The Ransomware Attack’s Discovery
Maastricht University (UM) became the latest victim of a ransomware attack on the 23rd of December. UM is a Dutch university that has been ranked in the top 500 universities worldwide for the last 2 years. It has over 18,000 students, 4,400 employees and 70,000 alumni. On the 24th of December, UM announced: “Maastricht University has been hit by a serious cyberattack. Almost all Windows systems have been affected and it is particularly difficult to use e-mail services. UM is currently working on a solution.” When the announcement was first made, it was not certain which ransomware had been used in the attack. However, later in the day, Fons Elbersen, a university spokesperson, confirmed that it had been hit by Clop ransomware. On the 27th of December, UM took down all its systems as a precautionary measure. Currently all systems are still offline.
What is Clop Ransomware?
Clop was first discovered in February 2019, and it is still evolving and becoming more harmful. The difference between Clop and other ransomware is that Clop attacks computer networks, not just individual computers. Once Clop gains access to a network, it encrypts the files it can access and adds a .clop extension to the filenames. To be able to affect files used by the Windows system, Clop first closes Windows processes, including Windows Defender. Among other applications, Clop can also close Steam and Microsoft Office programs as well as various browsers. Moreover, Clop contains batch files that prevent data recovery via shadow copies or backups held on affected file systems. Clop either deletes or encrypts such backups and reformats connected backup disks. Once the attack is complete, Clop places a readme file on the network containing a ransom demand message and contact details for payment instructions. Attackers will then supposedly decrypt the affected files once they have received payment.
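The two file-system traces described above, a burst of new .clop files and a readme drop, can be turned into a simple detection over file-event telemetry. The sketch below is an added example, not code from the university, Fox-IT or any vendor; the event tuple format, the window and threshold values, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CLOP_EXT = ".clop"     # extension the article says Clop appends
WINDOW_SECONDS = 60    # assumption: tune to your file-server baseline
BURST_THRESHOLD = 5    # assumption: .clop writes per window that count as a burst


def detect_clop_activity(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Flag hosts with a burst of new *.clop files; attach readme drops seen there.

    events: iterable of (epoch_seconds, host, action, path), ordered by time.
    Returns {host: {"burst_at": ts, "notes": [paths]}}.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent .clop writes
    notes = defaultdict(list)     # host -> readme-like files written
    burst_at = {}                 # host -> time the threshold was first crossed
    for ts, host, action, path in events:
        if action not in ("create", "rename"):
            continue
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(CLOP_EXT):
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:   # drop writes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                burst_at.setdefault(host, ts)
        elif "readme" in name:
            notes[host].append(path)
    # A readme on its own is normal; it only matters on a host that also bursts.
    return {h: {"burst_at": t, "notes": notes[h]} for h, t in burst_at.items()}


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = sorted(
    [(1000 + i, "fs01", "rename", f"D:\\share\\report{i}.docx.clop") for i in range(6)]
    + [(1007, "fs01", "create", "D:\\share\\readme.txt")]
    + [(1000, "ws07", "create", "C:\\src\\project\\README.md"),
       (1100, "ws07", "create", "C:\\tmp\\a.clop"),
       (1900, "ws07", "create", "C:\\tmp\\b.clop")]
)

if __name__ == "__main__":
    for host, hit in detect_clop_activity(SAMPLE_EVENTS).items():
        print(host, hit)
```

On the sample data only fs01 is flagged: ws07 writes a README.md and two widely spaced .clop files, which stay below the burst threshold.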
Data Theft
It’s currently still not certain whether the university’s scientific research data was stolen before its systems were encrypted with Clop. However, the university has stated that the scientific research databases are held on a separate, extra secure system. The university is currently investigating whether the attackers also managed to get access to this system, but this is not considered likely.
When is UM Likely to Come Back Online?
Maastricht University is still working on a solution to this cyberattack. As part of its investigations, UM has been in talks with the University of Antwerp in Belgium. As this university was also hit by Clop in October 2019, UM hopes it can provide insight into possible solutions. In the hope of minimizing the attack’s impact on students and staff, UM has a large team of ICT staff working around the clock on finding a solution. Cyber security company Fox-IT is also providing its expertise to help UM ICT staff. UM is aiming to have most of its systems back online by the 6th of January, i.e. by the end of the Christmas break. However, Elbersen said: “Given the size and extent of the attack, it is not yet possible to indicate when that can be done exactly.”
In Talks with Attackers
Elbersen has also confirmed that the university is in talks with the attackers. However, he would not state what the ransom amount is nor whether UM is considering paying it. Finally, the university has stated that it has reported the attack to the appropriate law enforcement agency in the Netherlands, as is required by Dutch regulations after major cyberattacks.
Protecting Data from Clop
There is currently no decryptor available for victims of Clop ransomware. The best way to protect data from Clop is to have backup copies of everything on unconnected external backup drives. Furthermore, installing an updated and effective security program can prevent a Clop ransomware attack. Ransomware is on the rise, and educational institutions as well as governments and health care organizations appear to be the main targets.