A ransomware attack on the Netherlands Organisation for Scientific Research on February 8 has left the country’s largest scientific research funding agency unable to review and receive grant applications or communicate with applicants and grantees. According to a statement, NWO has refused to pay the ransom demanded by the DoppelPaymer hacker group “on fundamental grounds,” opting instead to rebuild its network, a process that could take weeks, Times Higher Education reports.
With its ransom demands unmet, the hacker group leaked NWO documents, including personal information about staff members, to the dark web on February 24, according to Times Higher Education. “Although NWO highly regrets the unfortunate situation of sensitive personnel documents being spread unauthorised, NWO will not alter its position,” the statement notes. As a public institute, the NWO cannot pay ransom to attackers, the Times Higher Education reports.
The security breach is the latest in a series of cyberattacks on research and funding institutes. In the last month, there have been similar attacks on the University of Amsterdam, the Amsterdam University of Applied Sciences, and the UK Research and Innovation funding agency, Science reports. In 2019, Maastricht University in the Netherlands paid the bitcoin equivalent of €200,000 (US $237,000) to hackers.
According to the NWO, decisions for the current grant funding round have been severely delayed by the attack. For some grantees, such as Marleen Weulen Kranenbarg, an assistant professor in criminology at Vrije Universiteit Amsterdam, the cessation of the agency’s activities also means interruption to research, Times Higher Education reports.
Nevertheless, Weulen Kranenbarg, who studies cybercrime and keeping “hackers on the good side,” supports the funding body’s decision not to accommodate the ransom demand. “Paying criminal hackers will do the opposite: it shows that using hacking skills for criminal purposes pays off,” she tells Times Higher Education. “I am proud that the NWO has the courage to clearly state that it will not pay the hackers.”