It is only a drill, so the files are not really encrypted. Thanks to ‘moles’ in the participating organisations, software has actually been installed that counts the files on the hard drives. That way, the institutes can see which files could already have been infected at that stage in a real-life scenario.

Nearly all academic universities and over twenty universities of applied science took part in this SURFnet drill. SURFnet is the ICT foundation that maintains the national research and education network of the Netherlands . Academic hospitals and research institutes were also ‘attacked’.

A line in the sand

Two years ago, SURFnet organised a similar drill, with approximately 25 participants. It was highly instructive according to spokesperson Eric van der List. This time around, the participants contacted each other more quickly, so that they could pull together and draw a line in the sand: we are definitely not paying. The hacker’s demands started off small: five euros. Surely, solving the entire problem is worth paying five euros? The participants were firm in their resolve, however, and did not pay up.

It was a very hectic day nonetheless. The ICT practitioners had to move quickly to find out where the ‘malware’ was located and how they could protect their network and other files. According to Van der List, the ICT team of one university quickly figured out the nature of the infection and shared that information with their colleagues around the country.

Participants also really had to consider what information they wanted to share with the outside world, as the hacker threatened to publicise all kinds of sensitive information. In the drill scenario, the son of a celebrity had been rejected in a selection procedure. All kinds of negative comments about that son would be made public if the institutes did not pay up.


SURFnet started developing the scenario in October of last year. Each institute had its own ‘drill preparer’ who could focus the scenario on their own institute; none of the other participants knew what was going to happen precisely. It had to be lifelike.

Participants could take part on three different levels. Some institutions created fully equipped crisis rooms and had their executive board participate. Other institutions used the drill as a good exercise for their ICT services department and communications department.  There were also those that mainly observed the drill and only ran a limited version themselves. We will soon know what the organisations learned from the drill, as SURFnet and the participating institutions will meet on Tuesday to discuss it.