University ‘will never pay ransoms’ despite darknet data leak

A leading German university that refused to pay a ransom to hackers has vowed to do the same in future, after attackers leaked stolen data on the darknet.

“As a matter of principle, the University of Duisburg-Essen [UDE] does not respond to digital extortion by criminal organisations,” Barbara Albert, its rector, told Times Higher Education. “Since the UDE has not paid a ransom and will not do so in the future, the attackers have now published stolen data on the darknet.”

The information security website Bleeping Computer said it had reviewed the data leaked by the Vice Society hacker group, which appeared to include backup archives, financial documents, research papers and student spreadsheets. It was not able to confirm their authenticity.

Professor Albert said the November 2022 attack “created a complex situation with regard to the damage caused”, including the encryption of 1,200 virtual servers and takeover of a central system for controlling access.

The scale of the attack means the university has had to reconstruct its IT infrastructure. Raimund Vogl, president of the European University Information Systems Organisation and chief information officer at the University of Münster, said replacement hardware and security consultants could cost around €100,000 (£88,000), but that this would typically be dwarfed by the labour costs of having tens of IT and administrative staff working around the clock on recovery for months.

Ransoms of up to €200,000 – which Maastricht University paid in 2019 – would therefore cost less than recovery, although Dr Vogl noted that there were cases from industry of ransoms of €10 million, which “might challenge a university”. Another university cybersecurity expert, who asked not to be identified, said the costs involved in UDE’s recovery could be larger even than these private-sector ransoms. “In a case like this, I wouldn’t be surprised if the total cost is a two-digit number of millions of euros. And probably not with a one as the first digit,” they said.

“Of course, [it is] only if nobody pays, because it is impossible or because of moral considerations, [that] this business will come to an end,” said Dr Vogl, noting that even those institutions that decide to pay could struggle to source attackers’ preferred cryptocurrency before a ransom deadline.

Professor Albert said UDE had found “quick solutions for those areas in particular where studying, teaching, ongoing work for assessment and administrative operations needed to be ensured”. The university said it had managed to reset passwords for its approximately 40,000 users and provide off-campus access to the Moodle platform for 29,000 students.

Winter semester exams will take place as planned and students can apply for Erasmus+ exchanges for this summer or next winter as normal. It had to extend summer admissions deadlines for both bachelor’s and master’s courses. Pedro José Marrón, vice-rector for transfer, innovation and digitisation, said in a statement that “further increasing the previous security standards” would “have to take the time it takes”.

ben.upton@timeshighereducation.com