Defenceless in the face of cyber attacks
New Delhi: Even as the country’s top cybercrime units grappled with the ransomware attack on AIIMS servers and systems, sources in the security establishment said chances of fully recovering from the damage caused by the malware were bleak and “starting afresh” seemed to be the way out.
The best of minds from the CERT-IN (Indian Computer Emergency Response Team), C-DAC (Centre for Development of Advanced Computing) and NIC (National Informatics Centre), apart from two intelligence agencies, were trying to restore the system, but a breakthrough was yet to be achieved for the fifth day as AIIMS services continued to be on manual mode.
According to the sequence of events established till now, the primary and first backup servers of AIIMS were found corrupted around 7am on Wednesday. The first disruption was reported from the emergency lab when operators were unable to view reports in the systems. The billing section and OPD counters soon reported the same error.
“The priority was identifying and isolating the infection. Poor firewalls, no back-up and age-old systems were contributing factors. Correctly identifying the infection was crucial because there are several different strains of every ransomware and each requires a different response,” said a source.
The agencies then tried to “retrieve the lost data” through advance recovery tools, but couldn’t decrypt the files. During a ransomware attack, the actual files are generally deleted by the malware and replaced by an encrypted replica.
When asked if a ransomware code-named Life, a new variant of the notorious ransomware WannaRen, was found on the infected server, officials said it was too early to come at a conclusion. Cops are probing the case as that of cyber-terrorism and extortion. A big worry for investigators is a possible data leak as the hackers generally start leaking information online if their demands are not met in time. The ransom also increases as the victims try to salvage the situation.
Globally, ransomware attacks have been wreaking havoc, especially since they are available as RAAS (ransomware-as-a-service) on the dark web where they can be bought and (mis)used like an app without having the required knowledge.
In early November, ransomware group with suspected links to the notorious Russian ransomware gang, REvil, had threatened to release the personal information of millions of customers of Australian health insurance service provider, Medibank, if the ransom demand was not met. As the company refused to pay, the gang started publishing the stolen records, including customers’ names, birth dates, passport numbers and information on medical claims.
A semiconductor chip manufacturing giant was hit by a ransomware attack in February this year and the attackers had begun leaking employee credentials online.
The Costa Rica government had recently declared a national emergency in response to a ransomware attack on the nation, which began in early April and brought the ministry of finance to its knees, impacting not just government services, but also the private sector engaged in import and export.
As per experts, the ransomware targeting hospitals appeared to be spreading primarily via emails – often falsely claiming to contain information or advice from a government agency, which encouraged the recipient to click on an infected link or attachment.
In 2020, Interpol had issued a warning to organisations at the forefront of the global response to the Covid-19 outbreak that had also become targets of ransomware attacks, which were designed to lock them out of their critical systems to extort payments.
It found that cybercriminals were using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom was paid. Interpol had even issued a “Purple Notice”, alerting police in all its 194 member countries to the heightened ransomware threat.