• India saw a 53 per cent year-over-year increase in ransomware incidents in 2022, the Indian Computer Emergency Response Team (CERT-In) has said in its latest report.
• The IT and IT-enabled Services (ITeS) sector was the most affected, followed by finance and manufacturing.
• Ransomware players targeted critical infrastructure organisations and disrupted critical services in order to pressurise and extract ransom payments, according to the ‘India Ransomware Report 2022’.
• Last year, a massive ransomware attack disrupted the systems at the All India Institute of Medical Sciences (AIIMS), crippling its centralised records and other hospital services.
• Prevention deserves strong emphasis, because the time, cost and effort of responding to and recovering from a ransomware incident can be substantial.
• It is crucial to build cyber resilience with well-prepared and tested disaster recovery and business continuity plans (BCP) to avoid major operational disruption during a ransomware crisis.
What is ransomware?
Ransomware is a category of malware that gains access to systems and makes them unusable to their legitimate users, either by encrypting files on the targeted systems or by locking the screen, until a ransom is paid. Ransomware actors also threaten to sell or leak any data exfiltrated before encryption if the ransom is not paid.
Although there are countless strains of ransomware, they fall into two main categories.
i) Crypto Ransomware encrypts files on a computer so that they become unusable.
ii) Locker Ransomware blocks standard computer functions from being accessed.
How does ransomware work?
1) Access: Attackers gain access to your network. They establish control and plant malicious encryption software. They may also take copies of your data and threaten to leak it.
2) Activation: The malware is activated, locking devices and encrypting data across the network so that you can no longer access it.
3) Ransom demand: Usually you will then receive an on-screen notification from the cyber criminal, explaining the ransom and how to make the payment to unlock your computer or regain access to your data.
Payment is usually demanded via an anonymous web page and usually in a cryptocurrency.
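To show what the activation step above looks like from the defender's side, here is an added Python example (not from the CERT-In report or this article). It scans constructed file-system events for the signature of the encryption phase: a burst of rewrites by one process whose new contents have the near-random byte distribution of ciphertext, followed by a dropped ransom note. The entropy cut-off, burst threshold, event field names and ransom-note filename hints are all assumptions for illustration.

```python
"""Added example: a toy detector for the 'activation' (encryption) phase.

Not from the CERT-In report or this article. It scans constructed
file-system events for the tell-tale burst of high-entropy rewrites by
one process, plus a dropped ransom note. Thresholds, field names and the
ransom-note filename hints are assumptions for illustration.
"""
import math
from collections import defaultdict

# Ciphertext is close to uniformly random (~8 bits/byte); text and most office
# documents are far below. 7.0 is an assumed practical cut-off.
ENTROPY_THRESHOLD = 7.0
BURST_THRESHOLD = 3        # high-entropy rewrites by one pid in one window
WINDOW_SECONDS = 60
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "how_to")  # illustrative


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: str) -> bool:
    """Cheap filename heuristic for the on-disk ransom demand."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".txt") and any(h in name for h in RANSOM_NOTE_HINTS)


def detect_encryption_bursts(events):
    """Return one alert per (pid, time window) with >= BURST_THRESHOLD
    high-entropy writes, noting any ransom note created by that pid.

    Each event is a dict: ts (seconds), pid, op ('write' or 'create'),
    path, and for writes the bytes written as 'data'.
    """
    high_entropy = defaultdict(list)   # (pid, window) -> [paths]
    notes = defaultdict(list)          # pid -> [note paths]
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            high_entropy[(ev["pid"], ev["ts"] // WINDOW_SECONDS)].append(ev["path"])
        elif ev["op"] == "create" and looks_like_ransom_note(ev["path"]):
            notes[ev["pid"]].append(ev["path"])
    alerts = []
    for (pid, window), paths in sorted(high_entropy.items()):
        if len(paths) >= BURST_THRESHOLD:
            alerts.append({"pid": pid, "window": window, "files": paths,
                           "ransom_note": notes.get(pid, [])})
    return alerts


# Constructed sample input. ENCRYPTED stands in for ciphertext (entropy 8.0);
# PLAINTEXT is ordinary document text written by an unrelated process.
ENCRYPTED = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly patient census, ward 3. " * 20
SAMPLE_EVENTS = [
    {"ts": 1000, "pid": 4242, "op": "write", "path": "/data/records/p001.docx", "data": ENCRYPTED},
    {"ts": 1001, "pid": 4242, "op": "write", "path": "/data/records/p002.docx", "data": ENCRYPTED},
    {"ts": 1002, "pid": 4242, "op": "write", "path": "/data/records/p003.xlsx", "data": ENCRYPTED},
    {"ts": 1003, "pid": 4242, "op": "create", "path": "/data/records/README_TO_RESTORE.txt"},
    {"ts": 1005, "pid": 310, "op": "write", "path": "/home/clerk/notes.txt", "data": PLAINTEXT},
]


def run_sample():
    return detect_encryption_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"pid {a['pid']}: {len(a['files'])} high-entropy rewrites, "
              f"ransom note: {a['ransom_note'] or 'none'}")
```

The caveat a practitioner would add: already-compressed or encrypted formats (archives, images, some PDFs) are also high-entropy, so in production this signal is combined with others, such as mass extension changes or writes to planted canary files, and the ransom-note filename varies by family.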
Ransomware trends
• Ransomware gangs have broadened their attacks across critical sectors with increased frequency and complexity.
• Attackers are using Living Off the Land Binaries (LOLBins), i.e. tools already present on the victim's systems, together with legitimate tools available from sources such as GitHub, during the infection phases.
• The financially motivated Ransomware-as-a-Service (RaaS) ecosystem is becoming prominent, with double extortion (encryption plus the threat of leaking stolen data) and triple extortion (adding further pressure, for example on the victim's customers or partners) used to cause business disruption and force the victim to pay.
• Geopolitical conflicts, not only money, also influenced ransomware attacks. This trend may continue as ransomware broadens beyond financial motives and becomes a weapon of cyber warfare.
• Phishing remains the main route to initial network access; attackers also continue to exploit known vulnerabilities in publicly exposed applications and to acquire valid credentials and session cookies for remote-access services, mainly from infostealer logs sold on the dark web and underground forums.
• By variant, LockBit was the most commonly seen in the Indian context, followed by Makop and Djvu/Stop. Many new variants were observed in 2022, such as Vice Society and BlueSky.
• At the large-enterprise level, LockBit, Hive, ALPHV/BlackCat and Black Basta became major threats, whereas Conti, which was very active in 2021, ceased operations in the first half of 2022.
• The Makop and Phobos families mainly targeted small and medium organisations. At the individual level, Djvu/Stop variants have continued to dominate attacks over the past few years.
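To make the LOLBin point concrete, here is an added Python example (not from the CERT-In report or this article) that scans constructed Windows process-creation log lines for the argument patterns with which ransomware commonly drives built-in administration tools to destroy recovery points before encrypting. The key=value log format, the rule list and the log lines themselves are assumptions for illustration.

```python
"""Added example: flagging Living Off the Land binary abuse in process logs.

Not from the CERT-In report or this article. The rules look for the
argument patterns with which ransomware commonly drives legitimate Windows
tools to wipe recovery points before encrypting. The key=value log format,
the rule list and the log lines themselves are constructed for illustration.
"""
import re

# (pattern over the lower-cased command line, label). The binaries are all
# legitimate; only the combination of binary and arguments is suspicious,
# which is why a bare "vssadmin.exe ran" rule would drown in admin noise.
LOLBIN_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"), "vssadmin shadow copy deletion"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "wmic shadow copy deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b"), "bcdedit disabling Windows recovery"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"), "wbadmin backup catalog deletion"),
]

# Assumed log line shape: <ts> host=<h> user=<u> pid=<n> cmd="<command line>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def match_lolbin(cmd: str):
    """Return the label of the first rule the command line matches, else None."""
    lowered = cmd.lower()
    for pattern, label in LOLBIN_RULES:
        if pattern.search(lowered):
            return label
    return None


def scan(lines):
    """Run every line through the parser and rules; return the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash the scan
        label = match_lolbin(rec["cmd"])
        if label:
            findings.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                             "pid": rec["pid"], "rule": label, "cmd": rec["cmd"]})
    return findings


# Constructed sample log: one benign vssadmin query, three destructive
# commands from the same host and account, one benign bcdedit query, one
# malformed line.
SAMPLE_LOG = [
    '2022-11-23T03:14:07Z host=FILESRV01 user=CORP\\svc_backup pid=5120 cmd="vssadmin.exe list shadows"',
    '2022-11-23T03:14:09Z host=FILESRV01 user=CORP\\svc_backup pid=5128 cmd="vssadmin.exe delete shadows /all /quiet"',
    '2022-11-23T03:14:10Z host=FILESRV01 user=CORP\\svc_backup pid=5133 cmd="wmic.exe shadowcopy delete"',
    '2022-11-23T03:14:12Z host=FILESRV01 user=CORP\\svc_backup pid=5140 cmd="bcdedit.exe /set {default} recoveryenabled No"',
    '2022-11-23T03:20:01Z host=WS-0417 user=CORP\\ajoshi pid=2201 cmd="bcdedit.exe /enum"',
    'unparseable line from a misconfigured forwarder',
]


def run_sample():
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['host']} {f['user']} pid={f['pid']}: {f['rule']} <- {f['cmd']}")
```

Because these are the same binaries administrators and backup jobs use, the rules match arguments rather than executable names, and a real deployment would still baseline scheduled backup activity so that a legitimate shadow-copy rotation is not paged as an incident.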
Ransomware restoration & recovery time
• Ransomware restoration & recovery time is dependent upon multiple factors like level of infection, affected applications, availability of backups and images, and business continuity preparedness.
• The time, effort and cost involved are significant even when clean backups are available. A business continuity plan (BCP) is essential to avoid major operational disruption.
• When ransomware strikes, many organisations do not know the scope of the infection (the blast radius). An out-of-date IT inventory, poor network segmentation and visibility gaps are the main obstacles to ascertaining how far the infection has spread, which leads to enormous effort in sanitising each and every system on the affected network.
• Rebuilding applications may also take considerable time if golden images or backups are unavailable or inaccessible.
• On average, restoration takes about 10 days for infections in reasonably large infrastructure networks, around three days for smaller networks and about one day for individual systems.
What is CERT-In?
• The Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to cyber attacks and guarding Indian cyberspace.
• It is a statutory organisation under the Ministry of Electronics and Information Technology.
• CERT-In has been operational since January 2004.
• CERT-In has been designated under Section 70B of the Information Technology Act, 2000 to serve as the national agency to perform the following functions in the area of cyber security:
i) Collection, analysis and dissemination of information on cyber security incidents.
ii) Forecast and alerts of cyber security incidents.
iii) Emergency measures for handling cyber security incidents.
iv) Coordination of cyber security incident response activities.
v) Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
vi) Such other functions relating to cyber security as may be prescribed.
• CERT-In raises awareness of security issues by disseminating information on its website (https://www.cert-in.org.in) and operates a 24x7 incident response help desk.
• CERT-In provides incident prevention and response services as well as security quality management services.