Hackers published a batch of internal documents from the Netherlands Organisation for Scientific Research (NWO) on the dark web yesterday, after the agency refused to pay up in a ransomware attack. The attack, which began on 8 February, has completely knocked out the agency’s grant application and review process and cut off NWO’s communication with applicants, grantees, and universities.
Ransomware attacks on organizations, companies, and even hospitals have become increasingly common, and some institutions have decided that paying is the easiest way to get computer systems back up or prevent the release of confidential data. NWO refused to do so. “On fundamental grounds, NWO, as part of the Dutch governmental institutions, isn’t willing to pay ransom,” the agency said in a statement yesterday. “Although NWO highly regrets the unfortunate situation of sensitive personnel documents being spread … NWO will not alter its position.” The funder says more stolen documents may end up in public “in the near future.”
NWO, whose nearly €1 billion budget makes it the main Dutch funding agency, disclosed the hack on 14 February. The agency can no longer use email, other apps, or its telephone lines; neither can a number of organizations affiliated with or hosted by NWO, including the Netherlands Initiative for Education Research and the European Polar Board. NWO has canceled many meetings until at least 15 March and says it can’t receive or pay bills; the best way for applicants and grantees to get in touch, the organization says, is via a frequently asked questions page. (The agency’s website was not affected by the attack.) “We’re very sorry for the inconvenience that this causes to our applicants,” a spokesperson says.
NWO’s grant application system runs on an external server that does not appear to be affected, but the agency says it was shut down indefinitely as a precaution while the case is being investigated. New granting rounds have been suspended and the review process for existing ones has come to a stop. NWO is working with a security company to get its system back up, but it’s unclear how long that will take.
Among the documents released yesterday were personnel data, the spokesperson says. NWO is still trying to find out what else the hackers got their hands on; it says it does not know whether confidential grant applications and reviews have been stolen.
Last month, hackers targeted another funding agency, UK Research and Innovation, but the impact was much smaller than in NWO’s case; UKRI last week said it recovered its data quickly without paying anyone, adding that there “is no evidence of any data theft from our systems.” The University of Amsterdam and Amsterdam University of Applied Sciences were both attacked in recent weeks, as well. There is no indication that hackers are specifically targeting the higher education and research sector, the NWO spokesperson says.
Another sophisticated attack brought research and education at Maastricht University, also in the Netherlands, to a virtual standstill in late 2019. The university later disclosed that it paid a ransom of 30 bitcoin, about €200,000 at the time, to have its systems unblocked.
NWO says the hack was committed using so-called DoppelPaymer ransomware, which emerged in June 2019, according to a recent FBI warning. “Prior to infecting systems with ransomware, the actors [steal] data to use in extortion schemes and have made follow-on telephone calls to victims to further pressure them to make ransom payments,” FBI wrote.