Cyber Incident Victim: Aristotle University of Thessaloniki
Date: May 2017
Location: Greece
Summary
A ransomware attack impacted Aristotle University of Thessaloniki, affecting a limited number of personal computers that were outdated and lacked Windows updates. The malware encrypted local files on USB devices and deleted administrative folder contents, prompting the university's IT administrators to implement containment measures to prevent further spread. The incident was part of a broader global cyberattack targeting government agencies, corporations like Telefonica and Renault, and educational institutions across multiple countries. Attackers exploited a Windows vulnerability patched months prior, using ransomware to lock files and demand bitcoin payments for decryption. The university advised users to back up data, update antivirus software, and disconnect external storage devices while technicians investigated the security breach.
Description
On May 13, 2017, Aristotle University of Thessaloniki (AUTH) became a victim of a global ransomware campaign affecting organizations across at least 99 countries. The university's Electronic Governance Center administrators detected the incident after multiple users reported symptoms consistent with ransomware infection through the institution's User Service Helpdesk. Affected systems exhibited two primary malicious behaviors: encryption of local files on removable USB storage devices and deletion of files within administrative directories. Technical analysis confirmed the malware as a crypto-ransomware variant that locked files (including videos, photos, and Word documents) and demanded Bitcoin payments for decryption. The attack specifically targeted older, unpatched Windows systems within the university that lacked recent security updates, with compromised devices identified as personal computers rather than central administrative systems.

University administrators implemented immediate containment measures upon verification of the attack, including network isolation protocols to prevent further malware spread. A campus-wide advisory urged users to disconnect external backup devices (USB sticks, portable drives) and avoid opening email attachments from unknown senders. The institution emphasized verifying antivirus software updates and operating system patches, while technical teams conducted forensic examinations. Deputy Director Theodoros Laopoulos confirmed that only a limited number of outdated personal computers were compromised, with central university operations remaining unaffected.

Concurrently, international investigations revealed the ransomware exploited a Windows vulnerability patched by Microsoft in March 2017, utilizing hacking tools originally developed by the NSA that had been leaked prior to the attacks. This global incident impacted major entities including Spain's Telefonica, France's Renault, Russian railways, FedEx, and educational institutions in South Korea, prompting emergency responses from multiple governments. The UK convened its COBRA emergency committee, while G7 finance ministers meeting in Italy pledged coordinated action against cybercrime. Despite widespread disruption, authorities including Ciaran Martin of the UK's National Cyber Security Centre clarified that file encryption did not necessarily indicate data theft, with ongoing investigations focused on attack methodologies and perpetrator identification.
