On 31 July, the National Payments Corporation of India (NPCI) issued a press release notifying that C-Edge Technologies Ltd, a technology service provider set up as a joint venture between Tata Consultancy Services Ltd and State Bank of India, was attacked using sophisticated ransomware. NPCI temporarily isolated C-Edge Technologies from accessing the retail payment systems operated by NPCI but restored connectivity the next day following a security review by an independent forensic auditing firm.
The investigation confirmed the isolation of the affected systems by C-Edge to contain the potential spread of the ransomware and the auditor also conducted additional security reviews and scans to certify that the rest of the infrastructure was clean.
The impact was limited to C-Edge systems hosted in their data centre and not on any cooperative or regional rural banks’ infrastructure. The attack primarily affected Brontoo Technology Solutions, a significant collaborator with C-Edge. Following the attack, Brontoo filed a report with the Indian Computer Emergency Response Team (CERT-In). The auditor’s threat research team identified that the attack chain began with a misconfigured Jenkins server, which attackers from the ransomware group RansomEXX exploited.
In today's interconnected digital landscape, ransomware has emerged as one of the most pressing cybersecurity threats facing organisations and individuals worldwide. Ransomware, which primarily centres around the extortion of financial resources by encrypting networks and then seeking a ransom from the targets to decrypt, is a major cyber threat facing governments, business houses, and individuals alike. What started as thrill seekers and individuals trying to make fast bucks, has transformed into a sophisticated form where criminal syndicates and terrorist groups seek hefty sums through cryptocurrency-based payments.
The emergence of Ransomware-as-a-Service (RaaS) gangs has become a force multiplier. In this year alone, more than 25 known cases of major ransomware attacks have been reported where ransom in billions have been demanded and many victims have negotiated and paid to avoid business and reputational loss. The transnational angle of these crimes and casual cooperation among law enforcement add to the complexity of trying to nab the gangs. Further, ransomware is used in espionage operations to obscure their tracks, make attribution harder, and create a powerful distraction for security agencies and network defenders. The scale and sophistication of ransomware attacks have grown dramatically in recent years, causing billions in damages and disrupting critical infrastructure.
In the current incident, the NPCI took the correct and prompt step of isolating the network by CEdge technologies, as well as ordering a special audit. This tactical step saved more infected systems and greater ransom demands. It also showed another good trait- the incident was promptly reported to CERT-In, which generally is not the case as organisations refrain from disclosing ransomware attacks. CERT-In acted fast to inform other networks of the attack vector. However as the special audit report showed, a vulnerability (CVE-2024-23897) allowed the attackers to gain secure shell access via port 22. The attack exploited this vulnerability in the misconfigured Jenkins server. So, patch management was missing somewhere. This particular hacking group is known for sophisticated exploitations and demanding high ransoms.
These incidents highlight the severity of the threat via ransomware. In May 2021, the Colonial Pipeline attack disrupted fuel supplies across the southeastern United States for days. The following month, meat processing giant JBS was hit, temporarily halting operations at plants in North America and Australia. More recently, in March 2024, several major US hospitals were forced to divert patients and revert to paper records after a ransomware attack on their IT systems. This year alone, at least seven major attacks have been reported globally. The LockBit group's attack on Royal Mail, the UK's national postal service, is a prime example. The attack paralysed international mail delivery, leaving millions of letters and parcels stuck in the company's system. The attackers demanded a ransom, and the incident highlighted the vulnerability of even the most seemingly secure organisations.
In India, ransomware attacks have been increasing in frequency and sophistication. Last year ransomware attacks were undertaken on Telangana and Andhra Pradesh’s power utility systems wherein the malicious virus took down all the servers. The Uttar Haryana Bijli Vitran Nigam, a power company in Haryana, was attacked by hackers who gained access to the company's computer systems and stole customers’ billing data. The attackers in return demanded a hefty ransom amount of Rs 1 crore in exchange for returning the stolen data.
The government and the industry have taken steps at multiple levels from a policy perspective. The National Cyber Security Strategy released in 2013 is the guiding doctrine for addressing all aspects of cyber security including ransomware, although a new and comprehensive strategy is being worked upon. CERT-In, under the Ministry of Electronics and Information Technology, plays the nodal role in responding to cybersecurity incidents. It regularly issues advisories and guidelines on ransomware prevention and mitigation. CERT-In has mandated stricter incident reporting requirements for organisations, including prompt reporting of ransomware attacks.
The Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs handles various cybercrime issues, including ransomware attacks. Capacity-building efforts are being made to train law enforcement agencies and IT professionals in dealing with ransomware and other cyber threats. Various government agencies and private organisations conduct awareness programs to educate businesses and individuals about ransomware risks and prevention measures. India has been strengthening its cybersecurity laws, including provisions in the Information Technology Act 2000. Regulatory bodies in critical sectors like banking and telecommunications have issued guidelines to enhance cybersecurity measures against ransomware and other threats.
India, like many nations, faces ongoing challenges in combating the rapidly evolving threat of ransomware, despite significant steps taken. The country's large and increasingly digital economy makes it an attractive target for cybercriminals. To counter this, many organisations have implemented robust cybersecurity measures. However, it remains crucial to continuously invest in security infrastructure, conduct regular vulnerability assessments, and educate employees on best practices. Organisations must keep software up-to-date, implement regular security patch management strategies, and maintain data backups. Given the dynamic nature of cyber security, it's essential to approach it as a well-defined, ongoing practice.
However since many of these ransomware attacks are undertaken from various geographies and much away from the actual location of the incident, international cooperation is required. Global dialogues are ongoing but there is no defined agreement. On the sidelines of the UN General Assembly session in New York in September 2022, the four QUAD foreign ministers met and deliberated on the approach to tackling ransomware, taking forward the initiation of this discussion in their meeting earlier in February 2022 in Melbourne. The joint statement issued after this meeting touched on ransomware and other cyber threats but also the protection of critical information infrastructures and approaching them from a multi-stakeholder approach.
Clearly, QUAD cooperation on ransomware is pertinent and in line with the efforts so far to make cyber security and critical and emerging technologies an area of cooperation as both were being challenged in the Indo-Pacific region. At the global level, concerns around the digital ecosystem and its security and resilience resulted in more engagements at various levels—both diplomatically and among technical stakeholders like the CERTs. The UN-fostered Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security in its report in April 2021 laid out the roadmap for promoting common understandings and effective implementation of cyber security measures with the laying of the ‘norms’.
Similarly, the US-led Counter Ransomware Initiative (CRI), consisting of 36 countries, addressed the full spectrum of the ransomware threat ecosystem during its October 2021 meeting. The group emphasised the need for enhanced cooperation on technical issues, law enforcement, resilience-building, diplomacy, and efforts to counter illicit financing, cryptocurrencies, and related payment systems. Now with 40 countries as members, it is going deeper into ways for collaboration to target the ransomware groups. The US and a few countries have imposed sanctions on cryptocurrency exchanges and individuals linked to ransomware groups.
As ransomware evolves, a coordinated global response involving governments, businesses, and individuals will be crucial to mitigate this persistent and costly threat. However, it is imperative to consistently adopt and adhere to best practices at both individual and institutional levels.
(Subimal Bhattacharjee is a Visiting Fellow at Ostrom Workshop, Indiana University Bloomington, USA, and a cybersecurity specialist. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
