What Maastricht University learned from the ransomware attack (part 1)

Frenzied

The ransomware attack on 23 December happened at lightning speed. In barely 30 minutes, the hackers managed to lock down the data of 267 servers at the university, including many critical systems. Email servers and numerous file servers - containing research data but also business operations data - were affected, for instance. The hackers also managed to encrypt a number of backup servers.

Malware via phishing email

On 15 October, the attackers sent a phishing email to several people within UM. One of the employees clicked on the link in the mail. That led the user to an Excel document containing a macro. That macro then retrieved malware from a remote server and installed it on the user's workstation.

Bart van den Heuvel: "The malware itself was recognised by our virus scanners but because the attackers had made small changes, it still passed through our virus scanners. A second phishing email with a link to a similar document was clicked by another user a day later. From then on, the attackers had initial access to the UM network."

Remaining constantly alert

The important lesson from this was that really anyone can be fooled by a phishing e-mail. "The user in question even reported the mail to the university's service desk. It turned out to be someone who was very 'internet savvy', but in these circumstances still clicked on a fraudulent link. I am convinced that it is impossible to 100% prevent someone from clicking on a malicious link, but awareness remains crucial," said Bart van den Heuvel.

Cashing in

Even after the ransomware attack, UM was not spared phishing. "For example, a phishing email circulated at UM explicitly referring to the ransomware attack at our institution and asking users to change their passwords as a precautionary measure in response to the incident at UM. Variants of this, also referring to UM, also circulated at other institutions. So other cybercriminals were also trying to get a piece of the pie. This meant that we constantly had to stay very alert and communicate very specifically to our users".

Awareness campaign

Before the summer, UM launched an awareness campaign with do's and don'ts. This is broader than phishing alone and also focuses on basic cyber hygiene, such as locking your screen as soon as you don't use your laptop for a while. It was repeated for students at the start of the new academic year in September. "To deliver the message in an attractive and playful way, we engaged a cartoonist. In the autumn of 2020 autumn, we are still conducting awarenes training sessions specifically tailored to both our IT staff and management. There are also plans, in close cooperation with our lawyers and the communications department, to send phishing emails ourselves to train our users in this way," he explains.

5 times more reports on phishing

The ransomware attack itself has already paid off in terms of awareness. For instance, UM's service desk already received 5 times more reports from users about phishing this year compared to last year, although there are no indications that the number of phishing emails has increased that much.

Lessons learned

In the period between 15 October and the ransomware attack on 23 December, hackers gradually made their way into UM's network. Bart van den Heuvel: "Their goal was to map out our network as much as possible and stay under the radar in the meantime. By abusing insecure backdoors, the hackers were able to get further and further into our network. For example, they managed to use an administrator's encrypted password, which was in the memory of one server, to gain access to a subsequent server."

Network segmentation

UM drew important lessons from the analysis of this "lateral phase" and has already implemented several measures to intervene more quickly in the future. "Our objective is clear: if attackers do get in, we have to make sure they cannot penetrate further into the network. We will do this by segmenting our network even better, with each server behind its own firewall. Furthermore, we will also separate our admin accounts better, so that an administrator does not automatically have access to everything."

Better monitoring

The university is also betting on improved and refined monitoring of the network 24/7. "We were already setting up a Security Operations Centre (SOC) last year. Two staff were supposed to start in January 2020, but due to the incident, they started the last week of December. The crisis allowed us to recruit a third FTE. That person, too, has since been hired."

Infrastructure detailed mapping

"Furthermore, we are going to improve our configuration management database (CMDB) so that we have a better overview of which systems are all in our network. We also want to map in great detail which processes are running on our servers and how those servers are connected to our more than 3,000 external resources. This is quite a challenge: our central IT department alone manages 3,000 workstations. On top of that, many systems are decentralised, and we currently do not have sufficient insight into that," Bart van den Heuvel clarifies.

In the second part of the case study, you will find out how crisis management was handled and what considerations UM made before proceeding to pay the ransom. We also give some tips on how to protect your organisation.

Part 2 of the interview talks about crisis management during the incident and what considerations UM made before proceeding to pay the ransom. It also includes some tips to protect your organisation.