University of Maastricht Pays Roughly $240,000 in Bitcoin Following Targeted Ransomware Attack
The University of Maastricht, The Netherlands (UM), has paid a ransom of 30 Bitcoins (about $240,000 at the time, $294,000 today) for a decryption key to the CLOP ransomware. UM has been open and forthcoming on the details of the attack, providing detailed insight into a classic targeted ransomware attack.
The encryption process started on December 23, 2019. By December 29, 2019, UM had concluded that its only realistic way forward was to pay the ransom and buy the decryption key. Rebuilding the infrastructure would take months — even if it were possible — while research material would be irretrievable. In the meantime, its students would not be able to work effectively and may not be able to take their exams.
The intrusion started on October 15th. A series of phishing emails was delivered, and two were successful on different workstations on October 15th and 16th. The attacker was resident on UM’s network for more than two months before the encryption commenced, and was able to study the topology and deliver the maximum damage.
The attacker was the group known as TA505. “The modus operandi of the group behind this specific attack,” said Fox-IT in a forensic report commissioned by UM, “comes over with a criminal group that already has a long history, and goes back to at least 2014. The group is often referred to publicly as ‘TA505’, as well as ‘GraceRAT’, named after one of the tools used by the group.”
Some subsequent media reports have linked TA505 with Evil Corp, the group behind Dridex — but this is questionable. The source appears to be a Microsoft tweet from 30 January 2020: “Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operations this month after a short hiatus. While we saw some changes in tactics, the revived Dudear still attempts to deploy the info-stealing Trojan GraceWire.”
Responding to this, however, Bryan Campbell, senior threat analyst with Proofpoint, commented simply, “TA505 does not equal Evil Corp.” Certainly, Fox-IT mentions neither SectorJ04 nor Evil Corp in its forensic report. Evil Corp is usually associated with the group behind Dridex. Fox-IT believes that TA505 is a separate group, but that the group has “cooperated with the ‘Dridex’ group.”
Both successful phishing emails were written in English, with links leading to an Excel document. These documents contained a macro that downloaded the SDBBot remote access trojan from IP addresses 185.225.17(.)99 and 185.212.128(.)146 respectively.
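As an added illustration of how a defender could have caught the initial stage described above (this is example code, not from Fox-IT or UM), the script below scans proxy log lines for the two download IPs named in the report and, more generally, for Office processes fetching content from a bare IP address. The log format and the sample lines are constructed assumptions, not UM's real telemetry.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Download IPs named in the Fox-IT findings quoted above (de-fanged on the page).
SDBBOT_DOWNLOAD_IPS = {"185.225.17.99", "185.212.128.146"}
# Office processes that have no business fetching content from a bare IP address.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample proxy log, format "timestamp host process dest_ip url" (an assumption,
# not UM's real log format). Lines 1 and 3 mimic the two macro downloads described above.
SAMPLE_LOG = """\
2019-10-15T09:12:44 WS-0412 excel.exe 185.225.17.99 http://185.225.17.99/update.bin
2019-10-15T09:13:01 WS-0412 chrome.exe 93.184.216.34 https://example.com/
2019-10-16T14:02:17 WS-0788 excel.exe 185.212.128.146 http://185.212.128.146/update.bin
2019-10-16T14:05:00 WS-0031 outlook.exe 52.96.0.1 https://outlook.office365.com/owa/
2019-10-16T14:07:30 WS-0031 winword.exe 203.0.113.7 http://203.0.113.7/doc.dat
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")

def parse_line(line):
    # Return a dict for a well-formed line, or None for anything else.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_bare_ip_host(url):
    # True when the URL's host part is a literal IP rather than a DNS name.
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def classify(rec):
    # Map one parsed record to a detection reason, or None if it looks benign.
    if rec["dst"] in SDBBOT_DOWNLOAD_IPS:
        return "known-sdbbot-download-ip"
    if rec["proc"].lower() in OFFICE_PROCESSES and is_bare_ip_host(rec["url"]):
        return "office-process-fetching-from-bare-ip"
    return None

def scan(log_text):
    # Collect (timestamp, host, process, reason) for every suspicious line.
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reason = classify(rec)
        if reason:
            hits.append((rec["ts"], rec["host"], rec["proc"], reason))
    return hits
```

The second rule is the more durable one: the specific IPs rotate, but an Office process downloading from a raw IP is unusual on a workstation regardless of which campaign is behind it.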
Following the successful phishing, TA505 accessed several UM servers. One of these had not been fully patched, and the group was able to gain full rights across the infrastructure. The group surveilled the topology and was able to collect multiple account usernames and passwords. On 23 December 2019 it successfully deployed the CLOP ransomware on 267 of UM’s servers. Fox-IT found no indication that any personal or research data had been stolen, but has not been able to definitively exclude the possibility. Nevertheless, UM has now commissioned Fox-IT to conduct a separate investigation to confirm this.
The forensic firm made four primary recommendations based on its analysis of the attack: improve vulnerability and patch management, increase segmentation within the network, implement or improve network and log monitoring, and practice different crisis response scenarios.
For its part, UM has accepted the recommendations, but explains the difficulties faced by all higher education establishments: finding the right balance, it said in its own report (PDF), “between optimal digital security and providing an open and transparent environment for students and researchers.” Its conclusion is that some openness must be sacrificed to improved security in the modern cyber world.
It intends to improve security awareness training and tools for better phish detection and handling. It will improve its patch regime, but explains the problem: “UM receives approximately 100,000 updates per year, all of which have to be processed on 1,647 servers and 7,307 workstations.” It will reconsider its current segmentation, and improve its control of administrator accounts. It does already use segmentation, but acknowledges that its V-LANs “are relatively open to each other to guarantee the openness of the network and also to facilitate decentralized management and use of UM infrastructures.”
UM also intends to establish a 24/7 SIEM and SOC. This had already been planned for January 2020, but too late to affect the TA505 attack. It hopes to do this in conjunction with other universities, and hopes to emulate what is happening in Canada and is already operational in the U.S. — effectively a joint SOC between different universities for improved cooperation and collective action.
Two areas that go beyond the Fox-IT primary recommendations include the development of a configuration management database and improving its backup regime. The university acknowledges that lack of understanding of its own infrastructure hampered its response. “There were insufficient insights into the number of active and inactive computer and server systems in the UM domain.”
It also acknowledges that failure to have an offsite backup was an error. Its existing backups were primarily aimed at ensuring instant continuity, and were consequently online. “The cyber attacker was able to encrypt these online backups from a few critical systems,” it reports. “This must be prevented in the future.” Since the attack, it has now made “offline and online backups for every critical system.”
One area not mentioned by any of the parties is ‘cyber insurance’. Since the basic education budget was established before the advent of ransomware, it may be considered currently too expensive. Nevertheless, it is something that should be considered in such a high-risk sector as higher education. There is little doubt that ransomware attacks against universities will continue, while cyber insurance already has a good track record in funding victims’ ransom payments.