Maastricht University wound up earning money from its ransom payment

Maastricht University (UM), a Dutch university with more than 22,000 students, said last week that it had recovered the ransom paid after a ransomware attack that hit its network in December 2019.

After a thorough investigation of the incident, the attack was linked by cybersecurity company Fox-IT with a financially motivated hacker group tracked as TA505 (or SectorJ04), known for primarily targeting retail and financial organizations since at least Q3 2014.

The hackers infiltrated the university's systems via phishing e-mails in mid-October and deployed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally through the network.

One week later, on December 30, the university decided to pay the ransom to have its files decrypted after deciding that rebuilding all infected systems from scratch or creating a decryptor were not viable options.

UM said at the time that it paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor, which allowed the university to avoid delaying exams and losing all the research, educational, and staff data, as well as info on salary payments for approximately 4,500 employees.

"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," UM explained. 

"We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.

Ransom bitcoins' value has doubled since 2019

However, as UM recently revealed, in a "remarkable development," the Netherlands Public Prosecution Service traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said.

"The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might seem like the university made a considerable profit within a relatively short time, the €500,000 seized by law enforcement agents represents significantly less than the damage inflicted during the ransomware attack.

These seized funds are now in a bank account under the control of the Netherlands' Public Prosecution Service, and the Ministry of Justice has already initiated legal proceedings to transfer them to UM.

After recovering the money, UM Executive Board said it wants to create a fund that would allow the university to help students in need.

"The cyber attack showed how vulnerable students can be in their study progress, but certainly also financially," explains Vice-President Bos. 

"The crises we have experienced since then have only further underlined this vulnerability. In light of this, the Executive Board considers the use of these funds to help students in need very appropriate."