Target of a hacker attack: Campus of the University of Liechtenstein in Vaduz.
The University of Liechtenstein was hacked on the night of August 15-16. Three weeks later, many IT systems are still offline. The example of other universities shows that remedying the consequential damage can take several months.
04.09.2021, 11:57; 04.09.2021, 16:17
It was a rude awakening after the national holiday at the University of Liechtenstein in Vaduz. The first and only university in the principality with around 800 students and 200 employees was the victim of a ransomware attack in mid-August, as watson reported. Unknown criminals broke into the university systems and paralyzed all local IT systems with an encryption or blackmail Trojan.
Initially, the university was completely out of action: employees temporarily had no access to their e-mail accounts, students are still unable to register for courses as usual and the regular website is still offline. A provisional website at www.uni.li provides information about the consequences of the hacker attack; all other pages and the login-protected areas are offline.
“The registration for the interdisciplinary electives has to be carried out differently this semester than usual,” the university informed the students. A corresponding tool had to be set up in a hurry for this. General information for students will be made available temporarily via the online storage service Dropbox.
Hackers paralyze hardware and software
Three weeks after the ransomware attack, the university is still struggling with the consequences of the hack, which was apparently massive: “In principle, all IT systems at the University of Liechtenstein (hardware and software) are affected by the ransomware attack”, confirms Herwig Demon, Head of Communication, on request. The hackers also paralyzed the digital locking system of the university building, for example.
Only those “applications that were previously outsourced to the cloud as part of the ongoing IT program” were spared, according to Demon.
Systems could fail for months
Previously attacked universities showed that a massive ransomware attack can take months to deal with. The Technical University of Berlin was the target of a cyber attack at the end of April 2021. The repair of the consequential damage is still going on four months later. The time required is enormous, since countless IT systems not only have to be restored but also made more secure, because the threat level is constantly rising. Or to put it another way: after the hack is before the next cyber attack.
Start of the semester with Corona and blackmail trojan
The ransomware attack on the University of Liechtenstein in mid-August took place during the semester break. A stroke of luck in misfortune, one might think. But the new semester began on September 1st, and employees and students still have to do without various IT systems. That does not make the start of the semester any easier during the coronavirus pandemic.
Initial progress has now been made in Vaduz: “Fortunately, we have managed to regain access to our data,” writes the university. Therefore, despite all the hardship, the winter semester could start at the beginning of September.
Uni warns employees and students of further risks
The university reacted quickly to the ransomware attack and announced the attack the next day. A possible data leak was not concealed.
On the provisional website, employees and students are informed about further possible risks of the malware attack:
«An important security note for all lecturers, students and employees: If you have also used the password for your university account for private accounts (Google, Amazon, Facebook, etc.), change it immediately. Also activate the 2-factor authentication for the privately used accounts, if this is offered.»
In the event of a ransomware attack, it is likely that the perpetrators not only block IT systems, but also steal data. This usually also affects employees or, in this case, students. Therefore, you should never use the same password for university and company accounts as for your private e-mail account.
Attackers also use data theft as a hedge: if the victims can restore their encrypted IT systems from a backup, the blackmailers threaten to publish the stolen data or to sell valuable information such as passwords, postal addresses or social security numbers to the highest bidder on relevant underground marketplaces. In this case, too, an outflow of data is at least a realistic scenario.
Several questions remain open
The university writes:
“It remains to be seen who is responsible for this ransomware attack. The University of Liechtenstein is not aware of any claims in this regard. Criminal charges were filed, the police are investigating.”
University of Liechtenstein
Even three weeks after the hack, several questions remain unanswered:
Has any data been stolen? From the university or from employees and students?
Why were IT systems encrypted and no ransom demanded afterwards? Usually attackers leave a message asking the victims to transfer a ransom. In return, the blocked IT systems are often restored, but of course the victims have no guarantee of this.
And: How did the attackers penetrate the university systems? Ransomware attacks often begin with phishing attacks, whereby criminals gain access to the IT system by exploiting a mistake or oversight on the part of an employee. The hackers, for example, copy the website of a university in order to steal the login details of those affected.
Universities are popular targets
Universities are rewarding targets for ransomware because they naturally have numerous points of entry (campus computers, library computers, etc.), a lot of data is exchanged, and some of them have small security teams. In addition, students can access certain systems from their private devices.
Universities are repeatedly targeted by blackmail hackers. “With our security measures, we intercept thousands of unwanted e-mails in connection with phishing, spam and malware every day,” said Eva Tschudi, Head of Communication at the University of Applied Sciences in Eastern Switzerland, to the daily newspaper. “One way or another, encryption Trojans find their way into the house again and again.” It is unlikely to look any different at other educational institutions.
The University of Liechtenstein refers to the ongoing investigations: Due to the investigations in which the Liechtenstein National Police is involved, no further statements can be made.
In the past few days and weeks, various ransomware attacks on Swiss companies and authorities have become known: for example Comparis, the Pallas clinics and the incidents at Saurer, Habasit, Rolle and Matisa uncovered by watson. They show by way of example: Anyone and everyone can be affected by a ransomware attack. It is important to prepare strategically for such a crisis and to have an emergency plan.
Victim of a ransomware attack? That is why those affected should not pay
The «No More Ransom» project provides free decryption tools for victims of ransomware attacks. There are currently 121 free decryption tools that can decrypt 151 ransomware families. Over the past five years, more than six million ransomware victims have been able to decrypt their files without paying a ransom. As a result, the extortionists are said to have missed out on 900 million euros (973 million francs) so far. Europol, the Dutch police, Kaspersky and McAfee are behind the “No More Ransom” project.