Cyber-attack evaluation: crisis organisation worked well

From first signal to under control

The cyber-attack started on Saturday 13 February, when an attacker managed to infiltrate the IT environment. On Monday, 15 February, the attack was detected by AUAS/UvA's Security Operations Center (SOC). They saw a password spraying attack and takeover of domain controllers, fitting the profile of a ransomware attack. The Executive Boards of both institutions were informed and the central crisis organisation activated. AUAS/UvA decided to 'fight back' and combat the attack actively and openly - without taking down all systems, as this would have had major consequences for the continuity of education at the institutions. Over the next few days, it became apparent that the attackers had, in all likelihood, obtained log-in data and encrypted passwords by downloading the Active Directory domain database. This data can be used to wage a new attack, or sold.