Netherlands - Maastricht University, hit by a cyber attack just before Christmas, announced yesterday that it had paid 197,000 euros in ransom to the hackers. Although it can present an organization with a huge dilemma, police still advise against paying in such ransomware cases. "Otherwise, we keep the criminals' business model alive."

A major ransomware attack shut down all email traffic and Windows systems at Maastricht University (UM) on Dec. 24, 2019. "The hostage software made both staff and students unable to access their academic data," said team leader Metten Bergmeijer of the Limburg cybercrime team.
'It has every appearance that the attack was carefully planned over the Christmas period,' Bergmeijer said. 'Partly because of that it was discovered late and was able to grow so large. The university only reported it to us after two days - in the afternoon of Boxing Day. We have very short lines of communication with the Team High Tech Crime (THTC) of the National Unit and were able to call on their expertise. They supported us immediately with recording the report and securing a number of traces.'
The Limburg cybercrime team is still working on the case, according to Bergmeijer. 'We have detection indications in a number of areas. There was clearly a lot of time and preparation behind it,' he says. 'With these types of more complicated ransomware cases, you see that perpetrators first infect a system and then quietly start watching the network. This is how they determine where they can best make their move. Criminals sometimes enter the network undetected for months to do this. That extensive research makes the attack as devastating as possible. We are still figuring out if that is the case here. For that, we are following a number of tracks; to the malware itself, but also others.'
'We as the police have made it known from the outset that we take the position of not paying,' Bergmeijer said. 'But again, in light of the dilemmas, we respect and understand the university's choice.'
THTC team leader Marijn Schuurbiers also advises victims against paying the hackers. 'Of course we understand that this can be a huge dilemma, when - as in Maastricht - everything is at a standstill or when you suffer a huge loss as a company. On the other hand, such a payment keeps the earning model of these cybercriminals alive. We see in concrete investigations that the money paid is partly used to set up new attacks again. In addition, paying does not guarantee that the problems will be solved. Collective and structural non-payment can be an important solution to make this earning model less attractive in the Netherlands.'
Schuurbiers explains that the fight against ransomware goes beyond simply hunting down the perpetrators. For example, Team High Tech Crime founded the now globally known website NoMoreRansom.org, where international police and cybersecurity organizations continuously publish solutions that let victims free their systems instead of paying.
In addition, reports are very important, Schuurbiers emphasizes. 'In doing so, we work very closely with the cybercrime teams in the regional units,' he says. 'Together with them we bring all that data together and hold it against international cases, among other things.' According to Schuurbiers, the perpetrators are mostly abroad. 'But we have also previously arrested two brothers in Amersfoort who were involved in this and more recently a boy from Utrecht who made and sold malware that can serve as a basis for this kind of attack.'
