On 23 December last year, Maastricht University (UM) was hit by a major ransomware attack. The hackers executed a command installing ‘Clop’ ransomware on 267 servers of the Windows domain. As a result, almost all of UM’s operational processes were disrupted. Several online backup servers were encrypted as well. In part 2 of the interview with Bart van den Heuvel you will read more about the crisis management during this incident. Read Part 1 here.
Bart Van den Heuvel: ‘We immediately activated our crisis management plan and, in view of the impact, very quickly decided to call in external help. We got this from Fox-IT. They took on the forensic investigation and monitoring and assisted us with advice throughout the crisis. We were also assisted by SURFcert, the NCSC (National Cyber Security Centre), the police, etc. Internally, the full breadth of our organisation was involved: the IT services, the management, our finance department, Marketing & Communications and our legal team… In total, more than 150 people were involved in the crisis.’
Transparent communication
UM immediately shut down its network to prevent the situation from worsening. Furthermore, the university decided from the outset to communicate transparently and openly. ‘Everything that was communicated internally also reached the outside world. Unlike most organisations that fall victim to cyber attacks, we wanted to be open with our stakeholders from the beginning. In any case, in the Netherlands we are bound by the Act on public access to government information, which gives citizens the right to inspect the government’s actions. Transparency was therefore an obvious choice for us’, says Bart van den Heuvel.
Through regular updates on the UM website, end users were able to follow the status of the incident. There was also proactive communication to the press, although speculation and inaccurate reporting could not be completely avoided. ‘Contrary to what was claimed in some media, we did have backups that were still usable. Not all our data was encrypted either.’
Even so, the impact of the attack was huge. Quite a few critical systems were affected. ‘267 locked servers: this meant that a lot of people were involved. In addition, it took us several days to find the infected laptop. It also quickly became clear that if we had to restore our backups and rebuild the other systems, we would have months of work.’
A serious moral dilemma
In the meantime, UM contacted the attackers. As the mail servers had been affected, the communication took place via Bart van den Heuvel’s personal email address. ‘We communicated with them very regularly: on the one hand to gain time, on the other hand to make sure we were talking to the right party. For the latter reason, we also came up with both technical and financial control questions such as making a test payment.’
In the week between the attack and the decision to pay the ransom, UM carried out analyses and investigated various options. ‘In 3 days, we managed to set up a new mail server. Its database was not encrypted. The archive system, on the other hand, was not usable: you can do without an archive for a few days, but not for months. Our external partner Fox-IT had managed to unlock one small file, but it had taken them a whole night to do so. We knew that we would lose a lot of valuable time if we chose this option.’
Even so, the decision to pay the ransom constituted a serious moral dilemma for the UM Board. ‘The Board did not make the decision lightly and considered all interests thoroughly. After long deliberation they finally decided to pay the ransom in the interest of the continuity of education and research at our institution. The fact that the teaching and the exams in January were able to continue without too much hindrance and that there was little impact on scientific research has strengthened our idea that we made the right decision.’
Quick wins
Exactly one week after the incident, UM proceeded to pay the ransom and the university received the key to unlock the servers. ‘Obviously, we had a further in-depth investigation carried out afterwards. Fox-IT found no evidence of data exfiltration except for the passwords and our network topology. We have carried out an additional investigation ourselves – which is still going on – and have come to the same conclusion: no evidence has been found that our data has been deleted, modified or made public.’
In the report that was drawn up about the crisis, the Ministry of Education concluded that UM did not act negligently and handled the situation very satisfactorily. ‘This crisis has had a huge impact, but on the other hand it has also taught us a lot and enabled us to improve our security policy. In addition to our long-term actions, we were able to carry out several quick wins. For example, on 2 January we already decided that students had to set a new, strong password. That decision would undoubtedly have met with resistance in other circumstances but was now adopted without a murmur.’
Knowledge sharing
Even after the crisis, UM continued to communicate in a very transparent way. ‘We absolutely wanted to share our lessons learned with other institutions. On 5 February this year, barely a month after the crisis, we already organised a symposium to share our experiences.’
‘Above all, we want to emphasise that this is about more than UM. Last year we were the victims, today is the turn of a different institution and tomorrow a different one again. It is important that we take cyber security to a higher level, as it is one of the greatest challenges in our society,’ Bart van den Heuvel concludes.
Summary of tips – How can you prepare your institution?
- Draw up a crisis management plan in which the necessary protocols for an IT security incident are already included. Determine in advance who will be part of the crisis team and what the roles and responsibilities of these persons will be. This saves you a lot of time and chaos when you are faced with a crisis. You can also learn a lot from regularly organising or participating in crisis exercises.
- Communicate as transparently as possible and inform partner organisations. Many organisations that are confronted with a cyber incident try to keep this in house as much as possible. By warning and informing others from the outset, you can prevent fellow institutions from being affected by a similar incident.
- Backups: Make sure you have online and offline backups of your systems and data. But also keep in mind that restoring backups takes a lot of time.
- When developing new systems, consider the principles of ‘security by design and by default’.
Further (technical) information
- Management summary of the Fox-IT report and UM’s response to the report (in English)
- Presentation ransomware attack 2019 (in English)
Read also Part 1 of this interview here: https://connect.geant.org/2020/10/20/case-study-what-maastricht-university-um-learned-from-the-ransomware-attack-part-1