Maastricht Univ. still fighting ransomware damage; Expert says Russian hacker group responsible
Maastricht University was still trying to recover from a crippling cyberattack nearly a week after the university's computer systems were felled in a ransomware scheme. One expert told De Limburger that Russian organized cybercrime outfit TA505 is responsible for the attack.
"It is of the utmost importance at this moment that students and staff do not perform any actions on UM computers or systems. This applies to both inside and outside the university," the university said in its update on Monday. "This is to avoid any risk for research and repair work and for data retention."
The university was particularly concerned about whether or not researchers would be able to meet deadlines for grant and subsidy applications. In a statement, the university said it would try to lobby on behalf of researchers to obtain deadline extensions wherever possible, but that the winter break might make its appeals less likely to be heard.
Also on Monday, the university expanded the capacity of a helpdesk to assist in answering questions from students regarding the attack. It also said that the applications for all study programs, including those submitted before the attack, were safe.
The university said it still planned to resume classes on January 6, with its buildings set to reopen four days earlier.
New York-based cyber expert Vitali Kremez told De Limburger that TA505 was responsible for the attack. He said the group distributes Clop, a ransomware program first discovered in February 2019.
Security firm Fox-IT was working with the university on the forensic investigation and recovery of UM systems hit in the ransomware attack. In such an attack, hackers encrypt files with a password only they know. Once a ransom is paid, the password is revealed to decrypt the affected files.
"TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware," said global cybersecurity business Trend Micro.
Kremez also noted the hacker group's focus on public institutions, because data recovery is urgently necessary for them. "The chance that they will pay ransom is therefore greater," he told De Limburger.
"Almost all Windows systems have been affected and it is particularly difficult to use e-mail services," the university said on Christmas Eve. "Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data."