CCW202408003 - Project
Presentation Transcript
Cyber Warrior Batch-08

Implications of Ransomware and a few case studies with possible prevention techniques (best practices)

Name: ARUMUGAM M
Roll No: CCW202408003
Table of Contents

Scope ........ 3
Objective ........ 3
1. Background ........ 3
2. Literature Review ........ 4
3. Ransomware Study – Analysis ........ 6
3.1 Introduction ........ 6
3.2 How does ransomware work? ........ 11
3.3 How Ransomware Syndicates Work ........ 14
3.4 How to Combat Ransomware ........ 16
3.5 Why Starting Over Using Backups is the Best Approach ........ 18
3.6 How Object Lock Protects Backups ........ 18
3.7 Why Not Just Use System Restore? ........ 19
3.8 Case Study ........ 20
3.8.1 All India Institute of Medical Sciences, New Delhi [AIIMS] ........ 20
3.8.2 Ransomware attack on C-EDGE Technologies ........ 22
3.9 Conclusion ........ 23
3.10 Bibliography ........ 24
Scope:

In recent days, ransomware attacks have become a serious threat to businesses of every size, from small start-ups to large enterprises. Cybercriminals look for every possible way to exploit weaknesses, and once they have access to a business network they demand a ransom in cryptocurrency. This review examines recent ransomware attacks to understand the targeted industries, how cybercriminals operate as syndicates offering Ransomware as a Service, how ransomware attacks are evolving (including new types and tactics such as double extortion), and the best practices for mitigating and avoiding these attacks.

Objective:

Considering the major digital threat posed by ransomware, this review covers the basics of ransomware and its types, its attack methods (known as vectors), and how ransomware has become more sophisticated since the 1980s. The review also provides insights into the ransomware life cycle and suggests that adopting a zero-trust policy and other best practices can help mitigate zero-day attacks.

1. Background:

In recent years, ransomware attacks have become one of the most pressing cybersecurity threats, affecting organizations across industries, from small businesses to large enterprises. These attacks are not just about the potential financial loss of paying a ransom; they also create significant risks to data security, operational disruption and reputational damage. Cybercriminals target many industries, but some sectors are hit harder than others. Government agencies, healthcare providers, financial institutions and some critical infrastructure are frequent targets, because they handle sensitive data and downtime there has severe consequences.

Given the increasing frequency and severity of ransomware attacks, it is important for organizations to understand how ransomware works, the tactics used by cybercriminals, and the best practices for mitigating risk. This paper aims to provide an overview of ransomware, including its evolution, types, attack methods, and the syndicate nature of modern ransomware operations. By understanding these aspects, organizations can better prepare for and defend against the ransomware threat. This paper also covers a recent example, the 2022 ransomware attack on the All India Institute of Medical Sciences in New Delhi, which caused significant disruption and highlighted the severe impact of such attacks on essential services.

2. Literature Review

This paper reviews several studies on ransomware incidents: Berry's exploration of the connection between cryptocurrency and cyber-attacks; Caroscio et al.'s analysis of a ransomware attack on the D.C. Metropolitan Police Department; Din's discussion of various companies affected by ransomware in 2021; Kiesel et al.'s examination of a multi-vector ransomware attack on the Accellion File Transfer Appliance server; Robb's overview of the state of ransomware in 2023; Toulas's account of an attack claimed by Royal ransomware on the Queensland University of Technology; and Vehabovic et al.'s work on ransomware detection and classification strategies.

2.1 The Evolution of Cryptocurrency and Cyber-attacks, by Berry

Berry looks at how the rise of cryptocurrency is linked to the increase in ransomware attacks. He describes two main types of ransomware: screen-lockers (which block your computer unless you pay) and encryptors (which lock your data until you pay). He notes that ransomware existed before cryptocurrency and does not need it to work.

2.2 Analyzing the Ransomware Attack on the D.C. Metropolitan Police Department by Babuk, by Caroscio et al.

Caroscio et al. study a ransomware attack by the Babuk group on the D.C. Metropolitan Police Department. They explain that ransomware can cause major financial and data-related damage. The attack had several steps: gaining access, keeping access, encrypting data, and demanding a ransom. They suggest ways to prevent such attacks, such as regular security checks and better public awareness.

2.3 Some of the Companies Affected by Ransomware in 2021, by Din

Din discusses how ransomware attacks are becoming more common, often by exploiting security weaknesses. She mentions that over 200,000 new ransomware versions appear every day, causing major harm. Many companies pay the ransom quietly to avoid bad publicity. She lists companies hit by ransomware in 2022 and 2023, with details of the attacks.

2.4 Analyzing a Multi-Vector Ransomware Attack on the Accellion File Transfer Appliance Server, by Kiesel et al.

Kiesel et al. analyze an attack on the Accellion File Transfer Appliance (FTA) server. The attackers threatened to release stolen data if they were not paid. The study discusses how Accellion and its clients responded, noting that the effects of the attack could last for years. They found that poor communication about security updates made the situation worse.

2.5 The State of Ransomware in 2023, by Robb

Robb lists ransomware incidents from 2023. In January there were 33 attacks, mostly in education. In February there were 40, with governments the main target. He provides detailed information about each attack, the affected organizations, and the types of ransomware used.

2.6 Royal Ransomware Claims Attack on Queensland University of Technology, by Toulas

Toulas describes how ransomware works by taking over systems, blocking access to files, and demanding a ransom. He explains that these attacks are easy to carry out because of cheap technology, digital currency, and easy access to the internet. He identifies poor cyber education and weak security as reasons for successful attacks and suggests ways to lessen their impact.

2.7 Ransomware Detection and Classification Strategies, by Vehabovic et al.

Vehabovic et al. study how to detect and classify ransomware, which causes harm by locking data. They discuss methods such as network-based and host-based detection, forensic analysis, and tracking the origins of ransomware. They also review tools that can help identify ransomware.
3. Ransomware Study – Analysis

3.1 Introduction:

1. What is Ransomware?

Ransomware is malicious software created with the intention of demanding or collecting money from its victims. Once ransomware infects a victim's device, it encrypts critical data or blocks access to the device, after which the attackers demand a ransom payment.

2. Ransomware Evolution:

The image shows a timeline of major ransomware attacks from 1989 to 2023. It highlights important milestones, such as the shift from symmetric encryption methods to cryptocurrency payments and the growing sophistication of ransomware tactics. Notable ransomware families such as Ryuk, Conti, LockBit, and REvil are shown along with the years of their notable attacks. The image also categorizes these attacks by target type, including government entities and critical infrastructure. Overall, it offers a visual overview of how ransomware attacks have evolved and become more complex over the years.

Figure 1. Evolution of ransomware (from reference)

The analysis by Comparitech over the past six years has provided insights into ransomware variants and the industries they have affected.

Figure 2. Top ransomware strains by industry worldwide, 2018 to 2024

The table presents a detailed overview of ransomware attacks in India from 2018 to 2024, highlighting the industries affected across different cities. The data shows a significant increase in attacks, with notable incidents involving well-known companies and government institutions.

Table: Ransomware attacks in India, 2018 to 2024

Date     | Company Name                                                                 | Industry   | Sub-Industry      | City               | Ransomware Strain
---------|------------------------------------------------------------------------------|------------|-------------------|--------------------|------------------
Feb 2024 | Motilal Oswal                                                                | Business   | Finance           | Mumbai             | LockBit
Mar 2024 | Polycab                                                                      | Business   | Retail            | Mumbai             | LockBit
Feb 2024 | BSR Infratech India Ltd.                                                     | Business   | Construction      | Bengaluru          | Unknown
Apr 2024 | Delhi Police                                                                 | Government | Government        | Delhi              | KillSec
May 2024 | V-Star Creations Private Limited                                             | Business   | Retail            | Kerala             | LockBit
Apr 2024 | Regional Cancer Center (RCC)                                                 | Healthcare | Healthcare        | Thiruvananthapuram | Unknown
Jul 2024 | C-Edge Technologies Limited (Brontoo Technology Solutions India Private Limited) | Business | Finance         | Thane              | RansomEXX
Aug 2024 | Sobha Limited                                                                | Business   | Construction      | Bengaluru          | RansomHub
Apr 2023 | Fullerton India                                                              | Business   | Finance           | Mumbai             | LockBit
Jan 2023 | Controller of Communication Accounts (CCA)                                   | Government | Government        | Vijayawada         | Unknown
Jan 2023 | Solar Industries Limited India                                               | Business   | Manufacturing     | Nagpur             | ALPHV/BlackCat
Feb 2023 | SRF Limited                                                                  | Business   | Manufacturing     | Vadadla            | LockBit
Feb 2023 | Sun Pharmaceutical Industries Ltd.                                           | Business   | Healthcare        | Mumbai             | ALPHV/BlackCat
Mar 2023 | Gujarat Mineral Development Corporation                                      | Government | Government        | Ahmedabad          | Medusa
May 2023 | KD Hospital                                                                  | Healthcare | Healthcare        | Ahmedabad          | Unknown
Apr 2023 | Insurance Information Bureau of India                                        | Government | Government        | Telangana          | Unknown
May 2023 | Madhya Pradesh Power Management Company Limited                              | Business   | Utilities         | Madhya Pradesh     | Unknown
May 2023 | Granules India Limited                                                       | Business   | Healthcare        | Hyderabad          | LockBit
Apr 2023 | Uttar Pradesh State Road Transport Corporation                               | Government | Government        | Uttar Pradesh      | ALPHV/BlackCat
Jun 2023 | Tech Mahindra (affecting Perpetual)                                          | Business   | Technology        | Pune               | Akira
Aug 2023 | Kansai Nerolac Ltd.                                                          | Business   | Manufacturing     | Mumbai             | Unknown
Aug 2023 | Kansai Nerolac Paints Ltd                                                    | Business   | Retail            | Mumbai             | LockBit
Sep 2023 | Tamil Nadu Police                                                            | Government | Government        | Tamil Nadu         | Unknown
Dec 2023 | HCLTech                                                                      | Business   | Technology        | Noida              | Unknown
Dec 2023 | Western Railway                                                              | Government | Government        | Mumbai             | Unknown
Dec 2023 | Madhya Pradesh Urban Development and Housing Department                      | Government | Government        | Madhya Pradesh     | Unknown
Nov 2023 | National Aerospace Laboratories                                              | Business   | Service           | Bengaluru          | LockBit
Sep 2022 | Can Fin Homes Ltd                                                            | Business   | Finance           | Bengaluru          | Unknown
Apr 2022 | Oil India Limited                                                            | Government | Government        | Duliajan           | Unknown
May 2022 | SpiceJet                                                                     | Business   | Transportation    | Gurugram           | Unknown
Jun 2022 | Goa Water Resource Department                                                | Government | Government        | Goa                | Unknown
Mar 2022 | National Institute of Mental Health and Neurological Sciences (NIMHANS)      | Healthcare | Healthcare        | Bengaluru          | Unknown
Oct 2022 | Tata Power                                                                   | Business   | Utilities         | Mumbai             | Hive
Nov 2022 | AirAsia Group                                                                | Business   | Transportation    | Karnataka          | Daixin Team
Nov 2022 | All India Institute of Medical Sciences (AIIMS)                              | Healthcare | Healthcare        | Delhi              | ChamelGang
Sep 2022 | IPCA Laboratories                                                            | Business   | Healthcare        | Mumbai             | RansomHouse
Sep 2022 | Aarti Drugs Ltd.                                                             | Business   | Healthcare        | Mumbai             | BianLian
Dec 2022 | School (unnamed)                                                             | Education  | Education         | Guntur             | Unknown
Aug 2021 | Pine Labs                                                                    | Business   | Technology        | Noida              | BlackMatter
Feb 2021 | Ansal Housing                                                                | Business   | Service           | Uttar Pradesh      | Unknown
May 2021 | Finolex Cables Ltd.                                                          | Business   | Manufacturing     | Pune               | Conti
Sep 2021 | Jawaharlal Institute of Postgraduate Medical Education and Research (JIPMER) | Education  | Education         | Pondicherry        | Unknown
Mar 2021 | Maharashtra Industrial Development Corporation (MIDC)                        | Government | Government        | Mumbai             | SynAck
Apr 2021 | Navnit Group                                                                 | Business   | Manufacturing     | Thane              | Xing Team
May 2021 | Nucleus Software Exports                                                     | Business   | Technology        | Noida              | EpsilonRed
Sep 2021 | Tamil Nadu Public Department                                                 | Government | Government        | Tamil Nadu         | Unknown
Mar 2021 | Tata Steel Group                                                             | Business   | Manufacturing     | Mumbai             | REvil
Dec 2021 | Subex (Sectrio)                                                              | Business   | Technology        | Bengaluru          | Unknown
Nov 2021 | Private Hospital (unnamed)                                                   | Healthcare | Healthcare        | Mysuru             | Unknown
Oct 2021 | Acer (India)                                                                 | Business   | Manufacturing     | Bangalore          | Desorden
Feb 2021 | Tech Mahindra (affecting Pimpri-Chinchwad Municipal Corporation Smart City)  | Business   | Technology        | Pune               | Unknown
Apr 2020 | Aban Offshore                                                                | Business   | Service           | Chennai            | Nefilim
Jun 2020 | Indiabulls Group                                                             | Business   | Finance           | Haryana            | Clop
Aug 2020 | Apollo Tyres Ltd                                                             | Business   | Manufacturing     | Gurugram           | NetWalker
Dec 2020 | Nav Jeevan Co-operative Bank                                                 | Business   | Finance           | Ulhasnagar         | Egregor
Oct 2020 | Biological E Ltd.                                                            | Business   | Healthcare        | Hyderabad          | Ragnar Locker
Oct 2020 | Dr Reddy's Laboratories                                                      | Business   | Healthcare        | Hyderabad          | Unknown
Oct 2020 | Eros Group                                                                   | Business   | Service           | Delhi              | Egregor
Jul 2020 | Haldiram                                                                     | Business   | Food and Beverage | Nagpur             | Unknown
Feb 2020 | IIT Madras                                                                   | Education  | Education         | Chennai            | Unknown
Jul 2020 | Indoco Remedies Ltd                                                          | Business   | Healthcare        | Mumbai             | Nefilim
Oct 2020 | JSW Steel                                                                    | Business   | Manufacturing     | Mumbai             | SunCrypt
Sep 2020 | Khadim India Ltd                                                             | Business   | Retail            | Kolkata            | Netwalker
Aug 2020 | Mithaas Sweets                                                               | Business   | Food and Beverage | Noida              | Unknown
Jun 2020 | National Highways Authority of India                                         | Government | Government        | Delhi              | Maze
Oct 2020 | Press Trust of India (PTI)                                                   | Business   | Other             | New Delhi          | LockBit
Jan 2018 | Pulkit Khandelwal Accounting Firm                                            | Business   | Finance           | Jaipur             | Unknown
Jul 2018 | Hotel Three Star                                                             | Business   | Other             | Kharghar           | Unknown
Jul 2018 | Mahatma Gandhi Mission (MGM) Hospital                                        | Healthcare | Healthcare        | Mumbai             | Unknown
Mar 2018 | Uttar Haryana Bijli Vitran Nigam Limited (UHBVNL)                            | Government | Government        | Panchkula          | Unknown

3. Ransomware Types:

Ransomware affects all industries, but government entities and organizations, healthcare, and transport systems including the aviation industry are particular targets. In recent years, by adopting Ransomware as a Service (RaaS), attackers have shifted to sophisticated and widespread operations that are challenging to defend against. Within this landscape, ransomware can be categorized into three primary types: screen-locking ransomware, file-encrypting ransomware, and double-extortion ransomware.

I. Screen-locking ransomware: This type demands a ransom payment by blocking access to the victim's computer, locking the screen so that it cannot be used. It does not encrypt the victim's files. Even after restarting the computer, the system remains locked until the ransom is paid.
II. Double extortion ransomware: Cybercriminals encrypt the victim's data and also steal sensitive information, then threaten to leak the stolen data publicly unless the ransom demand is met. This puts victims in a difficult position, as they face the potential reputational and financial damage of a data breach even if they have backups.

Triple extortion: This is the most severe form of ransomware attack. Beyond misusing the victim's data, it adds the threat of malicious activity against the sensitive data of the victim's customers or clients. This increases the probability of ransom payment, since both the victim organisation's reputation and its customers' goodwill are at stake.

III. File-encrypting ransomware: Using a cryptographic algorithm, this ransomware encrypts the victim's data and files and demands payment for the decryption keys. This type of ransomware normally uses asymmetric cryptography for its encryption operations, creating a public/private key pair that is unique to the victim and the threat actor.

3.2 How does ransomware work?

Attackers deliver malicious code to a victim's computer or device on the network by various methods, such as malicious email attachments, spam links, or sophisticated social engineering. After gathering access information, they use a range of tactics, techniques and procedures (TTPs) to compromise the victim's infrastructure and carry out the attack. Here is a general overview of how an attack usually takes place:

1. Initial Compromise: The ransomware gains access to a system or environment through methods such as exploiting software vulnerabilities, phishing emails, physical media like USB drives, or brute-force attacks. Once it has reached an endpoint or network device, it installs itself and allows the attacker to gain remote control.

2. Secure Key Exchange: After installation, the ransomware connects to the attacker's command and control server. This connection initiates the creation of the cryptographic keys needed to lock the system.

3. Encryption: The ransomware then starts encrypting files on the infected device and across the network. This encryption makes the files inaccessible without the decryption keys.

4. Extortion: Once files are encrypted, the ransomware presents a ransom note that states how much ransom is required, provides payment instructions, and spells out the consequences if the ransom is not paid.

5. Recovery Options: At this point the victim has two choices: pay the ransom, or remove the malware and restore the files from a clean backup.

3.2.1 Initial compromise TTPs: Human attack vectors

Human error is one of the biggest weaknesses in security systems, and cybercriminals exploit it through social engineering, which misleads people into revealing confidential or personal information for fraudulent purposes. Common human attack vectors include:

1. Phishing: Scammers send emails that look genuine to tempt people into clicking harmful links or opening dangerous attachments. Some phishing attempts target many people at once; attempts that focus on specific individuals are called "spear phishing." Spear phishing uses research to make the email seem very believable, often using names or topics familiar to the recipient. Advanced methods, such as using AI models like ChatGPT, can make these attacks even more convincing and effective.

2. SMSishing: This method uses text messages to deceive recipients into visiting malicious websites or entering personal information. SMSishing often involves fake messages that appear to come from trusted sources such as financial institutions or service providers. Some variants also spread by themselves, sending malicious messages to everyone in the victim's contact list.

3. Vishing: Similar to phishing and SMSishing, vishing targets the victim using voice messages. Recent advances in AI have made vishing more sophisticated, including deepfake technology that can mimic the voices of high-ranking company officials to mislead the public or shareholders, leading to significant financial losses.

4. Social Media: Social media platforms can be a major channel for luring victims into downloading malicious content such as images, videos, or other files. These files infect the user's system once opened, leading to a ransomware attack.

5. Instant Messaging: IM services like WhatsApp, Facebook Messenger, Telegram, and Snapchat, which collectively have over four billion users, are also used for ransomware attacks. Messages that appear to come from trusted contacts can contain harmful links or attachments that infect the recipient's device and may spread to their contacts as well.

Overall, ransomware attacks often exploit human psychological vulnerabilities more than they rely on advanced technology.

3.2.2 Initial compromise TTPs: Machine attack vectors

In machine-to-machine attacks, human involvement is minimal. While individuals might inadvertently trigger these attacks by visiting websites or using computers, the attack process itself is automated and does not require direct human action to compromise systems or networks. Here is an overview of common machine-to-machine attack methods:

1. Drive-by: This attack is particularly insidious. If a user visits a website containing malware hidden within images or other content, the malware can infect the system simply by loading the page. The user does not need to click on anything; visiting the site is enough to become a victim.

2. Known System Vulnerabilities: Cybercriminals exploit weaknesses in systems that have not been updated with the latest security patches. By targeting these known vulnerabilities, attackers gain unauthorized access and install ransomware.

3. Malvertising: This technique delivers malware through advertisements. Malicious ads may appear on search engines or popular social media platforms, and sometimes on adult websites. Interacting with these ads can lead to malware infection.

4. Network Propagation: Once ransomware infects a system, it can scan for file shares and other accessible computers on the same network. The malware then spreads to these systems, potentially infecting file servers and shared resources. The infection continues to propagate until it encounters security barriers or exhausts the available systems.

5. Propagation Through Shared Services: Ransomware can also spread through online file-sharing or syncing services. If malware infects a shared folder on a personal computer, it can quickly transfer to office systems or other connected devices. Automatic syncing features in these services can facilitate rapid spread of the malware.

To mitigate these risks, it is important to manage the settings of systems that automatically sync files and to exercise caution when sharing files. Ensuring that files come from trusted sources and keeping systems updated with the latest security patches helps prevent these types of attacks.

3.3 How Ransomware Syndicates Work

Nowadays a new concept called Ransomware as a Service (RaaS) is a game changer in cybercrime, making it easier for people with little experience to launch ransomware attacks. This model has played a major part in the huge increase in both the number and sophistication of these attacks around the world. Before RaaS, a lot of technical skill and resources were required to carry out a ransomware attack, so only skilled hackers or organized crime groups could perform one. RaaS platforms have made attacks simpler by providing ready-made, easy-to-use ransomware tools and kits, along with supporting services, on the dark web. Ransomware attackers use these kits to deploy the ransomware and then share the ransom money with the RaaS providers.

RaaS is very profitable, which has attracted many different cybercriminals. In this system, some criminals develop the ransomware and sell it through RaaS platforms. Others, known as "distributors," spread the ransomware using methods like phishing emails or hacked websites. In this way, each person focuses on what they are good at, while the RaaS operators handle the business side and take a share of the ransom money.

3.3.1 Ransomware Market Dynamics and What It Means
Ransomware-as-a-Service (RaaS) makes ransomware more like a product that can be bought and sold. As the number of service providers increases, competition lowers prices and sometimes even leads to price battles. This competition pushes creators to constantly improve and update their ransomware, which keeps it a persistent threat.

To protect against the growing danger of RaaS, both organizations and individuals need strong cybersecurity. It is important to regularly back up data and have a solid plan for dealing with attacks. Testing your backup systems to make sure they work is key, so that businesses can recover quickly and reduce damage.

The flowchart below shows how the different parts of the RaaS system work together. This setup allows ransomware to spread more easily and become an even bigger threat.

3.3.2 Dark Web Service Providers

Unlike past cases, such as the David Levi Phishing Gang from 2005, today's cybercrime networks are decentralized, spread out and operating mostly on the dark web, which makes tracking down and catching ransomware operators much more challenging than it used to be. Here is how these networks work and the roles involved:

Botmasters: These groups or individuals set up large networks of infected computers. They sell access to these compromised devices to other cybercriminals who want to use them for their own attacks.

Access Sellers: They exploit known software vulnerabilities before they are fixed and then sell access to the vulnerable servers to other cybercriminals.

Operators: These are the ones who actually carry out the attacks. They use access bought from botmasters or access sellers and ransomware software purchased from developers or created themselves. Depending on the sophistication of their operation, they may have a full team that includes customer service, IT support, and marketing.

Developers: These people write and create ransomware software. They sell this software to other cybercriminals and get a share of the ransom payments.

Packer Developers: They add extra layers of protection to ransomware software, making it harder for security systems to detect.

Analysts: These groups or individuals assess a victim's financial situation to determine how much ransom they are likely to pay.

Affiliates: These are individuals or groups that buy or hire ransomware as a service from operators or developers and use it to carry out attacks. They share a portion of the ransom with the creators.

Negotiating Agents: They handle communications with the victims, negotiating ransom terms and payments.

Laundering Services: These services convert ransom payments made in cryptocurrency into traditional money or other usable assets, helping cybercriminals cash out their gains.

This complex web of roles and services, mostly operating on the dark web, makes it difficult to track and disrupt ransomware operations effectively.

3.3.3 Victim-side Service Providers

After a cyber-attack, other key players come into the picture on the victim's side, in addition to the groups directly involved in carrying out ransomware attacks. These individuals and organizations can benefit from ransomware incidents in various ways:

1. Incident Response Firms: These consultants have the specialised skills to respond to and recover from ransomware attacks. They identify the infected areas, contain the attack, restore systems, and manage communication during the recovery process.

2. Ransomware Brokers: Acting on the victim's behalf, these professionals serve as intermediaries between the victim and the ransomware operators, handling the negotiation and payment of the ransom.

3. Insurance Providers: Insurance companies play a crucial role in compensating the victim for the damages and costs incurred due to the attack.

4. Legal Counsel: Lawyers manage the interactions between the ransomware broker, the insurance provider, and the victim. They also offer legal advice on decisions such as whether or not to pay the ransom and how to handle any legal implications of the attack.

3.4 How to Combat Ransomware
Depending on industry regulations and legal requirements, immediate and strategic action are crucial in the event of a ransomware attack, immediate and strategic actions are crucial. which are frequently updated, reporting the attack may be mandatory. If reporting is not required, focus on damage control. Here are the steps to take: 1.Isolate the Infection By disabling Wi-Fi/Bluetooth, un plug LAN To stop further spreading on ransomware is the first step. This isolation helps stop the ransomware from moving to other computers and prevents it further communications with the attackers. It is important to note that ransomware might affect more than one device, so all connected machines should be treated as potential threats until the infection is confirmed to be contained. 2.Identify the Infection It is very important to determine the type of ransomware variants which has infected the system for understanding how it operates and what can be done to address it. Tools and resources like ID Ransomware or the No More Ransom! Project can help identify the specific ransomware strain. This information is vital for knowing how the ransomware spreads, what types of files it targets, and whether any removal tools or decryption options are available. Reporting the attack to authorities can also provide additional support and information. 3.Report to Authorities Reporting the ransomware attack to the appropriate authorities is an important step, even though it might involve some inconvenience. Reporting helps authorities track and combat ransomware trends and gather information about attack methods and perpetrators. This collective knowledge is crucial for improving security measures and preventing future attacks. 4.Evaluate Other Options CCW202408003 Page 17 of 24
Paying does not guarantee the recovery of data and may encourage further attacks. Instead, focus on alternative solutions such as trying to remove the ransomware using available tools or preparing to rebuild the affected systems. 5.Restore and Rebuild This can be done by using secure backups to bring back data and systems to the state they were before the attack. It might be necessary to set up new systems, if backups aren’t available or the ransomware can’t be removed, Tools and support for removing ransomware are available through resources like the No More Ransom! Project. It's also important to regularly test backup restoration processes to ensure data can be quickly recovered if another attack happens. 3.5Why Starting Over Using Backups is the Best Approach The most reliable method is to perform a full wipe of all storage devices and reinstall everything from scratch. Formatting the hard drives ensures that no remnants of the ransomware remain. This approach provides the highest level of assurance that the system is clean and free of any hidden malware. When preparing to combat ransomware, it is important to pinpoint the exact date of infection by examining file modification dates, system messages, and other relevant information. This helps in understanding how long the ransomware may have been dormant before causing noticeable damage. By analyzing the specific type of ransomware involved, insights can be gained into its operation, which aids in crafting an effective recovery strategy. A significant issue is that many organizations quickly restore from backups without thoroughly scanning for residual malware. This can lead to reintroducing the ransomware into the production environment. To avoid this risk, it is essential to select backups made before the ransomware infection occurred. A sound backup strategy should include both local and off-site backups that were not connected to the network during the attack. 
Using a secure quarantine environment to test these backups before bringing systems back online ensures that no dormant ransomware remains.

3.6 How Object Lock Protects Backups
Object Lock functionality offers a strong defence against ransomware by using a write-once, read-many (WORM) model. Once data is written, it cannot be modified, encrypted, or deleted for a specified period. This creates a virtual air gap, similar to traditional LTO tape systems, where backups are physically removed from the network to prevent infection. Object Lock provides this security in the cloud, isolating the data from the production systems.

Object Lock is particularly valuable in several scenarios:

1. Replacing LTO Tape Systems: For those migrating from tape backups, Object Lock provides a comparable level of security without needing expensive physical infrastructure.

2. Protecting Sensitive Data: Object Lock can be used by industries with strict compliance requirements to set appropriate retention periods, ensuring adherence to regulations like HIPAA.

3. Disaster Recovery and Business Continuity: Object Lock helps reduce downtime and meet recovery goals by making backups unchangeable and safe from ransomware. This means you can quickly and reliably restore clean data.

3.7 Why Not Just Use System Restore?
Relying solely on a system restore point is not effective for completely removing ransomware. Malicious software can hide in various system components, making it difficult for system restore to eliminate all instances of the malware. Additionally, ransomware can encrypt local backups, making them as compromised as the rest of the system. A robust backup solution that is isolated from local systems provides a safer method for recovery. Object Lock lets files be restored from before an infection, allowing for the selection of specific files and ensuring the system is free of any remaining malware. Using these unchangeable backups helps reduce the chances of ransomware attacks and their impact.
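The WORM retention rule of section 3.6 together with the "restore only from backups made before the infection date" rule of section 3.5, as an added Python model (example code, not part of this report and not any vendor's Object Lock implementation; the bucket class, the backup object names and the timeline are constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class ObjectLockViolation(Exception):
    """Raised when an overwrite or delete hits an object still under retention."""

@dataclass
class LockedObject:
    key: str
    data: bytes
    written_at: datetime
    retain_until: datetime

@dataclass
class WormBucket:
    """Write-once, read-many store: nothing changes until retain_until has passed."""
    retention: timedelta
    objects: dict = field(default_factory=dict)

    def put(self, key: str, data: bytes, now: datetime) -> None:
        existing = self.objects.get(key)
        if existing and existing.retain_until > now:
            raise ObjectLockViolation(f"{key} is locked until {existing.retain_until:%Y-%m-%d}")
        self.objects[key] = LockedObject(key, data, now, now + self.retention)

    def delete(self, key: str, now: datetime) -> None:
        if self.objects[key].retain_until > now:
            raise ObjectLockViolation(f"{key} is locked and cannot be deleted")
        del self.objects[key]

def clean_backup_keys(bucket: WormBucket, infection_date: datetime) -> list:
    """Keys of backups written before the infection date, newest first (section 3.5)."""
    clean = [o for o in bucket.objects.values() if o.written_at < infection_date]
    return [o.key for o in sorted(clean, key=lambda o: o.written_at, reverse=True)]

def demo() -> dict:
    # Constructed timeline: nightly backups 20-22 Nov, infection pinpointed to 23 Nov.
    base = datetime(2024, 11, 20, 2, 0, tzinfo=timezone.utc)
    bucket = WormBucket(retention=timedelta(days=30))
    for i in range(3):
        stamp = base + timedelta(days=i)
        bucket.put(f"db-backup-{stamp:%Y-%m-%d}.bak", b"dump", stamp)
    infection = base + timedelta(days=3)
    try:  # ransomware-style overwrite of the newest backup: the lock must refuse it
        bucket.put("db-backup-2024-11-22.bak", b"<encrypted>", infection)
        blocked = False
    except ObjectLockViolation:
        blocked = True
    bucket.put("db-backup-2024-11-23.bak", b"dump", infection)  # post-infection copy: untrusted
    return {"blocked": blocked, "candidates": clean_backup_keys(bucket, infection)}
```

In a real deployment the lock is enforced by the storage service itself, so a compromised backup host cannot override it; this model only shows the decision logic.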
3.8 Case Study

3.8.1 All India Institute of Medical Sciences, New Delhi [AIIMS]:
In November 2022, India's premier medical institute, the All India Institute of Medical Sciences, New Delhi (AIIMS), was targeted by a major cyberattack. In this attack the eHospital network and most of its servers stopped working. All functions, including the emergency, out-patient, in-patient and laboratory wings, were shifted to manual management. On November 23, 2022, patients and doctors raised complaints that the hospital's services were very slow or not working at all. This problem forced the hospital to work manually. The National Informatics Centre (NIC) discovered the issue and found signs of a ransomware attack on the hospital's servers. This attack damaged all the files on the main and backup servers, causing major disruptions in the hospital's daily activities. As a result, services like OPD registrations and blood sample reports were stopped, leading to delays and inconvenience for both medical staff and patients. The attack especially affected the e-hospital system, which had been managed by NIC since 2011-12. This system's failure disrupted online services like OPD, emergency care, and other patient services at the hospital. To fix the issue, AIIMS decided on November 30, 2022, to get four new servers from the Defence Research and Development Organisation (DRDO) to restart the e-hospital services.

3.8.1.1 Impacts and Consequences:
The hospital's important data was locked, making it impossible for staff and the hospital to access files, databases, or applications on both the main and backup servers. The cyberattack stopped daily work at AIIMS, affecting services like appointments, registration, billing, and lab reports. The targeted databases included personal information of patients and healthcare workers, along with records about blood donors, ambulances, vaccinations, caregivers, and employee login details.
The report highlighted that the breach exposed the data of about 30–40 million patients, including sensitive information and medical records of several VIPs, such as former prime ministers, ministers, bureaucrats, and judges.

3.8.1.2 Response of Security Agencies:
Several agencies, including the Delhi Police, the Centre's Computer Emergency Response Team (CERT-In), the Ministry of Home Affairs, and the National Investigation Agency, started a joint investigation. The Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police filed a case of extortion and cyber terrorism, as the attackers demanded an undisclosed amount (allegedly Rs. 200 crore) in cryptocurrency to unlock the data. The Delhi Police invoked Section 66(F) of the Information Technology Amendment Act 2008, labelling the incident as cyber terrorism, which shows that this case is more serious than a typical ransomware attack. CERT-In and the National Informatics Centre worked to restore the hospital's servers and get services back to normal.

3.8.1.3 Findings:
CERT-In, the top cybersecurity agency in India, found that the hackers used two Protonmail addresses, "dog2398" and "mouse63209." These addresses were created in the first week of November 2022 in Hong Kong. They also found that another encrypted file was sent from China's Henan province. The affected servers were infected with three types of malware: Wammacry, Mimikatz, and Trojan. The investigation showed that the main server and the applications for OPD services were down because all the system files were encrypted with a .bak9 extension, a new file type that locked the system files. CERT-In's initial analysis showed that the cyberattack happened because the hospital's IT network was "unorganized", with no central monitoring or system administration. This meant that the infected devices were all connected and data could be accessed from any of them, with no one monitoring who was accessing these systems.
3.8.2 Ransomware attack on C-EDGE Technologies

3.8.2.1 Background
On 31 July 2024, NPCI (National Payments Corporation of India) published a tweet stating that C-Edge Technologies Ltd, a company providing tech services mainly for cooperative and regional rural banks, had been hit by a ransomware attack affecting some of its systems. To protect the larger payment system, NPCI temporarily cut off C-Edge Technologies from accessing the retail payment systems run by NPCI. As a result, customers of banks using C-Edge's services were unable to access payment systems during this time.

3.8.2.2 How the Attack Happened
a. Misconfiguration: Brontoo Technology Solutions, one of the partners of C-EDGE Technologies, filed a report with CERT-In (Indian Computer Emergency Response Team) indicating that the attack chain started from a misconfigured Jenkins server. The CloudSEK threat research team was able to pinpoint the compromised Jenkins server and trace the entire attack chain.

b. Exploitation: CVE-2024-23897 describes a security flaw in the Jenkins server which allows attackers to get into the server and access files without logging in. The vulnerability arises because the server does not properly check what is being requested, which allows attackers to manipulate settings and access important files. The Jenkins server used by Brontoo Technology had this same security flaw, known as a Local File Inclusion (LFI) vulnerability. It is suspected that, as port 22 (used for secure shell access) would have been open, the attacker might have gained remote access to the server by reading private keys stored on it. CloudSEK also suspected that access to Brontoo's server might have been sold by a threat actor named IntelBroker, who is a moderator on Breach Forums, to the RansomEXX group for further use.

c. Response:
Detection: The ransomware attack was detected promptly by the relevant authorities and C-Edge Technologies.
Isolation: The National Payments Corporation of India (NPCI) quickly responded by isolating C-Edge Technologies from the retail payments system to prevent the attack and damage from spreading further.
Coordination: NPCI coordinated with other regulatory bodies to manage the situation and reduce the impact.
Communication: NPCI issued a public notice to caution the customers of the 200-plus affected small banks about the temporary service disruption.

Organisations using Jenkins should take immediate measures to update their systems and fix the security flaw identified as CVE-2024-23897.

3.9 Conclusion:
With the advancement of technology, ransomware has become a major threat affecting individuals' personal information, businesses, and important services all over the world. Over time it has become easier for criminals to carry out these attacks, since ransomware has become more advanced and targeted, especially with the rise of Ransomware as a Service (RaaS). With the arrival of RaaS, the ransomware ecosystem has become complicated, with various roles, such as developers, operators, affiliates, and negotiators, all playing a part in carrying out these attacks. The dark web allows these criminals to operate in secret, making it hard for law enforcement to catch them.

In the fight against ransomware, organisations should take proactive steps, such as regularly backing up crucial data with date and time indexing, training employees to recognise phishing attempts, and keeping systems updated with the latest security patches. Using tools like Object Lock can also help protect backups and ensure data safety. In summary, ransomware is a serious and continuous threat which can cause significant harm.
However, by understanding how these attacks work and taking preventive measures, individuals and organisations can reduce the risk and protect their important data and systems. Fighting ransomware requires everyone, including governments, businesses, and individuals, to work together to stay ahead of this growing danger.