MAASTRICHT. Maastricht University, which was hit by a cyberattack just before Christmas, paid the ‘ransom’ to the hackers. In doing so, the key was obtained to make systems accessible again. This was reported by well-informed sources at the UM. No official statements are being given.
It is still unclear how long it will be before all systems are working again. Interim spokesman Fons Elbersen: “For example, we won’t say that the e-mail is working properly again until it is fully operational.” The UM spokesman does not want to either confirm or deny the stories about any payment of ransom; the university will not make any announcements as long as the investigation into the hack and its consequences is still ongoing, also because it does not want to endanger the ‘digital security’.
Experts, for example on tech sites such as Tweakers and Security.nl, claim that ransomware hacks like these, in which entire computer systems are locked down and only released when the ransom has been paid, usually end in payment. If only for the fact that it is cheaper in the end than having to work for weeks or even months to repair things, rendering the institute powerless for a long period. This can run into hundreds of thousands if not millions. This was a risk for the UM too. It is not the first university to surrender to the demands of digital blackmailers. Calgary University in Canada announced in 2016 of their own accord that they had paid after having been hacked. It was a relatively small amount, 20 thousand dollars. According to reports, the UM may have paid a few hundred thousand euro. Most likely in bitcoins, the currency that cyber criminals prefer to work with.
Coincidence or not, a similar amount of two hundred thousand was what Frank Groenewegen, Chief Security Expert at cyber security company Fox-IT (which is also involved in the UM’s rescue operation), mentioned on Radio 1 shortly after the attack on the UM. The discussion was about insurance for this type of damage (the UM was not insured, by the way), which Groenewegen objects to because it would maintain the criminals’ business model. Moreover, the question is what should be insured, he said at the time: the payment of a ransom of two hundred thousand, for example, but not the expenses made, for repairs and the enforced inactivity which could run to six hundred thousand or more? Groenewegen was unavailable for further comment this morning (2 January).
The procedure followed by the criminals and the UM appears to have been a textbook example. IT experts describe the practice as follows: the networks of the institute affected are locked down, the hackers make their demands known. Upon payment of a small amount, they will return a couple of ‘repaired’ files, after which payment of the rest of the amount follows and the key is handed over.
An important question is of course whether the blackmailers have access to files that they can use again at a later stage to blackmail the UM or its researchers. Nothing on this matter has been disclosed.
The origin of the hack is still vague too. In media such as De Limburger and later also the NOS, IT experts claimed that it came from Russia. Other experts say that this kind of report is pure speculation: tracing such hackers is like looking for a needle in a haystack. By the way, the Calgary hackers were found two years after the incident: they turned out to be Iranian.
In the near future, after the investigation into the hack has been completed, the UM will share “everything that has been found out” with sister institutes and other interested parties such as detection agencies and cyber security companies, spokesman Elbersen reported.
With the co-operation of Wendy Degens and Riki Janssen