The University of Maastricht Paid $294k to Ransomware Actors

By Bill Toulas / February 7, 2020

Maastricht University has announced that it was coerced into paying 30 Bitcoin to ransomware actors who had locked the institution's computer systems. This is the equivalent of approximately $294,300, so this incident was a pretty big blow for the historic Dutch educational institute. The initial infection happened on December 24, 2019, and the damage was so extensive that employees couldn’t access their emails, workstations were no longer accessible, everyone got locked out of the VPN network, no scans, copies, or prints could be produced, and everything in the university entered an anachronistic “manual mode”.

Maastricht University started its investigation and first repair efforts a few days later, filing a report with the police and taking all systems offline to prevent another attack. The education programs only resumed on January 6, 2020, with some critical systems returning online. Access to emails was restored the next day, but not all systems were online yet. Printing, scanning, copying, and VPN access remained an unresolved problem until the payment of the ransom, and the university couldn’t delay it any further. On January 27, 2020, access to VPN for employees was restored, but students were still unable to log in. As for the UM workstations, they too came online and ready to print on the same day but required a new login.

On February 5, 2020, the university held a symposium to discuss the “lessons learned”, while the recovery was still ongoing. What is interesting is that Dundee and Angus College in Scotland announced a ransomware attack too, which took place on January 31, 2020, and which knocked out their payment processing systems. Just a week before that, Regis University in Denver, Colorado, decided to finally pay the ransomware actors who had been holding their systems captive since last summer. Finally, at the start of this week, the ITI Technical College in Baton Rouge also announced that they have been targeted by ransomware actors and that they’re not planning to pay them a dime.

So, it’s been “school’s out” for many universities, and it’s not just a random occurrence. Colleges and universities are indeed ripe fruit for ransomware actors due to a combination of reasons. First, they can’t afford to have their systems down for long, as their core operation relies on their networks. Second, their security is usually not very robust. Third, they usually expose a large attack surface due to their open nature. That said, as long as universities aren’t taking cybersecurity very seriously, we will continue to see cases like these.
