Cyber Incident Victim: OSG Hengelo
Date: Jun 2023
Location: Netherlands
Summary
OSG Hengelo was targeted in a ransomware attack that compromised an undetermined amount of data, which remained under investigation. The school community opted to close a deal with the hackers responsible for the incident. Following the attack, services including WiFi and nearly all printers were restored for use by employees and students.
Description
On or around June 13, 2023, the school community OSG Hengelo publicly disclosed that it had been the victim of a ransomware attack. The school's board communicated directly with students and parents about the incident, acknowledging that the cyberattack had occurred. The attack involved the encryption of systems by malicious actors, a defining characteristic of ransomware operations, which disrupts normal operations by making data and devices inaccessible to their legitimate owners. In response to the operational paralysis caused by the attack, the institution entered negotiations with the threat actors responsible. These negotiations culminated in an agreement, described as the school having "closed a deal with hackers." This phrasing indicates that a financial transaction likely took place, in which OSG Hengelo paid the attackers in exchange for the decryption keys needed to restore its locked systems and data. The primary immediate impact of the incident was a significant disruption to the school's IT infrastructure and daily educational activities. Critical services such as WiFi access for employees and students were rendered inoperable, severing a fundamental tool for both administrative functions and classroom learning. Additionally, the school's printing capabilities were almost entirely disabled, indicating that the ransomware payload had propagated across network-connected devices and affected a range of systems beyond core servers.

The school's incident response process involved a methodical restoration of services following the acquisition of the decryption tools from the attackers. The reinstatement of WiFi access was a prioritized action, allowing the school community to regain connectivity and begin a return to normal operations. The near-complete restoration of printer functionality was another key milestone in the recovery process, suggesting that the decryption keys provided by the threat actors were effective and that IT personnel were able to systematically apply them to affected endpoints. A major ongoing concern for the school following the technical recovery was the uncertainty surrounding data exfiltration. OSG Hengelo explicitly stated that it remained unclear precisely what data the hackers had obtained during the breach. The possibility of a double-extortion tactic, where attackers both encrypt systems and steal data with the threat of its public release, was not confirmed but also not ruled out by the school's administration. This lack of clarity regarding the scope of data access meant the full impact of the incident could not be immediately determined.
The investigation into the specific data accessed or acquired by the attackers was stated to be ongoing at the time of the public announcement. The school board committed to transparency with its students, parents, and employees, promising to provide further updates as more information became available regarding the data exposure. The communication strategy focused on directly informing the affected parties, acknowledging the breach while managing uncertainty by pledging to share conclusive findings at a later time. The decision to negotiate with and pay the ransomware actors represents a significant aspect of the organization's response strategy. This action is typically undertaken to expedite recovery when backups are unavailable, incomplete, or when the cost and time required for a full restoration without the decryption key are deemed more detrimental than the ransom payment itself. The successful deal-making implies the attackers provided a working decryption solution, which the school's IT team then deployed to regain access to their systems.
The consequences of the attack extended beyond mere technical disruption, impacting the entire school community. The interruption of core IT services like WiFi and printing directly affected the educational process, likely causing cancellations or alterations to classes and administrative functions. The psychological impact of the attack, including concerns over the potential exposure of personal information, also constituted a significant consequence for students, parents, and staff. The full financial impact, encompassing the ransom payment itself, costs associated with the investigation, remediation efforts, and potential regulatory or legal repercussions, was not detailed in the available information. The incident serves as an example of the direct operational risks faced by educational institutions from ransomware groups, where the immediate need to restore critical learning environments can influence response decisions. The restoration of nearly all printers and the WiFi network indicates a substantial recovery effort was achieved, allowing the school to resume its primary functions while the forensic investigation into the data aspect of the breach continued.