On Monday, December 23, 2019, Maastricht University fell victim to a major ransomware attack. The attack shut down Windows systems, affecting both students and staff. It was the start of an intensive collaboration between the educational institution, the police and the public prosecution in Limburg. While the latter two parties started a criminal investigation, the university hired a cybersecurity company to get the network and systems back up and running together with its own staff.
The investigation started with the traces found. Metten Bergmeijer, team leader of the cybercrime team in the Limburg police: “Every form of crime leaves its mark, including crime in the digital world. Thanks to a good collaboration with the university and the cybersecurity company they hired, we were able to use the tracks they had secured. Such cooperation is essential in order to be able to carry out a good criminal investigation,” explains Metten Bergmeijer. “You can compare it to a burglary. As police, we do not repair the door that the burglars destroyed, but we are interested in fingerprints or other traces left on that door in our investigation.” At one point, the university was forced to pay the hackers a ransom of 197,000 euros. Metten Bergmeijer: “We have always been of the opinion that no payment should be made. But we respect and understand this choice in the light of all the dilemmas.”
The investigation by the prosecution and the police pursued digital, economic and tactical angles. Crime does not stop at the border of an entity or a country, least of all cybercrime. It was no different in this case. The traces soon led the investigation team across the border. This resulted in close international cooperation with various countries. Data were requested from a large number of parties abroad. The payment from the university also left traces that took the investigation team a step further. Through a (digital) search that crossed many countries, the investigation team identified a person in Ukraine. The team traveled to Ukraine in 2021, where the Ukrainian authorities, at its request, conducted a search of a home and spoke to those involved. This investigation paved the way for the eventual seizure of the cryptocurrency.
In February 2020, the investigation team froze a wallet to which part of the paid ransom went. At that time, the value of the cryptocurrencies contained in it was about 40,000 euros. Freezing the wallet guarantees that nothing can happen to the money, because the owner of the wallet no longer has access to it. To actually gain access to the wallet, a legal process must lead to formal seizure. For this purpose, claims and requests for legal assistance had to be made, among others to international partners. This lengthy process eventually led to the cryptocurrency being formally seized by the public prosecutor in April 2022. Due to exchange rate changes in the cryptocurrency, the value has risen to around 500,000 euros, more than the university paid at the time.
Georges van den Eshof (Prosecutor for Cybercrime): “Legal action still needs to be taken, but the Public Prosecutor’s Office will do everything in its power to obtain this entire amount from the university. They paid around 200,000 euros in ransom at the time, but the damage they suffered was obviously much greater. Think about purchasing new systems and the work of getting the network up and running again. The main purpose of the seizure is to compensate the university as much as possible. That was also one of the goals of our criminal investigation.” In addition to this excellent result, the police and the prosecution also learned from this investigation. Metten Bergmeijer: “This was intercepted by the Limburg cybercrime team at the time. In recent years, we have learned from this and other studies that event-driven work is less effective than working from the bigger picture. That’s the reason why the Ransomware Taskforce was created.”
Making a statement pays off
Metten Bergmeijer: “In the field of cybercrime, and certainly when it comes to ransomware, arresting suspects has shown little chance of success. They are often located in countries with which the Netherlands has no international cooperation. So we have to use something else. Statements provide us with a crucial part of the information we need for this. It helps us to better understand crime and find the places where we can hit criminals the hardest. For example, criminals need to communicate with each other, launder their money, or gain access to systems. We must aim to disrupt, frustrate and prevent the criminal process. We are currently using this approach in the Ransomware Taskforce, where specialists from the regional cybercrime teams and the High Tech Crime Team from the national unit work together to interrupt, detect and prevent ransomware according to this principle. As police, we are investigating whether this method can also be used to combat other forms of cybercrime. As police, we do not do it alone. To this end, we enter into smart alliances with companies and educational institutions at home and abroad.”