Dutch university’s rapid response saved it from ransomware devastation

Earlier this year, Eindhoven University of Technology (TU/e), one of the Netherlands’ leading technical universities, demonstrated the uncomfortable truth that even organisations that tick all the cyber security boxes can fall victim to sophisticated attacks, when attackers gained enterprise-level access to its network and began preparing what forensic investigators later concluded would have been a devastating ransomware attack. 

The university’s response was dramatic: it disconnected all 14,000 students and 4,700 staff from the internet for an entire week. That decision, taken within hours of detecting the breach, prevented what could have been months of crippled operations and millions in ransom demands. 

The incident began on 6 January, when attackers used legitimate credentials found on the dark web to access TU/e’s virtual private network (VPN) system. Five days later, they launched an assault, and within hours, they gained the highest administrative privileges on the domain controllers – effectively having complete control over the network – and started installing persistence tools typical of ransomware preparation. This triggered the security monitoring.  

The paradox facing Martin de Vries, TU/e’s chief information security officer (CISO), illustrates an uncomfortable truth about modern cyber security: perfect prevention remains elusive, even for well-prepared organisations. However, when the crisis call came that Saturday evening, his team’s rapid response would prove the difference between a week of disruption and potential devastation. 

The situation De Vries encountered was a cyber security nightmare: attackers with enterprise privileges fighting his team for network control.

“It was a cat-and-mouse game,” he recalls. “Every time we disabled an account or tried to segment servers, we saw them on another server. Because they had those privileges, they were also taking away our access rights while we were taking theirs.”

With conventional containment measures failing, the decision was made to sever the university’s connection entirely, taking TU/e’s 14,000 students and 4,700 staff offline for what turned out to be a week. However, forensic analysis by Fox-IT later confirmed this decision prevented a devastating ransomware attack.

Implementation gaps

TU/e’s experience exposes the gap between security awareness and flawless execution that haunts even the most diligent organisations. At the end of 2024, the university identified compromised credentials belonging to several user accounts, flagging them as “risky users” through its monitoring tools. “We knew these accounts were leaked,” admits De Vries. “We identified them at the end of last year and sent users instructions on changing their passwords. But a configuration error allowed them to re-enter the same password.” 

This single oversight undermined what should have been a successful remediation process.  

Similarly, multi-factor authentication for the university’s VPN was already planned and budgeted for. “It was on the schedule to be implemented by summer,” he says. “It would have been deployed around this time.”

Instead, attackers exploited its absence to gain initial access using the dark web credentials. 

The response showcased the Netherlands’ collaborative approach to higher education cyber security. TU/e benefits from SurfSoc, a security monitoring service delivered by Fox-IT and managed by Surf, the collaborative organisation providing IT services to Dutch universities and research institutions. Surf detected the malicious activity at 9:55 pm and alerted TU/e by 10:48 pm, even as the university’s security team responded to internal alerts. This redundant detection system accelerated the response timeline.

“We were already aware of potential malicious activity when Fox-IT, operating Surfsoc, contacted us,” says De Vries.

When TU/e called Fox-IT’s emergency response line at 11:50 pm, Fox-IT supported TU/e’s decision to disconnect the network immediately. The network went offline at 1:17 am on the Sunday, cutting off attackers who had been installing remote administration tools, creating privileged accounts and attempting to disable backup systems – all hallmarks of ransomware preparation.

Disruption versus damage

The decision to take 20,000 users offline for a week was not made lightly, but the alternative would have been far worse. Fox-IT’s forensic investigation concluded that “the adversary exhibited many characteristics typical of a ransomware attack”, with rapid escalation to domain administrator privileges and attempts to disable backup systems following established ransomware playbooks. 

“The biggest impact for the university was on students and staff,” says De Vries. “We had to postpone exams; academics had to mark papers over extended periods. That impact can’t be expressed in euros”. Yet the financial calculation was stark. The direct costs of the response remained manageable – “not comparable to what we spend annually on security”, according to De Vries. Had ransomware been successfully deployed, however, “it probably would have been in the millions”.

The human cost, while significant, was temporary. Exam schedules were rearranged, research activities paused, and normal operations disrupted, but the university’s core functions remained intact. A successful ransomware attack could have crippled operations for months while demanding substantial ransom payments with no guarantee of data recovery. 

TU/e’s ability to respond decisively stemmed from regular crisis preparation. The university participates in Surf’s sector-wide Ozon cyber crisis exercise every two years alongside annual internal drills, ensuring crisis teams know their roles before disaster strikes. “Everyone in the crisis organisation knew their role,” says De Vries. “You don’t want to be looking at each other asking, ‘How did this work again?’ when the real crisis hits.”

The crisis management structure activated smoothly, with clear communication protocols and defined responsibilities. This organisational readiness enabled the rapid decision-making that contained the attack. 

This preparation extended beyond TU/e’s walls. The university’s decision to publish detailed forensic reports reflects the Dutch higher education sector’s collaborative approach to cyber security, starkly contrasting corporate secrecy around breaches. The precedent was set by Maastricht University, which suffered a major ransomware attack in 2019 and shared its experiences openly to help other institutions. “We are universities – we’re about gaining and sharing knowledge,” says De Vries. “There’s a culture in the education sector of sharing these experiences so others can learn from them.”

The collaboration is systematic: university CISOs meet monthly through Surf to share intelligence and best practices. “There’s no university that doesn’t have this on their radar,” he notes.

Persistent risks 

Complex research environments create persistent vulnerabilities. TU/e supports research groups using Windows 7 equipment, necessitating older authentication protocols that attackers can exploit.

“We have an IT landscape that must support both old and new systems because research groups have equipment that still works perfectly for their research but uses older operating systems,” says De Vries.

Since resuming operations, TU/e has conducted individual security assessments before reconnecting research systems to the internet. 

Despite the successful response, he remains realistic about future threats. “It’s not a question of if, but when,” says De Vries. “You have to prepare as an organisation for it to happen, no matter how good your security is.”

His advice to fellow security leaders is practical: regularly drill crisis response teams and ensure detection systems work around the clock. “You need good detection so you’re properly informed when things go wrong, and a crisis organisation that can act immediately,” says De Vries.

TU/e’s experience proves that even well-prepared organisations remain vulnerable. But rapid detection, decisive leadership and accepting short-term disruption can prevent far greater long-term damage. When perfect security remains impossible, response quality determines impact.