A recent ransomware attack [1] [2] [3] [4] [5] [6] [7], attributed to the RansomEXX group using their sophisticated malware variant [4], RansomEXX v2.0 [2] [4] [5] [6] [7], has targeted India’s banking sector [4], impacting nearly 300 small banks and payment providers.
Description
The attack began with a misconfigured Jenkins server at Brontoo Technology Solutions [1] [3] [4], a collaborator with C-Edge Technologies Ltd. [1], a joint venture between Tata Consultancy Services Ltd. [1] [5] and the State Bank of India [1] [5], allowing the attackers to exploit a vulnerability for secure shell access (CVE-2024-23897) [7]. This has led to disruptions in banking services such as cash withdrawals and UPI transactions [2]. The National Payments Corporation of India has temporarily shut down payment operations of the affected banks to prevent further impact on the payment ecosystem [2]. Negotiations with the ransomware group are ongoing [4] [5], with high ransom demands expected [4]. RansomEXX v2.0 employs advanced encryption techniques [7], exfiltrates data for double extortion [7], and targets critical files and backups [7]. The group uses diverse tactics [7], including phishing emails and exploiting vulnerabilities in remote desktop protocols [7], to gain initial access and move laterally within a network [7]. Victims receive detailed ransom notes with instructions for payment in Bitcoin or other cryptocurrencies [7]. The RansomEXX group has a history of targeting high-value organizations and has been active in Europe [3], Asia [3], and America [3], making it a significant threat to organizations [3]. The attack highlights vulnerabilities in current systems, and the analysis recommends that all critical vendors ensure their Jenkins servers are up to date [5].
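The recommendation to keep Jenkins up to date can be turned into a simple inventory check. The following is an added example, not code from any of the cited sources: it compares the version string a Jenkins instance reports (the X-Jenkins response header) against the first releases that fixed CVE-2024-23897, which are 2.442 on the weekly line and 2.426.3 on the LTS line according to the Jenkins security advisory for that CVE. The host names and header values are constructed for illustration.

```python
# Added example: flag Jenkins instances still below the fix for CVE-2024-23897.
# Fix versions (weekly 2.442, LTS 2.426.3) come from the Jenkins advisory;
# the sample hosts and header values below are constructed, not real.
import re

FIXED_WEEKLY = (2, 442)     # weekly releases use two components, e.g. 2.441
FIXED_LTS = (2, 426, 3)     # LTS releases use three components, e.g. 2.426.2


def parse_version(text):
    """Turn '2.426.2' or '2.440' into a tuple of ints; None if unrecognised."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version_text):
    """True if the reported version predates the CVE-2024-23897 fix.

    LTS numbering (2.426.x) is numerically below the weekly fix (2.442), yet
    2.426.3 is patched, so each line is compared against its own fix version.
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised Jenkins version: {version_text!r}")
    if len(v) == 2:
        return v < FIXED_WEEKLY
    return v < FIXED_LTS


def triage(x_jenkins_by_host):
    """Map host -> 'patch', 'ok' or 'unknown' from recorded X-Jenkins headers."""
    verdicts = {}
    for host, header in x_jenkins_by_host.items():
        try:
            verdicts[host] = "patch" if is_vulnerable(header) else "ok"
        except ValueError:
            verdicts[host] = "unknown"   # no parseable version: inspect manually
    return verdicts


# Constructed sample: X-Jenkins header values as an inventory scan might record them.
SAMPLE = {
    "ci-build-01.internal": "2.426.2",   # LTS, one release behind the fix
    "ci-build-02.internal": "2.426.3",   # LTS, fixed
    "ci-weekly.internal": "2.441",       # weekly, one release behind the fix
    "ci-new.internal": "2.450",          # weekly, fixed
    "legacy.internal": "n/a",            # header missing or malformed
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts marked "patch" or "unknown" are the ones to follow up on; the check says nothing about whether an instance was actually exploited.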
Conclusion
The ransomware attack on India’s banking sector has had significant impacts on banking services and payment operations. Mitigations such as shutting down payment operations and ongoing negotiations with the ransomware group are in place. This attack underscores the importance of cybersecurity measures and the need for organizations to stay vigilant against evolving threats.
References
[1] https://www.ndtvprofit.com/technology/ransomexx-attack-on-indian-banking-infrastructure-cloudsek-analysis
[2] https://www.csoonline.com/article/3480250/over-300-indian-banks-suffer-payment-disruption-from-ransomware-attack.html
[3] https://www.cloudsek.com/blog/major-payment-disruption-ransomware-strikes-indian-banking-infrastructure
[4] https://www.infosecurity-magazine.com/news/ransomexx-targets-indian-banking/
[5] https://www.ndtvprofit.com/business/ransomexx-group-behind-ransomware-attack-on-c-edge-technologies-says-cloudsek
[6] https://economictimes.indiatimes.com/industry/banking/finance/banking/ransomexx-ransomware-strikes-indian-banks-cloudsek/articleshow/112194278.cms
[7] https://www.firstpost.com/tech/cybersecurity-experts-reveal-what-exactly-happened-in-the-ransomware-attacks-that-took-down-300-banks-13799726.html