Cyber Incident Victim: Ruhr University Bochum
Date: May 2020
Location: Germany
Summary
Ruhr University Bochum experienced a ransomware attack targeting its central IT infrastructure, prompting a widespread shutdown of servers including backup systems and disrupting critical services such as email, VPN access, and internal portals. While Windows-based systems were compromised, Linux and macOS systems remained unaffected, and certain applications like RUB-Mail, Zoom, and digital teaching platforms continued operating normally. The university collaborated with external security experts to assess the damage, confirming server encryption but stating no user data was compromised. The incident also prompted warnings from the closely affiliated University of Duisburg-Essen about potential cross-infection risks due to shared interfaces.
Description
On May 7, 2020, Ruhr University Bochum (RUB) announced it had shut down large portions of its central IT infrastructure, including backup systems, following a ransomware attack detected overnight between May 6 and May 7. The incident caused widespread disruptions starting around 8:00 AM on May 7, affecting access to critical services including the Outlook email program, VPN connections required for remote work, and the university’s internal service portal. With over 42,900 students and 5,800 employees impacted, RUB confirmed the cyberattack at 10:35 AM, revealing that attackers had targeted its central IT infrastructure. The university implemented immediate containment measures, powering down all central servers and backup systems potentially exposed to the ransomware. IT Services further recommended that faculties independently shut down Windows-based server systems as a precautionary step, though the specific ransomware variant remained under analysis at the time.

RUB issued detailed guidance to mitigate risks, advising students and staff to restrict Windows application usage to essential communications, avoid opening email attachments, and share documents exclusively as PDFs. Administrative systems and Exchange-based email services remained offline during the initial response phase. However, key academic platforms including RUB-Mail, Moodle, Rub-Cast, Zoom, and Matrix (Riot) remained operational, with the university explicitly stating these Linux and macOS-based systems were unaffected and safe for maintaining digital teaching activities. By May 8, RUB’s investigation indicated Windows-specific malware as the attack vector, with no evidence of compromise to Linux or macOS infrastructure. In an official FAQ, the university confirmed server systems had been encrypted but asserted no user data was impacted based on preliminary findings. RUB collaborated with external security experts to assess damage scope and formulate recovery plans, while the University of Duisburg-Essen issued parallel advisories highlighting infection risks through shared interfaces with RUB. No data exfiltration or specific malware strain was publicly confirmed during the initial disclosure period.
