The New Sunday Express Magazine
Sunday, February 16 2025

Ransomware
Hacked & Helpless

Ransomware is the new clear and present danger and India is in the bull's eye of hackers. At risk of exposure is personal, military and health data of millions.

59% of organisations worldwide were victims of a ransomware attack between January and February 2024
32% of ransomware attacks start with an unpatched vulnerability
75% of 1,400 organisations surveyed in 2023 suffered a ransomware attack
93.28% of detected ransomware files are Windows-based executables

How a ransomware attack unfolds

Infiltration: Threat actors deploy the ransomware to the target system using methods such as phishing emails, malicious links, software vulnerabilities, or compromised downloads. Once the ransomware reaches the target, it executes itself to gain a foothold in the system. This is akin to a package unpacking itself to spread its contents in a given environment.

File Scanning: The ransomware scans the infected system for files it can encrypt. Typically, it targets common file types such as documents, images, videos, and spreadsheets, leaving essential system files untouched to keep the system operational enough to display the ransom demand.

Encryption: Using advanced cryptographic techniques, the ransomware locks the identified files by converting them into a coded format. This ensures the data is inaccessible without the corresponding decryption key. The ransomware also generates a unique decryption key and stores it on the attacker's server.

Ransom Demand: Once encryption is complete, the ransomware displays a ransom note on the victim's screen. The ransom amount is usually demanded in cryptocurrency. The note may include threats, such as increasing the ransom if payment is delayed or permanently deleting the data if demands are not met within a specific timeframe.

Payment and aftermath: If the victim pays the ransom, the threat actors provide the decryption key, which is used to unlock and restore the files. However, there's no guarantee that the attackers will honour their promise. Even if the data is restored, victims may face lingering effects, such as stolen data being sold on the dark web, reputational damage, or additional malware remaining on the system.

By Gautam S Mengle

On January 23, the dark web erupted with a fresh claim, as BASHE, a shadowy ransomware group with a reputation for striking high-value targets, declared it had breached ICICI Bank.

As one of India's largest private sector banks, ICICI serves millions of customers both domestically and across the global NRI community—a vast repository of financial and personal data now allegedly at risk. BASHE boasted of accessing sensitive customer information: account details, transaction histories, and KYC documents, all of which are tools to fuel identity theft and financial fraud. The bank was put on notice: pay up by January 24 or the data goes public. ICICI Bank has maintained a stoic silence, declining to confirm or deny the breach, even as the hackers pushed the deadline to January 31. No further information is available from ICICI at the time of going to print.

Own a business? Or head a large corporation, hospital or military base? You are as safe as your firewall. An estimated one ransomware attack took place every 11 seconds in 2021, causing about $20 billion in damages, according to cybersafety researchers. India was hit with its first major ransomware attack in 2017. The software was WannaCry, a ransomware program that affected around 150 countries; India is among the top five worst-hit countries. Computer outages were reported in banks and organisations in Kerala, Kolkata, Gujarat and Andhra Pradesh. The Andhra Pradesh Police, the Gujarat State Wide Area Network and the West Bengal Electricity Distribution Company were also blackmailed by hackers.

How does ransomware work?

• The Threat Actor (hacker) accesses the victim's server using phishing, malware etc.
• Once the infiltration is successful, hackers search the network for sensitive data.
• The ransomware gang uses exfiltration, the unauthorised transfer of sensitive data from a target system into a separate location.
• Ransomware is uploaded.
• System data is encrypted and the victim is denied access to the data.
• The ransom demand is made and, if met, the information could be returned via a decryption key.

No payoff means the hacker will leak the information, or even destroy or sell it. Since no backups exist, the consequences are serious. There is no guarantee either of getting the data back.

Once Threat Actors access a system, they inject malware like Ryuk or LockBit. This automatically encrypts all data on the server. Encryption transforms original data into an unreadable format (plain text converted into complex strings of characters) that can be reverted to its original state only with a unique decryption key. Without it, the victim loses access. Individuals could lose sensitive personal information, such as photos or financial records, forever.

Ransomware attacks were the single largest cyber threat to Indians in 2024. And continue to be so. CloudSEK, a Bengaluru-based cybersecurity and research firm, places India as the second most affected country after America, and the fifth most hit by ransomware attacks after the USA, United Kingdom, Canada and Germany. Meanwhile, CyberPeace Foundation mapped a 55 per cent increase in ransomware attacks targeting India, from 63 incidents reported in 2023 to 98 in 2024. It further observed that the industrial sector was the most frequently targeted, accounting for 75 per cent of the total incidents. It is 12 per cent for the healthcare sector, finance is at 10 per cent and government at three per cent. Attacks are against both individuals and companies.

Ransomware gang LockBit remains the most active ransomware family acting against India, accounting for 23.33 per cent of ransomware attacks so far, according to ThreatLabz. Globally, LockBit accounted for 22 per cent of Indian ransomware incidents. BianLian is in second place, responsible for 16.67 per cent of attacks. BlackCat aka ALPHV was responsible for 11.67 per cent of ransomware incidents in India and 9 per cent globally. Its programming allows it to target both Windows and Linux.

UPPING THE ANTE: With law enforcement snapping at their heels, hackers are constantly upgrading their techniques. 2023 was a "watershed year" for ransomware, with over $1 billion forked out, according to Chainalysis, a blockchain data research firm. Ransom payments are typically made in cryptocurrency, mostly Bitcoin: from $220 million in 2019 to $1.1 billion in 2023.

The ransomware attack on AIIMS in 2023 was one of the largest in India and crippled the health giant. The hackers targeted its OPD system, which stores relevant patient and medical information. They captured the network and encrypted the data, blocking the hospital from accessing its own system. The worst hit were the patients. No new admissions and no follow-up OPD visits were possible, because medical histories were unavailable. Independent dark web researchers learned the attacker was the LockBit hacker group, who demanded a ransom of ₹200 crore.

This attack led to the formation of a new Standard Operating Procedure for Indian entities hit by ransomware. Says Koushik Pal, Threat Researcher with CloudSEK, a Bengaluru-based cybersecurity solutions and research firm, "The AIIMS incident caused significant disruptions to critical services such as emergency care and access to medical history. Such attacks can potentially lead to large-scale loss of life." Pal has a background in digital forensics and incident response. His expertise is "adversary engagement

Turn to page 2