Maastricht University Clop ransomware (Netherlands, 2019)
TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin — later seized from a money mule — was returned and had appreciated, leaving the university ahead by ~$300,000.
- Victim: Maastricht University
- Loss: $220.0K
In December 2019, Maastricht University in the Netherlands suffered a Clop ransomware attack delivered by the TA505 crew. The encryption hit at one of the worst possible times — 23 December, just as students and most staff were leaving for Christmas — and shut down 267 servers including backups. The university paid 30 BTC (~$220,000) on 30 December to restore operations.
What happened
The intrusion started small. On 15 October 2019 two phishing emails were sent to university staff; one was opened, and TA505 had its foothold. Over the next five weeks the attackers moved laterally through the network. On 21 November, they gained admin rights on an unpatched server — a single missing patch on a single host. That box became the pivot from which Clop ransomware spread to 267 Windows servers, including the backup infrastructure.
Detection came on 23 December. Fox-IT was engaged for forensics. The university weighed two options: pay the ransom or rebuild every affected system from scratch with no guarantee of timeline. After a week of analysis the university paid 30 BTC (~$220,000) on 30 December.
The case had an unusual coda. Dutch police later seized a portion of the ransom Bitcoin from a money mule. By the time the funds were returned to the university in July 2022, Bitcoin had appreciated enough that the university ended up roughly $300,000 ahead of its original payment.
Impact
- 267 servers encrypted, including backups.
- ~$220,000 ransom paid.
- Operations restored within days of payment.
- Root cause: a single unpatched server.
- Coda: Dutch police seized a portion of the Bitcoin; appreciation left the university with a net profit on the ransom payment.
Why it matters
Maastricht University is a textbook public-sector ransomware case: a single unpatched host enabled lateral movement to backup servers, removing the "restore from backup" option. The Fox-IT report has been cited widely in European higher-education security planning. The Bitcoin-recovery coda — paying a criminal in Bitcoin and ending up ahead — is also one of cybercrime's stranger outcomes.
Financial impact
Reported costs in USD
- Ransom paid: $220.0K
Timeline
- 15 October 2019: Two phishing emails reach Maastricht University staff; one is opened. TA505 establishes initial access.
- 21 November 2019: Attackers move laterally through the network and gain administrative rights on an unpatched machine.
- 23 December 2019: Clop ransomware encrypts 267 of the university's Windows servers, including backups.
- 30 December 2019: After weighing options including rebuilding from scratch, Maastricht pays 30 BTC (~$220,000).
- Fox-IT publishes its investigation: a single unpatched server was the pivot point that allowed the malware to spread to all 267 affected machines.
- July 2022: A portion of the Bitcoin ransom, earlier seized by Dutch police from a money mule, is returned to the university. Bitcoin appreciation means the university ends up roughly $300,000 ahead of the original payment.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/
- securityweek.com: https://www.securityweek.com/netherlands-university-pays-240000-after-targeted-ransomware-attack/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/maastricht-university-wound-up-earning-money-from-its-ransom-payment/
- fortune.com: https://fortune.com/2022/07/06/university-of-maastricht-recovered-bitcoin-paid-in-ransomware-attackand-worth-510000-twice-value-at-time/
- grahamcluley.com: https://grahamcluley.com/dutch-university-ransomware/