Maastricht University services offline due to Clop ransomware – update 2
Maastricht University is struggling with a ransomware attack. As a result, ‘almost all Windows systems’ are offline and it is ‘extremely difficult’ to use the university’s e-mail services. The scientific databases appear to have remained unaffected so far.
The university reports this on its own website. Affected services include the library and the Student Portal. The institution tells 1Limburg that the scientific databases run on a separate system with additional security. Whether the attackers also have access to that system is still being investigated, but this is expected to be ‘very difficult’. It is unclear whether it is a DDoS attack or another type of digital attack.
Although it is the Christmas holidays, some students continue to work because of deadlines in January, so the online library is needed during this period as well. At the moment the university cannot estimate how long the problems will last before services are restored, and the origin of the attack is still a matter of speculation.
Update, 16:22: a tweaker on a semi-private part of the forum states that it is a ransomware attack, namely Clop. According to the post, all DHCP servers, Exchange servers, domain controllers and network drives have been encrypted. Because of the holiday period, the university is said to have difficulty obtaining the expertise needed to resolve the matter. Fox-IT is said to be overstretched in any case, which is why Maastricht University has approached the University of Antwerp, which has experience with Clop, the tweaker claims. He or she says the information comes from an internal e-mail.
Update, 17:21: a university spokesperson confirms that it is Clop ransomware. Clop was discovered in early February 2019 and is a variant of the CryptoMix ransomware. Clop targets entire computer networks rather than individual computers. Once it has penetrated a network, it encrypts as many files as possible and appends a .clop extension to the file names, which serves as an indicator of compromise. Once encryption completes, the ransomware places a readme file on the network. Typically, the readme includes e-mail addresses, among other things, which victims can contact for payment instructions. The ransomware is known for often striking just before the weekend or major holidays to maximize its impact.
The ransomware first tries to shut down Windows processes, including Windows Defender, so that it can reach files that may be in use by those processes. For this it carries a list of hard-coded hashes, which it uses to close Steam, Microsoft Office programs and various web browsers, among other things. Clop also includes a batch file that blocks data recovery from any shadow copies. There is currently no decryptor available for victims.
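The two indicators the article names, the appended .clop extension and a readme file carrying contact e-mail addresses, are straightforward to check for on a file share. The script below is an added example, not code from the article, the university or any vendor: it walks a directory tree, counts .clop files per directory to show how far the encryption spread, and extracts e-mail addresses from readme-style notes. The sample tree it builds, including the file names and addresses, is constructed for the example and runs offline.

```python
"""Triage scan for the indicators of compromise described in the article.

Added example (not from Tweakers or Maastricht University). It reports
(1) files carrying the '.clop' extension and (2) readme-style files that
contain e-mail addresses. The sample tree is constructed inline; every
path and address in it is invented.
"""
import os
import re
import tempfile
from collections import Counter

# Extension the article names as the indicator of compromise.
CLOP_EXT = ".clop"
# Ransom notes are described as "readme" files; match that name case-insensitively.
README_RE = re.compile(r"^readme", re.IGNORECASE)
# Loose e-mail pattern for pulling contact addresses out of a note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_tree(root):
    """Walk `root` and collect the indicators above.

    Returns a dict with:
      clop_files   - number of files ending in .clop
      clop_by_dir  - Counter of affected directories (relative to root)
      notes        - list of (relative path, sorted e-mail addresses) for readme files
    """
    clop_files = 0
    clop_by_dir = Counter()
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(CLOP_EXT):
                clop_files += 1
                clop_by_dir[os.path.relpath(dirpath, root)] += 1
            elif README_RE.match(name):
                # The note is attacker-supplied text: read a bounded number of
                # bytes, decode leniently and only extract addresses from it.
                with open(path, "rb") as fh:
                    text = fh.read(65536).decode("utf-8", errors="replace")
                emails = sorted(set(EMAIL_RE.findall(text)))
                if emails:
                    notes.append((os.path.relpath(path, root), emails))
    return {"clop_files": clop_files, "clop_by_dir": clop_by_dir, "notes": notes}


def is_suspicious(report):
    """Decision rule: any .clop file, or any readme carrying e-mail addresses."""
    return report["clop_files"] > 0 or bool(report["notes"])


def build_sample_tree():
    """Create a constructed directory tree resembling a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="clop_triage_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    for rel in ("finance/budget.xlsx.clop", "finance/plan.docx.clop", "hr/contract.pdf.clop"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 32)  # placeholder for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ordinary, untouched file\n")
    with open(os.path.join(root, "finance", "README_README.txt"), "w") as fh:
        # Constructed note text; the addresses are invented (.invalid TLD).
        fh.write("Your files are encrypted. Contact: unlock@example.invalid or help@example.invalid\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = scan_tree(sample)
    print(f"{report['clop_files']} .clop files in {len(report['clop_by_dir'])} directories")
    for path, emails in report["notes"]:
        print(f"ransom note {path}: {', '.join(emails)}")
    print("suspicious" if is_suspicious(report) else "clean")
```

Pointing `scan_tree` at a mounted share instead of the constructed tree gives a first picture of which directories were hit and which contact addresses the note carries, which is the information an incident responder wants before deciding what to isolate.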