Maastricht University shares lessons learned about ransomware attack at the end of 2019

On December 23, 2019, Maastricht University became the victim of a ransomware attack. Fox-IT specialists were hired to assist them in getting the systems back up and running as quickly as possible and to conduct forensic investigations.

On February 5, 2020, UM published a report that discusses the incident and the way forward in an open and constructive manner.

The original report can be found here:

We have listed the most important lessons learned from the report for you:

  • Better ‘awareness’ and handling of (reports of) ‘phishing emails’
  • Technical measures
    • Accurately updating the software
    • Improving Windows domain segmentation
    • Setting up 24/7 monitoring by means of a SIEM and/or SOC
    • Configuration Management Database
  • Duplicate backups

This is very much in line with what Spinae advises companies.

Better ‘awareness’ and handling of (reports of) ‘phishing emails’

Ensure that employees are well informed about the risks and teach them proper cyber hygiene. Do not consider this a one-off action, but something that needs to be worked on continuously.

Technical measures

Many technical measures are possible. It is important to find out which technical measures are relevant to your company and to realize that technical measures are not a silver bullet. The technical measures cited by Maastricht University therefore cannot simply be copied one-to-one to your company. However, a number of the basics mentioned are also very important for your company, such as installing updates and having an accurate inventory of all systems (CMDB).

Duplicate backups

In a ransomware attack, backups are your so-called ‘last line of defense’. It is therefore particularly important to shield them well. Various types of ransomware first look for your backups to render them useless, and only then begin to encrypt your data. What Maastricht University means here by ‘duplicate backups’, Spinae often translates as ‘air-gapped backups’: make sure there is no electronic connection between your ‘last line of defense’ and the rest of your infrastructure. For example, take backups to disk systems so that you can restore quickly in common situations, but also make periodic backups to an external medium (external hard disk, tape) and make sure that this external medium is disconnected from the systems. Be sure to keep this external medium in a different location.
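The backup layout described above can be checked against an inventory of backup copies. The following is an added example, not taken from the UM report or from Spinae; the `BackupCopy` fields, the site names, the sample inventory and the 7-day limit used for "periodic" are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

EXTERNAL_MEDIA = {"external_disk", "tape"}  # media types named in the text

@dataclass
class BackupCopy:
    name: str
    medium: str      # "disk", "external_disk" or "tape"
    connected: bool  # any electronic connection to the production systems
    site: str        # where the medium is physically kept
    taken: date      # date of the most recent backup on this medium

def audit_backups(copies, primary_site, today, max_offline_age_days=7):
    """Return findings; an empty list means the layout follows the advice.
    max_offline_age_days is an assumed value for "periodic"."""
    findings = []
    if not any(c.medium == "disk" for c in copies):
        findings.append("no disk copy for quick restores")
    air_gapped = []
    for c in copies:
        if c.medium not in EXTERNAL_MEDIA:
            continue
        if c.connected:
            findings.append(f"{c.name}: external medium is still connected")
        if c.site == primary_site:
            findings.append(f"{c.name}: kept at the same location as production")
        if not c.connected and c.site != primary_site:
            air_gapped.append(c)
    if not air_gapped:
        findings.append("no disconnected copy at a different location")
    else:
        age = (today - max(c.taken for c in air_gapped)).days
        if age > max_offline_age_days:
            findings.append(f"newest air-gapped copy is {age} days old "
                            f"(limit {max_offline_age_days})")
    return findings

# Constructed sample inventory (not from the UM report).
SAMPLE = [
    BackupCopy("nas-daily", "disk", True, "campus", date(2020, 2, 4)),
    BackupCopy("usb-weekly", "external_disk", True, "campus", date(2020, 2, 2)),
    BackupCopy("tape-vault", "tape", False, "offsite-vault", date(2020, 1, 6)),
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, "campus", date(2020, 2, 5)):
        print("FINDING:", finding)
```

In the sample, the only copy that is truly air-gapped is a month old, so a restore after an attack that also destroys the connected copies would lose weeks of data.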


It is admirable and noble that Maastricht University communicates so openly about this. It naturally fits in with their mission as an educational and research institution to ensure that knowledge can be disseminated.

Unfortunately, we have to state once again that it is no longer a question of ‘if’ a cyber attack could happen, but ‘when’ it will happen. And then you had better be well prepared…

Let yourself be guided by experts to develop good security, tailored to your company. Because every company is unique.