Syllabus
GS Paper III – Awareness in the fields of IT, Space, Computers, robotics, nano-technology, bio-technology and issues relating to intellectual property rights.
Challenges to internal security through communication networks, role of media and social networking sites in internal security challenges, basics of cyber security; money-laundering and its prevention.
Context
A recent ransomware attack has significantly disrupted the operations of around 150-200 cooperative banks and Regional Rural Banks (RRBs) in India.
Ransomware Attacks in India
Introduction
A recent ransomware attack has severely disrupted the operations of at least 150-200 cooperative banks and Regional Rural Banks (RRBs) in India. The National Payments Corporation of India (NPCI) identified the attack, which primarily affected banks serviced by C-Edge Technologies Ltd., a joint venture between Tata Consultancy Services Ltd. (TCS) and State Bank of India (SBI). The attack targeted C-Edge Technologies Ltd., impairing their ability to provide services to these banks. Consequently, customers of the affected banks were unable to access payment systems, including Unified Payments Interface (UPI) and Aadhaar-enabled payment systems (AePS). However, some RRBs continued to function normally as they use different technology service providers, depending on their sponsor banks.
Ransomware
Ransomware is a type of malware that encrypts a victim’s data or locks their device, demanding a ransom for the decryption key or to regain access. Initially, ransomware attacks focused on encrypting data and demanding a ransom for the decryption key.
- Modern Tactics: Recent ransomware attacks have evolved to include double-extortion and triple-extortion tactics:
- Double-extortion: Attackers threaten to leak stolen data online if the ransom is not paid.
- Triple-extortion: Attackers use stolen data to target the victim’s customers or business partners.
- Types of Ransomware:
- Encrypting Ransomware (Crypto Ransomware): Encrypts the victim’s data, demanding a ransom for the decryption key.
- Non-encrypting Ransomware (Screen-locking Ransomware): Locks the victim’s entire device, displaying a ransom demand on the screen.
- Subcategories of Ransomware Include:
- Leakware or Doxware: Steals and threatens to publish sensitive data.
- Mobile Ransomware: Affects mobile devices, often using screen-lockers.
- Wipers: Threaten to destroy data, sometimes even if the ransom is paid.
- Scareware: Uses fear tactics to coerce payment, sometimes posing as legitimate alerts.
Ransomware as a Cyber Threat
- Financial Impact: Ransomware attacks can cost organizations millions of dollars. An IBM report showed that the average cost of a data breach reached an all-time high of Rs 19.5 crore (USD 2.35 million) in FY 2024, up by around 7% over 2023, with the local industrial sector being the most impacted. Ransomware victims and negotiators are often reluctant to disclose ransom payments.
- Speed of Attacks: Once hackers gain access to a network, they can deploy ransomware in less than four days, giving organizations little time to detect and respond.
Steps for Responding to a Ransomware Attack
- Isolate the Infected Device: Isolate the infected device from the network to contain the infection. Disconnect all suspiciously behaving devices from the network to stop the spread of infection.
- Identify the Entry Point: Check for any alerts from active monitoring platforms and identify the ransomware by scanning encrypted files and ransom notes.
- Prioritize Restoration: Restore the most critical systems first, followed by the eradication of the threat from the network.
- Restore from Backup: If a backup is available, restore the systems from it. Otherwise, explore decryption options.
Notable Ransomwares
- Akira Ransomware: A notable ransomware variant known for its sophisticated encryption techniques.
- LockBit Ransomware: A highly effective ransomware that targets enterprises and demands large ransoms.
- CryptoLocker: Credited with kick-starting the modern age of ransomware in 2013 by encrypting files and demanding payment for decryption.
- WannaCry: A cryptoworm that attacked over 200,000 computers in 150 countries in 2017, causing widespread disruption.
- Petya and NotPetya: Encrypts the file system table, rendering computers unable to boot and causing significant operational disruptions.
- Ryuk: Popularized big-game ransomware attacks against high-value targets, demanding substantial ransoms.
- DarkSide: Responsible for the Colonial Pipeline attack in 2021, causing major fuel supply disruptions in the U.S.
- Locky: Uses macros in email attachments to infect devices, spreading rapidly through phishing emails.
- REvil: Known for big-game hunting and double-extortion attacks, demanding ransoms and threatening to leak stolen data.
- Conti: Operated a Ransomware as a Service (RaaS) scheme, using double-extortion tactics to maximize impact and ransom payments.
How does Ransomware Infect Systems?
- Phishing: Phishing is a type of cyberattack that uses social engineering tricks to deceive victims into downloading ransomware through malicious attachments or links. Social engineering involves psychological manipulation to trick users into making security mistakes or revealing sensitive information.
- Exploiting Vulnerabilities: Ransomware exploits existing or zero-day vulnerabilities to inject itself into systems.
- Credential Theft: Ransomware can steal authorized user credentials to deploy itself within a network.
- Other Malware: Ransomware can use other malware, such as Trojans, to spread within a system.
- Drive-by Downloads: Ransomware can infect devices through compromised websites via drive-by downloads.
- Ransomware as a Service (RaaS): Ransomware as a Service (RaaS) allows cybercriminals to use ransomware developed by others in exchange for a share of the ransom.
Cybersecurity Dealings
Agencies and Initiatives in India
- Indian Computer Emergency Team (CERT-In): CERT-In is the national nodal agency for responding to computer security incidents as and when they occur. It has been operational since January 2004 and serves the Indian Cyber Community.
- National Cyber Security Coordinator: The National Cyber Security Coordinator, under the National Security Council Secretariat, coordinates with different agencies at the national level on cybersecurity issues.
- National Critical Information Infrastructure Protection Centre: The National Critical Information Infrastructure Protection Centre has been set up for the protection of national critical information infrastructure.
- Cyber Swachhta Kendra: The Cyber Swachhta Kendra is a Botnet Cleaning and Malware Analysis Centre launched for the detection of malicious software programs and to provide free tools to remove them.
- National Cyber Coordination Centre: The National Cyber Coordination Centre works on creating awareness about existing and potential threats.
- Cyber Crisis Management Plan: The government has formulated a Cyber Crisis Management Plan for countering cyber-attacks.
Legal Framework for Ransomware Attacks
- Offences Under IPC and IT Act: Ransomware attacks constitute various offences under the Indian Penal Code 1860 and the Information Technology (IT) Act 2000.
- Relevant Provisions of IT Act:
- Section 43 and 66: Damage to computer/system.
- Section 65: Tampering with computer source documents.
- Section 66D: Cheating by personation.
- Relevant Provisions of IT Act:
- IT Rules: Corporate bodies holding sensitive personal data must implement reasonable security practices.
- Punishment Under IT Act: The punishment for ransomware attacks under the IT Act ranges from imprisonment for a term of three years to seven years and a fine of up to Rs. 1 crore.
- Ransomware Task Force (RTF): It is a specialised unit within India’s National Cyber Security Coordinator (NCSC) organisation. It serves as a central point of contact for victims of ransomware attacks, providing assistance with investigation, recovery, and prevention efforts.
- Cybersecurity Framework for Indian Banking Sector:
- RBI Guidelines: The Cybersecurity Framework for the Indian Banking Sector, 2018, issued by the RBI, provides specific guidelines for banks and financial institutions to protect against cyber threats, including ransomware attacks.
- Mandated Measures: It mandates banks to implement robust cybersecurity measures, such as multi-factor authentication, encryption, and regular security audits.
- RBI Guidelines: The Cybersecurity Framework for the Indian Banking Sector, 2018, issued by the RBI, provides specific guidelines for banks and financial institutions to protect against cyber threats, including ransomware attacks.
Challenges in Overcoming the Ransomware Threat
- Evolving Threat Landscape: Ransomware tactics are constantly evolving, making it difficult for organizations to keep up with new threats and vulnerabilities.
- Detection and Response Speed: The rapid deployment of ransomware once hackers gain access to a network leaves organizations with little time to detect and respond effectively.
- Complexity of Attacks: Modern ransomware attacks often involve double or triple extortion tactics, increasing the complexity and impact of the attacks.
- Resource Constraints: Many organizations, especially smaller ones, lack the necessary resources and expertise to implement robust cybersecurity measures.
- Supply Chain Vulnerabilities: Attacks on supply chains can have widespread effects, as seen with the rise in supply-chain attacks affecting multiple organizations simultaneously.
- Cryptocurrency Anonymity: The use of cryptocurrencies for ransom payments makes it challenging to trace and prevent ransom transactions.
Way forward
- Cybersecurity Enhancements:
- Robust Measures: Banks and technology service providers must implement robust cybersecurity measures, including endpoint protection, network security, data backup, and employee training.
- Threat Detection: Improved threat detection and prevention have led to an 11.5% decline in ransomware infections between 2022 and 2023.
- Centralised Platform: Establish a centralised platform for sharing threat intelligence among banks and financial institutions.
- Data Backup and Recovery:
- Backup Procedures: Implement robust data backup and recovery procedures, including offline backups.
- Business Continuity: Develop comprehensive business continuity plans to ensure minimal disruption in case of a cyberattack.
- Enhanced Security Standards:
- Security Assessments: Conduct rigorous security assessments of third-party vendors and partners.
- Incident Response: Improve incident response capabilities to minimize the impact of cyberattacks.
- Certifications: Obtain relevant cybersecurity certifications to demonstrate commitment to security.
- Best Practices Recommended by CERT-In:
- Offline Backups: Maintain regular offline data backups with encryption.
- Strong Passwords: All accounts should have strong and unique passwords and a lockout policy.
- Multi-Factor Authentication: Implement multi-factor authentication for all services.
- Disable Remote Desktop: Disable remote desktop connections.
- RDP Logging: Have proper Remote Desktop Protocol logging and configuration, and a spam-proof email validation system.
- Anti-Virus Software: Ensure anti-virus software is updated.
- Email Safety: Users must not open attachments or URL links in uninvited emails.
Conclusion
Ransomware attacks pose a significant and evolving threat to organizations worldwide, causing substantial financial losses and operational disruptions. The rapid deployment and sophisticated tactics of modern ransomware necessitate robust cybersecurity measures, including advanced threat detection, comprehensive data backup and recovery plans, and stringent security standards. Collaboration and information sharing among institutions, along with adherence to best practices and legal frameworks, are crucial in mitigating the impact of these attacks. As cyber threats continue to evolve, a proactive and adaptive approach to cybersecurity is essential to safeguard critical infrastructure and sensitive data.
References: IE
Related PYQ
What are the different elements of cyber security? Keeping in view the challenges in cyber security, examine the extent to which India has successfully developed a comprehensive National Cyber Security Strategy. (UPSC CSE – 2022 Mains)
Practice Question
Analyze the impact of ransomware attacks on the banking ecosystem and suggest measures that organizations can implement to mitigate these risks. [250 words]