Maastricht University in the Netherlands, a European public university, announced Wednesday that it had paid hackers a ransom of 30 bitcoin (which translates to $220,000) following a ransomware attack that unfolded on December 24.
In a press conference, Nick Bos, Vice Chairman of the university board, told reporters that the university opted to pay the required ransom in order to gain access to its IT systems.
"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," the university explained. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.
"The fact that on 6 January and thereafter we were able to have teaching and exams take place, more or less as planned, that UM researchers suffered little or no irreparable damage, and that we were also able to make the salary payments for 4,500 employees on time, strengthens our confidence that we made the right choice."
As it turns out, the university’s networks were first breached in October after two phishing emails were opened on two different workstations. In November, the attackers then compromised a server that did not have the latest security updates. As a result, hackers were able to obtain full admin rights to the university’s network infrastructure.
It was not until December 23 that the university became aware of the attack, after computers flashed up the criminals’ ransom demands. In response to the incident, a university spokesperson said that the institution decided to shut down all of its IT systems to contain the damage and reached out to the police on Dec 26.
In the course of the investigation, cybersecurity experts from Fox-IT were able to identify the cybercriminal group TA505 as the team behind the attack. According to their report, traces were found indicating that the attackers collected data regarding the topology of the network, the usernames and passwords of different accounts, as well as other network architecture information.
To date, a university spokesperson told The Daily Swig that “everything is pretty much back to normal.” However, UM promises to continue investigating the incident, especially after forensic research “indicates how cybercriminals have taken some of UM's data hostage.”