Mannen achter laptop en groot scherm
Case study

What Maastricht University learned from the ransomware attack (part 2)

On 23 December 2019, a serious ransomware attack took place at Maastricht University. Clop malware was installed on 267 servers of the Windows domain. As a result, UM's full operational functioning was disrupted. In part 2 of the interview with Bart van den Heuvel, you will read more about the crisis management during this incident.

More than 150 people involved in crisis

Bart van den Heuvel: "We immediately activated our crisis management plan and, given the impact, also decided very quickly to call in external help. We got that from Fox-IT. They took charge of the forensic investigation and monitoring and assisted us with advice throughout the crisis. We were also helped by SURFcert, the NCSC (National Cyber Security Centre), the police, et cetera. Internally, the full breadth of our organisation was involved: IT services, management, our finance department and legal team. A total of 150 people were then involved in the crisis."

"It is important that we take cyber security to the next level because it is one of the biggest challenges of our society."
Bart van den Heuvel, CISO at Maastricht University

Transparent communication

UM immediately shut down its network to prevent worse. Furthermore, the university decided from the start to communicate transparently and openly. "Everything that was communicated internally also went to the outside world. Unlike most organisations that fall victim to a cyberattack, we wanted to be open with our stakeholders from the start. In any case, in the Netherlands we are bound by the Government Openness Act (Wob), which gives citizens the right to inspect the actions of the government. Transparency was therefore an obvious choice for us," says Bart van den Heuvel.

Regular updates on website

Regular updates on the UM website allowed students, among others, to follow the status of the incident. There was also proactive communication to the press, although speculation and misreporting could not be completely avoided. "Contrary to what was claimed in some media, we did have backups that were still usable. It was also not the case that all our data was encrypted."

Impact very high

Nevertheless, the impact of the attack was very big. A lot of critical systems were affected. "267 locked servers: that meant a lot of people were involved. Moreover, it took several days before we found the infected laptop. It also quickly became clear that if we had to restore our backups and rebuild the remaining systems, we would have months of work."

Tough moral trade-off: ransom paid

Meanwhile, UM contacted the attackers. Because the mail servers had been affected, that communication was through Bart van den Heuvel's personal e-mail address. "We communicated with them very regularly: partly to save time, but also to make sure we were talking to the right party. For the latter reason, we also devised both technical and financial control questions such as making a test payment."

Proprietary analyses to decrypt ransomware

In the week between the attack and the decision to pay the ransom, UM conducted analyses and explored various options. "After 3 days, we managed to set up a new mail server. Its database was not encrypted. The archive system, on the other hand, was not usable: you can do without an archive for a few days, but not for months. Our external partner Fox-IT had managed to unlock one small file, but had taken one night to do so. We knew we would lose a huge amount of valuable time if we followed this option."

Not overnight

Still, the decision to pay the ransom constituted a tough moral consideration for the UM administration. "We did not proceed overnight and thoroughly weighed all interests. After long deliberation, we finally took the decision to pay the ransom anyway in the interest of the continuity of teaching and research at our institution. The fact that teaching and examinations could continue in January without too much disruption and there was little impact on academic research has strengthened our belief that we made the right decision."

After unlocking files, in-depth investigation done

Exactly one week after the incident, UM proceeded with payment and the university received the key to unlock the servers. "Naturally, we had further in-depth investigations carried out afterwards. Fox-IT found no evidence of data exfiltration other than the passwords and our network topology. We conducted our own investigation afterwards - which, incidentally, is still ongoing - and came to the same conclusion: no evidence was found that our data had been deleted, modified or disclosed."

Acted very appropriately

In the report prepared on the crisis, the Ministry of Education, Culture and Science concluded that UM had not been negligent and had acted very adequately. "This crisis had a huge impact but, on the other hand, it also taught us a lot and enabled us to improve our security policies. In addition to our long-term actions, we were able to implement a number of quick wins. For example, as early as 2 January, we decided that students should set a new, strong password. That decision would undoubtedly have met resistance in other circumstances, but was now adopted without grumbling."

Knowledge sharing

Even after the crisis, UM continued to communicate very transparently. "We definitely wanted to share our lessons learned with other institutions. On 5 February 2020, barely a month after the crisis, we organised a symposium to share our experiences."

Taking cyber security to the next level

"We especially want to emphasise that it goes beyond UM. At the beginning of this year, we were the victims, today it's another institution and tomorrow another one. "It is important that we take cyber security to the next level, because it is one of the biggest challenges of our society," concludes Bart van den Heuvel.

Tips

  • Create a crisis management plan that includes the protocols for an IT security incident. Determine in advance who is on the crisis team and what their roles and responsibilities are. This will save you a lot of time and chaos when faced with a crisis. You can also learn a lot from regularly organising or participating in crisis drills.
  • Communicate as transparently as possible and inform partner organisations. Many organisations facing a cyber incident try to keep it 'in-house' as much as possible. By warning and informing others from the start, you can prevent fellow institutions from being affected by the same incident.
  • Make sure you have online and offline backups of your systems and data. But also keep in mind that restoring backups takes a lot of time.
  • When developing new systems, take into account the principles of "security by design and by default".