Advanced SOC Operations / CSOC , Legislation & Litigation , Standards, Regulations & Compliance

Ransomware Attack on State Govt. Dept. Raises Concerns

In what is possibly the first reported incident of its kind, a state government department in India fell prey to a ransomware attack earlier this year.

The incident points to the need to educate state-level IT operations, get security basics right and grow employee awareness of cyber risks.

The forest department of the state government of Kerala was the victim of a ransomware attack by cybercriminals, purportedly of Russian origin, according to a Sept. 29 report in the New Indian Express.

The department discovered that accounting and finance data on a local network was inaccessible after it was encrypted by unidentified hackers in March, according to the news report. Renjith A, project manager at CERT Kerala, told ISMG that an infection had taken place and that appropriate guidance was provided to the department's Forest Management Information Systems, or FMIS, team.

FMIS officials could not be reached to respond to Information Security Media Group's request for comment.

Renjith tells ISMG that guidelines based on detailed directives received from CERT-In for responding to these kinds of attacks were shared with the FMIS team. However, CERT was not involved in remediating the issue, he says.

"As the data was encrypted with a private key, there was no way to decrypt the data without the key, and as it is, there was no guarantee that paying the ransom would result in the attackers releasing the files. The other option was to start fresh with a clean installation and harden the systems," he says. Having communicated this to the FMIS team, the team decided to forgo trying to access the data because it was not very critical and reformatted the affected systems, after which the infrastructure was hardened against any further attack, he told ISMG.

Sources told the New Indian Express that the files were locked using the 'RSA - 4096' virus, and the infection took place when an 'official inadvertently downloaded an image and shared in on the local network'. Up to 20 computers were infected, the report says.

Law enforcement officials at the Kerala Cyber Cell say that no official complaint was received for this case - or any other ransomware incident, for that matter.

But according to the National Informatics Center, this was the first instance of an attack on a public system in the state of Kerala, the New Indian Express reports.

"The low level of user awareness is one of the primary reasons for these kind of attacks [succeeding]," Manu Zacharia, president and founder at the Kerala-based Information Security Research Association, tells me. "Lack of good endpoint protection as well as malware detection capabilities at the perimeter level are other reasons."

Zacharia, who until recently was an external consultant to Kerala-CERT, says he's certain the state IT CERT team is conducting regular monthly sessions with government officials on various cybersecurity issues and preventive measures. Efforts are also underway to strengthen the cybersecurity posture and readiness of government and state critical information infrastructure, he says.

Ransomware Rampant

In a blog earlier this year, I wrote about the growing menace of ransomware in India. Unlike high-profile breaches, these kinds of low-intensity attacks have continually been swept under the carpet by enterprises eager to protect their reputation. But no amount of denial is going to stop attackers targeting low hanging fruit.

It's only a matter of time before more such incidents at government, public sector entities, hospitals and other critical infrastructure come to light. And reformatting and starting over, as the State Forest Department of Kerala did, won't always be easy.

Ransomware attacks are becoming more common because of the low cost of waging an attack and the relatively high rate of return. And the attacks have successfully transitioned from targeting consumers to targeting business enterprises (see: Extortion Transitions from B2C to B2B).

Security firm Symantec says ransomware attacks are more common in India than any other Asian country. And the most common infection vector is malicious spam email. "This spam is distributed using a botnet that sends out large numbers of spam emails that use social-engineering tactics to trick recipients into compromising their computers," Symantec notes.

As Raimund Genes, CTO at Trend Micro, told me in a recent interview. many organizations continue to neglect basic security practices (see: Why Is Ransomware So Successful?). Add to this the rise of the cryptocurrency and the anonymous money transfer ecosystem, coupled with the growth of ransomware-as-a-service platform, and it's no wonder that ransomware attacks are escalating.

While many businesses may find it expedient to pay the ransom and make the problem go away, Vitaly Kamluk, Kaspersky Lab's director of the global research and analysis team in APAC, argues that paying a ransom is a bad idea. It reinforces the cybercriminal business model. And it can be bad for the enterprise, leading to more ransom demands. Plus, there's no guarantee that paying a ransom will actually result in regaining access to encrypted data, he notes (see: Ransomware Tips: Fighting the Epidemic).

Backing up files and testing the environment regularly are the two most logical recourses available to enterprises. The importance of basic security measures like gateway-level security and proxy filtering cannot be stressed enough. But Trend Micro's Genes says essential security steps are often being skipped. And ransomware is a clear reminder that the stronger the basic security foundation in an organization, the easier security can scale to meet new threats.

"Ransomware is malware at the end of the day," Genes says. "If you have got your basics right and proper risk management practices, these kind of normal things should not worry you."