Cyber-attacks have always been considered a threat to many private and governmental institutions, even prior to the Covid-19 pandemic. Although ransomware cases were instrumental to many cyber-attack operations in 2019, an emphasis was given to the higher risk industries, and less to the lower risk realms and governmental institutions.
Academia, being the epitome of the lowest end of the low-risk industry, was never fully considered a viable source of ransomware. This false notion of security has led to an unprecedented attack in late December of 2019.
Maastricht University, one of the leading universities in the Netherlands and globally, has suffered an unprecedented attack on their servers, causing immense damage to the university and the Dutch high education system’s reputation as a whole.
In a period prior to the Covid-19 pandemic, which for some may see a lifetime ago, ransomware and cyberattacks had been conducted as an underlining current. The pandemic has raised and highlighted the issue of ransomware, due to the exceeding amounts of cases and the high volume of ransom demands. Yet, a year ago, an unprecedented attack on Maastricht University’s servers has led to a sincere wake-up call for the higher education system in the Netherlands and the EU.
The attack, that took place on December 23rd 2019 targeted the university’s servers. The servers held valuable research, information of students and employees of the university, emails had been blocked, registration for exams and courses had been hindered, and files and programs of the university had been blocked.
The type of malware that was used is Clop ransomware, which includes the full blocking of access to the university servers.
The university was then faced with a choice of either paying a ransom of 200,000 to 300,000 EUR that was demanded in Bitcoin . The good faith shown by the university in the payment was not considered worthy by the hackers, and they only released part of the information held by them. This led to an on-going investigation and management of the breach by the university and Fox-IT BV.
Although being a US-issued document, OFAC Recommendations on ransomware answers the most pivotal questions, that Maastricht University had to answer, in the most clear-cut method possible.
The initial crystallization of allowing payment of a ransom in Cryptocurrencies , on any level, bypasses the EU framework and may have helped Maastricht University in their on-going handling of the attack.
OFAC has declared that assisting ransom in cryptocurrency cases is not deemed compliant with the US regulations, to an extent that companies and individuals which will assist the ransomware, will be considered aiding the attack. Be that as it may, it is possible to receive special permission from OFAC for subjecting their crypto platform to the execution of the ransom payment.
6 AMLD is the most updated piece of legislation, on a Directive level, in the EU. The notion of money laundering has been discussed to a great extent by the EU regulators, yet not sufficiently enough. Due to the fact that
cryptocurrencies are not harmonized on a regulatory level, leads to many lacunas in the market, which in turn lead to unclear cases on how to deal with cryptocurrencies, ransomware and related topics on an EU level. It would be wise that ESMA would take an initiative and follow their American colleagues in asserting a framework on a pan- EU level. Thus, how can one expect the EU to follow their US counterparts when its own institutions do not initiate negotiations between one another?
The bizarre notion of EU agencies and institutions not corresponding with one another is not a novelty. The EBA issued a statement in which cryptocurrencies should be regulated on an international level, yet the only public correspondence between the EBA and ESMA is dated to August 2019, which is completely irrelevant in a post-Covid 19 era. There is no CTF/ AML task force on the EU level, and as it seems, it is unlikely to be formed prior to the end of the pandemic. This leads to the understanding that institutions in the EU are left to take care of their own cyber and AML practices and compliance, with no real guidance from the EU.
Why the attackers targeted Maastricht University, and whether it was initiated by dissatisfied former students, or other individuals, is yet to be discovered. However, academia and universities in the EU should take this unpleasant lesson, to say the least, as an example of how cyber practices should be conducted and how to prevent similar situations in the future.
Covid-19 may have increased the risk of ransom cases, but there is not a single target that is fully immune to the risk of cyber-attacks.
Miss Ella Rosenberg, an EU Regulatory and Defense Fintech Expert, and Mr Aviel Marciano, an HLS and due diligence expert, produced this article as a combined effort.