Ransomware is a nightmare for 21st century IT organizations.  You wake up one morning and you’re locked out of all your systems.  If you had the discipline – and more importantly, the budget – you might have a security team to quickly strip and reprovision servers, an admin crew to flash back backups, and leadership to manage through the crisis with users.

The reality is more often that management is faced with a tough choice between paying criminals and massively disrupting its operations.  It’s all well and good to take the noble stance that you won’t enrich scummy thieves, but when your systems are down and users are howling – and that howling can be everything from products that can’t be shipped to prescriptions that can’t be filled – the urge to pay and get things back to normal can be overwhelming.

If you do decide to pay, it’s real-world dollars that are going out the door.  It’s one thing if you’re a huge multinational bank.  But what if you’re a university?  Not only does your IT budget probably limit your options for recovery, but the entire organization faces a serious compromise of its ability to perform its mission.

Unless, of course, you make a huge profit on the transaction.

Locked Out and Cornered

In an unusual twist to a story of cybercrime, a portion of a Bitcoin ransom paid by Maastricht University during a devastating 2019 ransomware attack was not only been recovered—but appreciated in value enough to turn a profit.

Back in 2019, Maastricht University (UM) in the Netherlands fell victim to a ransomware attack that crippled its infrastructure. Hundreds of Windows servers and backup systems were encrypted, cutting off 25,000 students and faculty from scientific research, email, and critical university services.

Faced with academic chaos and the looming loss of personal data, the university opted to pay a €200,000 ransom in Bitcoin (then worth about $208,000 USD) after a week of downtime. It was a difficult decision, but necessary to restore operations and prevent further disruption.

As part of the subsequent investigation, Dutch authorities managed to trace part of the ransom—around €40,000 worth of BTC—to a Ukrainian money launderer’s account. The account was seized in 2020, and Dutch prosecutors held onto the cryptocurrency as legal proceedings unfolded.

Fast forward to 2022, and here’s the kicker: that €40,000 in Bitcoin had grown to a staggering €500,000 due to the cryptocurrency’s meteoric rise in value.

From Crisis to Student Relief

Instead of folding the windfall into their general budget, the university did something unexpected: they allocated the recovered funds to a student hardship fund.

“This money will not go to a general fund, but into a fund to help financially strapped students,” said UM ICT director Michiel Borgers.

It’s a fitting end (or middle—investigations are ongoing) to a harrowing incident that could have ended much worse.

Even without recovering the full €200K ransom, the university recouped more than double what ot paid, thanks to the crypto market’s wild ride. While this doesn’t mean paying ransoms is a good idea, it certainly adds a layer of irony to the situation—and perhaps a glimmer of good fortune in an otherwise grim tale of cyber extortion.

Have your own story of ransomware headaches or crypto-related silver linings? Drop us a comment or email—especially if you’re self-hosting and managing your own backups!

raindog308

Raindog308 is a longtime LowEndTalk community administrator, technical writer, and self-described techno polymath. With deep roots in the *nix world, he has a passion for systems both modern and vintage, ranging from Unix, Perl, Python, and Golang to shell scripting and mainframe-era operating systems like MVS. He’s equally comfortable with relational database systems, having spent years working with Oracle, PostgreSQL, and MySQL.

As an avid user of LowEndBox providers, Raindog runs an empire of LEBs, from tiny boxes for VPNs, to mid-sized instances for application hosting, and heavyweight servers for data storage and complex databases. He brings both technical rigor and real-world experience to every piece he writes.

Beyond the command line, Raindog is a lover of German Shepherds, high-quality knives, target shooting, theology, tabletop RPGs, and hiking in deep, quiet forests.

His goal with every article is to help users, from beginners to seasoned sysadmins, get more value, performance, and enjoyment out of their infrastructure.

You can find him daily in the forums at LowEndTalk under the handle @raindog308.