Cyber Incident Victim: Maastricht University
Date:
Dec 2019
Location:
Netherlands
Summary
Maastricht University experienced a ransomware attack that encrypted nearly all Windows systems, forcing a precautionary shutdown of all university systems and severely disrupting email services and operations. The institution engaged IT personnel and external security experts to restore services, conduct forensic investigations, and assess potential unauthorized access to scientific data, while also notifying law enforcement. Recovery efforts prioritized phased system restoration to resume education, with some critical systems returning online ahead of schedule; internal reports suggested Clop ransomware was responsible for the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 23, 2019, Maastricht University (UM) in the Netherlands suffered a ransomware attack that encrypted nearly all Windows systems across its network. The university publicly disclosed the incident on December 24, noting significant disruptions to email services and operational functions. UM, which serves over 18,000 students, 4,400 employees, and 70,000 alumni, immediately initiated an investigation to determine whether attackers accessed or exfiltrated scientific data prior to encryption. As a precaution, the university implemented additional security measures to protect research data and temporarily took all systems offline to contain the incident. Forensic efforts commenced alongside system restoration work, though the scale of the attack—affecting the majority of UM’s computing infrastructure—made recovery timelines difficult to estimate. The university’s Executive Board and faculty deans acknowledged the disruption to academic and administrative activities, pledging accommodations for affected students and staff while prioritizing phased system restoration.
UM’s IT department collaborated with external security specialists to repair encrypted systems and conduct forensic analysis, with the incident reported to Dutch law enforcement as required by national regulations. By December 30, UM announced that critical systems would begin reactivation on January 2, 2020, allowing educational activities to resume by January 6. Internal reports later identified the Clop ransomware strain as responsible for the attack, though no official confirmation was issued. Throughout the response, the university maintained communication channels via a dedicated ICT Servicedesk, enabling students and employees to seek assistance using private email accounts or phone support. The institution’s global academic standing—ranked among the world’s top 500 universities—highlighted the operational and reputational stakes of the incident, which necessitated a week-long system-wide shutdown during the investigation and recovery phases.