KnowBe4 Security Awareness Training Blog

Major Dutch University Still Fighting Ransomware Downtime; Expert Says Russian Hacker Group Responsible

Written by Stu Sjouwerman | Dec 30, 2019 3:53:39 PM

Maastricht University, a major Dutch university, was still trying to recover from a crippling cyber attack nearly a week after its computer systems were infected by ransomware. New York-based cyber expert Vitali Kremez said that the Russian organized cybercrime group TA505 is responsible; the group distributes Clop, a ransomware strain first discovered in February 2019.

The university, which has 19,000 students and 4,500 faculty, warned: "It is of the utmost importance at this moment that students and staff do not perform any actions on University computers or systems. This applies to both inside and outside the university. This is to avoid any risk for research and repair work and for data retention."

The university was particularly concerned about whether researchers would be able to meet deadlines for grant and subsidy applications. In a statement, the university said it would try to lobby on behalf of researchers to obtain deadline extensions wherever possible, but that the winter break might make its appeals less likely to be heard.

Also on Monday, the university expanded the capacity of a helpdesk to assist in answering questions from students regarding the attack. It also said that the applications for all study programs, including those submitted before the attack, were safe.

The university said it still planned to resume classes on January 6, with its buildings set to reopen four days earlier.

Security firm Fox-IT was working with the university on the forensic investigation and recovery of the UM systems hit in the ransomware attack, in which the attackers encrypt files with a key only they know and reveal that key to decrypt the affected files once a ransom is paid.

"TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware," said global cybersecurity business Trend Micro.

Kremez also noted the hacker group's focus on public institutions, for which data recovery is urgently necessary. "The chance that they will pay ransom is therefore greater," he told De Limburger.

"Almost all Windows systems have been affected and it is particularly difficult to use e-mail services," the university said on Christmas Eve. "Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data."

The Clop strain also infected a French hospital and the University of Antwerp in Belgium. The Clop code is installed on all systems manually, after network access is obtained through phishing attacks.