
Case study: What Maastricht University (UM) learned from the ransomware attack (part 1)

The GL17 building of UM, where the ICT Service Center is located. This building was the setting for the meetings of the Crisis Management Team during the entire Christmas week and the 1st week of January 2020.

On 23 December last year, Maastricht University (UM), which is connected to the Dutch education and research network SURFnet, was hit by a major ransomware attack. After thorough investigation and serious consideration, the institution decided to pay the requested ransom. GÉANT spoke with Bart van den Heuvel, Chief Information Security Officer (CISO) at UM. ‘A cyber attack is going to happen to you anyway. It is a matter of preparing yourself as well as possible and limiting the impact.’

The ransomware attack on 23 December took place very quickly. In just 30 minutes, the hackers managed to lock the data on 267 servers of the university, including quite a few critical systems. The email servers and numerous file servers (with research data but also business operations data) were affected. The hackers also managed to encrypt several backup servers.

In this article we will explain how the attack occurred and what lessons UM has learned from the crisis. Through knowledge sharing and information exchange, the university aims to help other educational and research institutions in the GÉANT community to better arm themselves against cyber attacks. In this first part of the case study we will discuss the phase preceding the actual attack.

Malware via a phishing email

On 15 October, the attackers sent a phishing email to several people within UM. One of the employees clicked on the link in the mail. This led the user to an Excel document containing a macro. The macro then retrieved malware from a remote server and installed it on the user’s workstation.

Bart van den Heuvel: ‘The malware itself was known by our virus scanners, but because the attackers had made small changes, it got through our virus scanners anyway. A second phishing email with a link to a similar document was clicked a day later by another user. From that moment on, the attackers had initial access to the UM network.’

Always stay alert

Bart van den Heuvel, CISO at UM

The important lesson was that anyone can be fooled by a phishing email. ‘The user in question even reported the mail to the university’s Service Desk afterwards. They turned out to be someone who was very ‘internet savvy’, but in these circumstances clicked on a fraudulent link anyway. I am convinced that it is impossible to completely prevent someone from clicking on a harmful link, but awareness remains crucial’, says Bart van den Heuvel.

Even after the ransomware attack, UM was not spared from phishing. ‘For example, a phishing email circulated at UM which explicitly referred to the ransomware attack in our institution and asked users to change their password as a precautionary measure in response to the incident at UM. Variations on this, also with reference to UM, also circulated at other institutions. In other words: other cyber criminals also tried to grab their share. This means that we have to remain very alert at all times and communicate very specifically to our users.’

Tailoring awareness campaigns to target groups

Before the summer, UM launched an awareness campaign with dos and don’ts. The campaign went beyond phishing and focused on basic cyber hygiene, such as locking your screen when you are not using your laptop for a while. It will be repeated for students at the start of the new academic year, at the beginning of September. ‘In order to bring the message in an attractive and playful way, we called in a cartoonist. In the autumn, we will also be giving awareness training courses specifically tailored to our IT staff and our management. We also plan to send phishing emails ourselves, in close cooperation with our lawyers and communication service, to train our users’, Bart van den Heuvel explains.

The ransomware attack itself has already borne fruit in terms of awareness. For example, UM’s Service Desk has received 5 times more reports from users about phishing this year than last year, although there are no indications that the number of phishing emails has risen so sharply.

Better segmentation

In the period between 15 October and the ransomware attack on 23 December, the hackers gradually worked their way into UM’s network. Bart van den Heuvel: ‘Their goal was to map out our network as well as possible and stay under the radar in the meantime. By abusing unsafe backdoors, the hackers were able to get further and further into our network. For example, they managed to use an encrypted password of an administrator, which was in the memory of a certain server, to gain access to the next server’.

UM drew important lessons from the analysis of this ‘lateral phase’ and has already implemented various measures in order to be able to intervene more quickly in the future. ‘Our objective is clear: if attackers do get in, we must ensure that they cannot penetrate further into the network. We do this by segmenting our network even better, with each server behind its own firewall. We will also better separate our administrator accounts, so that an administrator does not have automatic access to everything.’

Better monitoring

The university is also committed to improved and refined monitoring of the network, 24/7. ‘Last year, we were already setting up a Security Operations Centre (SOC). Two employees were supposed to start in January 2020, but due to the incident they already started in the last week of December. The crisis made it possible for us to recruit a third Full Time Employee (FTE). That person has been hired in the meantime.’

Detailed mapping of infrastructure

‘We are going to improve our configuration management database (CMDB), so that we have a better overview of the systems that are part of our network. We also want to map in detail which processes are running on our servers and how those servers are connected to our more than 3,000 internal and external sources. This is quite a challenge: our central IT service alone manages 3,000 workstations. In addition, many systems are set up in a decentralised manner, and we do not have a good overview of these right now,’ Bart van den Heuvel explains.


Tips – How can you prepare your institution?

  • Awareness remains a crucial factor
    • Make your users aware of the risks of (spear) phishing and teach them how to recognise fake messages.
    • Tailor your information to your specific target group (students, employees, IT staff, management…).
    • Some target groups are especially vulnerable. Take this into account in your awareness plan.
    • Encourage people to report incidents.
  • Map your network and the way in which systems and data are connected in detail. Create a list of contacts and backup contacts, indicating who manages what.
  • Prevent vulnerabilities from being exploited by performing timely updates and installing patches.
  • A SOC (Security Operations Centre) helps you to monitor cyber threats and detect abnormal behaviour faster.


In the second part of the case study you will learn how the crisis management was handled and what considerations UM made before proceeding with the payment of the ransom. We will also give a few tips to protect your organisation.