{
	"id": "cc83b206-bab7-46ea-99d1-623e7c43ea77",
	"created_at": "2026-04-06T00:09:45.062303Z",
	"updated_at": "2026-04-10T03:36:36.686859Z",
	"deleted_at": null,
	"sha1_hash": "32759435eb439fb20f69b74381c940fb5c9fee2a",
	"title": "TA505 Hackers Behind Maastricht University Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1166797,
	"plain_text": "TA505 Hackers Behind Maastricht University Ransomware Attack\r\nBy Sergiu Gatlan\r\nPublished: 2020-02-07 · Archived: 2026-04-05 22:25:48 UTC\r\nMaastricht University (UM) disclosed that it paid the 30 bitcoin ransom requested by the attackers who encrypted some of its critical systems following a cyberattack that took place on December 23, 2019.\r\nUM is a university in the Netherlands with roughly 4,500 employees, 18,000 students, and 70,000 alumni, placed in the top 500 universities in the world by five different ranking tables during the last two years.\r\n\"Part of our technical infrastructure was affected during the attack. That infrastructure consists of 1,647 Linux and Windows servers and 7,307 workstations,\" the university explains in a management summary of the Fox-IT incident report and UM's response.\r\nhttps://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/\r\n\"The attack ultimately focused on 267 servers of the Windows domain. The attacker focused on encrypting data files in the Windows domain. The backup of a limited number of systems was also affected.\"\r\nUM says that all critical systems now have both online and offline backups, so that another ransomware attack cannot produce a total failure scenario.\r\nFox-IT connects TA505 to the attack\r\n\"The modus operandi of the group behind this specific attack corresponds with that of a criminal group that already has a long history, going back to at least 2014,\" says Fox-IT in its full report to UM (in Dutch).\r\nTA505 (also tracked as SectorJ04) is a financially motivated hacker group known for mainly targeting retail companies and financial institutions since at least Q3 2014 [1, 2].\r\nThey are also known for using remote access Trojans (RATs) and malware downloaders that delivered the Dridex and TrickBot banking Trojans as secondary payloads during their campaigns, as well as for dropping several ransomware strains, including Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff, on their targets' computers [1, 2]; after the attack on UM, that list now also includes Clop ransomware.\r\nAccording to Fox-IT, the hackers were able to infiltrate the university's systems via two phishing e-mails that were opened on two UM systems on October 15 and 16.\r\nFrom then until November 21, when they gained admin rights on an unpatched machine, the attackers moved through UM's network compromising server after server, and on December 23 they finally deployed the Clop ransomware payload on 267 Windows systems.\r\nThe university paid the ransom to have the files decrypted on December 30, after closely analyzing the alternatives, including rebuilding all infected systems from scratch or attempting to create a decryptor.\r\n\"During the investigation, traces were found that show that the attacker collected data regarding the topology of the network, usernames, and passwords of multiple accounts, and other network architecture information,\" the report summary says.\r\nFox-IT also says that it \"did not find any traces within the scope of the investigation that point to the collection of other types of data.\"\r\nRansom paid to avoid data loss and months of downtime\r\nAfter the attack, UM secured the services of security company Fox-IT to assist with the incident's forensic investigation and the crisis management process, and to provide advice during the recovery, according to official statements made at a press conference on February 5.\r\nUM added that, while the forensic research \"indicates how cybercriminals have taken some of UM's data hostage,\" research and personal data were not exfiltrated.\r\nHowever, the university will continue investigating whether this conclusion is 100% accurate via \"follow-up research into possible extraction\" of important data files representative of education, research, and business operations, as Fox-IT recommends.\r\nUM also disclosed that it acquired the ransomware decryptor from the attackers by paying a 30 bitcoin ransom (roughly $220,000 or €220,000) to restore all the encrypted files, as Reuters reported.\r\nThis allowed UM to avoid having to rebuild all the compromised systems from scratch, losing all the research, educational, and staff data, and delaying exams and salary payments to the university's 4,500 employees.\r\n\"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made,\" UM says. \"We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.\r\n\"The fact that on 6 January and thereafter we were able to have teaching and exams take place, more or less as planned, that UM researchers suffered little or no irreparable damage, and that we were also able to make the salary payments for 4,500 employees on time, strengthens our confidence that we made the right choice.\"\r\nSource: https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/"
	],
	"report_names": [
		"ta505-hackers-behind-maastricht-university-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32759435eb439fb20f69b74381c940fb5c9fee2a.pdf",
		"text": "https://archive.orkl.eu/32759435eb439fb20f69b74381c940fb5c9fee2a.txt",
		"img": "https://archive.orkl.eu/32759435eb439fb20f69b74381c940fb5c9fee2a.jpg"
	}
}