Earlier this month, Maastricht University (UM), a university in the southern Netherlands with more than 22,000 students, revealed that it had retrieved the ransom it paid after a ransomware attack that targeted its network in December 2019.
After a detailed investigation of the incident, Fox-IT researchers attributed the attack to a financially motivated hacker gang tracked as TA505 (or SectorJ04). The hacking group has been active since at least 2014 and has primarily targeted retail and financial organizations.
The hackers breached the university's systems through phishing e-mails in mid-October and, after moving laterally through the network, installed Clop ransomware payloads on 267 Windows systems on December 23.
After a week, the university decided to accede to the criminal gang's demand and paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor. This was partly because private data was in danger of being lost and students were unable to take an exam or work on their theses. In addition, neither rebuilding all compromised systems from scratch nor creating a decryptor was a viable option.
"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," the university explained in a blog post. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff."
However, as UM recently revealed, the local police traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.
"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said. "The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."
Although it might appear that the university made a considerable profit within a relatively short time, the €500,000 seized by the Netherlands' Public Prosecution Service is significantly less than the damage inflicted during the ransomware attack. The seized funds are now in a bank account under the control of law enforcement, and the Ministry of Justice has already initiated legal proceedings to transfer them to the university.