom by hacking software. The university was targeted on 23-24 December and was forced to shut down its networks for over a week. The breach caused major disruption: campus internet, online study materials, class schedules and printing facilities were all unavailable to students. University staff could not use their laptops or computers and over 5000 students have since changed their passwords to safeguard against further attacks. An additional re-sit of exams and deadline extensions were arranged following the Christmas break.

Whilst officials have so far refused to release details of the ransom payment, it’s possible the amount will have run into hundreds of thousands of euros, likely paid in Bitcoins. Most companies targeted by such cyberattacks are forced to pay; the disruption caused can leave no alternative other than to face bankruptcy. The average cost incurred is around € 5 million, including collateral expenses like hiring security experts, according to a report by analysts Aon.

Russian ‘Evil Corp’ gang
The perpetrators of the attack are likely a Russian criminal group named ‘Evil Corp’, which last year developed the ransomware ‘Clop’ to hold large companies and institutions hostage. The group, which has been active since 2014, was previously behind the spread of notorious malware that targeted financial institutions and successfully extorted hundreds of millions from companies throughout the world. In December the United States brought charges against Russian national Maksim Yakubets, naming him as the gang’s leader. He alone is thought to have made over $ 100 million from his criminal activities.

The UK’s National Crime Agency has described Evil Corp as ‘the world’s most harmful criminal cyber group’. Yakubets, aged 32, has an opulent online persona, showing pictures of his fleet of sports cars, stacks of cash and a wedding that cost over a quarter of million euros. Efforts to bring him to justice have so far resulted in eight people being sentenced to a total of over 40 years in prison for laundering money. A $ 5 million bounty for his capture – the largest ever offered for a cybercriminal – has been promised by the US State Department.

Whether Evil Corp is directly behind the attack in Maastricht is still uncertain, though experts maintain it is by far the most likely culprit.

Latest victim of the ‘Clop’ malware
Maastricht University is not alone in falling victim to the ‘Clop’ malware. The University of Antwerp and a French hospital were both successfully targeted with the same ransomware last year. Universities and colleges keep each other informed on cybersecurity matters through an IT organization called Surf. The French government also issued a formal warning regarding the malware.

During the breach in Antwerp, officials said that the Blackboard learning environment, scientific documents and student data had remained protected. Only the institution’s mail and cafeteria payment systems were compromised. Since the attack in Maastricht, the Vrije Universiteit in Amsterdam has made a public statement saying that its security requires no additional backup and that IT staff are not on heightened alert. These revelations raise serious questions about the standard of online security at Maastricht University and how such a severe breach could be possible – particularly given the fact that warnings had evidently been issued.

The malware would likely have entered the University’s systems through phishing, in which a student or member of staff will have opened a disguised email. Whilst full details of the attack remain murky, it is unlikely that Maastricht’s scientific data will have been affected, due to higher levels of security. This is fortunate, since cybercriminal gangs are increasingly looking to monetize stolen intellectual property, according to a report by Positive Technologies.

Calls for greater transparency
Officials at Maastricht University are facing criticism for their handling of the crisis. Very few details of the attack have been confirmed and answers have remained cryptic. A spokesman confirmed that contact had been made with the criminals but refuted rumors that a ransom negotiation was underway and refused to add any further detail, according to the university newspaper Observant. An interview with the Dean of the University of Calgary in Canada, which was taken hostage by cybercriminals in 2016, showed that full details of the attack and the ransom payment were released within days. Public sector institutions should pride themselves on openness, Observant quotes him as saying.

Under mounting public pressure to offer full disclosure, Maastricht University has announced a hearing on 5 February in which it will “reveal all”, though it is still unclear what exactly this will mean. A parliamentary debate on the attack has been approved.