The University of Maastricht in the Netherlands is currently struggling with a ransomware attack. It’s not yet known who is behind the attack or what was the motivation, but university activities are currently frozen as a process.
The university acknowledged the attack publicly on its website. The major concern is that the attackers could be after scientific data, which Maastricht University has plenty of, but a spokesperson appears confident the data is safe. “The university has been hit by a serious cyber attack in which almost all Windows systems have been hit,” said spokesperson Gert van Doorn of Maastricht University . “We no longer have access to data. Our scientific data is extra protected in a different system. We are investigating whether cyber attackers can get to it. The expectation is that this is very difficult.”
Over the next couple of hours, the university added updates to their online announcement regarding the attack with additional details. First, they confirmed that it was indeed a ransomware attack and that all DHCP servers, exchange servers, domain controllers and network drives have been encrypted. Next, they confirmed that the culprit was, in fact, the Clop ransomware, which was discovered back in February 2019 and is a variant of the CryptoMix ransomware.
Clop focuses on complete computer networks, rather than individual, personal computers. As soon as the virus has invaded a network, it encrypts as many files as possible, adding a .clop extension to the file names. Once total encryption is completed, the ransomware places an unencrypted text document on the network, containing email addresses that victims can contact for payment instructions.
The ransomware first tries to close important Windows processes to encrypt the presumably important files in use by them. To achieve this, the virus has a list of fixed hashes for popular programs like Microsoft Office and various web browsers. Clop also contains a batch command that blocks data recovery attempts. There is currently no decryptor available for victims.
Despite being closed for Christmas, the university keeps certain facilities open for students working on their thesis or otherwise interested in sources from the library.