Hacked and helpless

Ransomware is the new clear and present danger, and India is in the bull's eye of hackers. At risk of exposure is the personal, military and health data of millions.

On January 23, the dark web erupted with a fresh claim, as BASHE, a shadowy ransomware group with a reputation for striking high-value targets, declared it had breached ICICI Bank. As one of India’s largest private sector banks, ICICI serves millions of customers both domestically and across the global NRI community—a vast repository of financial and personal data now allegedly at risk.

BASHE boasted of accessing sensitive customer information: account details, transaction histories, and KYC documents, all of which are tools to fuel identity theft and financial fraud. The bank was put on notice: pay up by January 24 or the data goes public. ICICI Bank has maintained a stoic silence, declining to confirm or deny the breach, even as the hackers pushed the deadline to January 31. No further information was available from ICICI at the time of going to print.

Own a business? Or head a large corporation, hospital or military base? You are only as safe as your firewall. According to cybersafety researchers, one ransomware attack was estimated to occur every 11 seconds in 2021, causing about $20 billion in damages. India was hit with its first major ransomware attack in 2017. The software was WannaCry, a ransomware program that affected around 150 countries; India was among the top five worst hit.

Computer outages were reported in banks and organisations in Kerala, Kolkata, Gujarat and Andhra Pradesh. The Andhra Pradesh Police, the Gujarat State Wide Area Network and the West Bengal Electricity Distribution Company were also blackmailed by hackers.

How does ransomware work?

• The Threat Actor (hacker) gains access to the victim's server using phishing, malware etc.

• Once the infiltration is successful, the hackers search the network for sensitive data.

• The ransomware gang then carries out exfiltration: the unauthorised transfer of sensitive data from the target system to a separate location.

• The ransomware is uploaded.

• System data is encrypted and the victim is denied access to it.

• The ransom demand is made; if it is met, the information could be returned via a decryption key. No payoff means the hacker will leak the information, or even destroy or sell it.

Where no backups exist, the consequences are serious. There is no guarantee either of getting the data back. Once Threat Actors access a system, they inject malware like Ryuk or LockBit, which automatically encrypts all data on the server. Encryption transforms the original data into an unreadable format (plain text converted into complex strings of characters) that can be reverted to its original state only with a unique decryption key. Without it, the victim loses access. Individuals could lose sensitive personal information, such as photos or financial records, forever.

Ransomware attacks were the single largest cyber threat to Indians in 2024, and continue to be so. CloudSEK, a Bengaluru-based cybersecurity and research firm, places India as the second most affected country after America, and the fifth most hit by ransomware attacks after the USA, United Kingdom, Canada and Germany. Meanwhile, CyberPeace Foundation mapped a 55 per cent increase in ransomware attacks targeting India, from 63 incidents reported in 2023 to 98 in 2024. It further observed that the industrial sector was the most frequently targeted, accounting for 75 per cent of the total incidents. The figure is 12 per cent for the healthcare sector, 10 per cent for finance and three per cent for government. Attacks are against both individuals and companies. LockBit remains the most active ransomware family acting against India, accounting for 23.33 per cent of ransomware attacks so far, according to ThreatLabz. Globally, LockBit accounted for 22 per cent of Indian ransomware incidents. BianLian is in second place, responsible for 16.67 per cent of attacks. BlackCat, aka ALPHV, was responsible for 11.67 per cent of ransomware incidents in India and 9 per cent globally. Its programming allows it to target both Windows and Linux.

UPPING THE ANTE: With law enforcement snapping at their heels, hackers are constantly upgrading their techniques. 2023 was a “watershed year” for ransomware, with over $1 billion forked out, according to Chainalysis, a blockchain data research firm. Ransom payments are typically made in cryptocurrency, mostly Bitcoin, and have grown from $220 million in 2019 to $1.1 billion in 2023.

The ransomware attack on AIIMS in 2023 was one of the largest in India and crippled the health giant. The hackers targeted its OPD system, which stores relevant patient and medical information. They captured the network and encrypted the data, blocking the hospital from accessing its own system. The worst hit were the patients: no new admissions and no follow-up OPD visits were possible, because medical histories were unavailable. Independent dark web researchers learned the attacker was the LockBit hacker group, which demanded a ransom of ₹200 crore. This attack led to the formation of a new Standard Operating Procedure for Indian entities hit by ransomware.

Says Koushik Pal, Threat Researcher with CloudSEK, a Bengaluru-based cybersecurity solutions and research firm, “The AIIMS incident caused significant disruptions to critical services such as emergency care and access to medical history. Such attacks can potentially lead to large-scale loss of life.” Pal has a background in digital forensics and incident response. His expertise is “adversary engagement and hunting”—a sort of cyber detective work. “I infiltrate and negotiate with cybercriminal groups to understand their motives, methods, and operational intricacies,” he explains. Some ransomware attacks have a political or international espionage agenda. “For instance, state-sponsored adversaries like from China, which has a known history of developing biological agents in laboratories, could potentially misuse stolen data for biowarfare,” he says.

A veteran cyber threat researcher who works with India's Central government says, “We’re tracking frequent attempts by ransomware against India by hacker groups based in or aligned with Bangladesh. The same was observed when a leading Indian political leader had made inflammatory comments that had angered an entire community. Warfare moved online years ago.”

TARGET INDIA: Saumay Srivastava, an independent Threat Intelligence Researcher who often works in collaboration with Indian law enforcement, flags the ransomware group KillSec as a digital killer. Active since at least 2023, KillSec seems to be particularly interested in India, causing the networks of banks, hospitals, and IT firms to crash and exposing sensitive data. It sent a sophisticated phishing email to Apollo Hospital in October 2024. When opened, it showed a text document demanding a ransom to decrypt. Some attacks are accompanied by a countdown timer, warning victims that sensitive data will go public if the blackmailer is not paid on time. “Victims have the choice to pay up or risk the permanent loss of data and reputation,” explains Srivastava. In the AIIMS case, stolen data included sensitive medical records of thousands of patients, including high-profile individuals like politicians, celebrities, and diplomats. This could have led to identity theft, insurance fraud, and targeted harassment of individuals based on their medical history. Till date, 32 Indian entities have fallen prey to KillSec, including the police of Kerala and Delhi, Apollo Hospital, Fortis, and Tele Health Center, education platforms like Extra Marks, e-commerce and retail businesses like Gehna India, Auto Dukan, and Poorvika, and financial services like Buddy Loan, PBG Bank, and Rupi Card. Tech and service providers like NoBroker, ShipKar, and ViralPitch, and travel and lifestyle companies like Trip XOXO and Bliss Worldwide were also penetrated. The details of the negotiations or amounts paid are top secret. No ransomware criminal has been arrested in India either.

TOOLS AND TARGETS: The tools of ransomware are many: phishing emails, visits to corrupted websites, and downloads of infected file extensions or malicious attachments. Remote desktop protocol (RDP) attacks use brute forcing: hackers use automated software to guess computer passwords by trial and error. Among the most used categories of ransomware are Lockers, which render your computer useless; Scareware, which bullies users into buying software to stop pop-ups from flooding the screen; and Doxware/Leakware, which threatens to leak personal or company information unless money is paid. Threat Actors range from amateur hackers to highly organised cybercrime syndicates. Payments are often made in untraceable cryptocurrency, in exchange for restoring access to the victim’s encrypted data. Most of the time, ransomware attacks target corporations, the bigger the better. Their servers are harder to hack, but the payoff runs into crores. Organisations have scores of employees, which means a higher number of entry points to the system: official emails, computers and cell phones. A major military outfit suffered a ransomware attack in 2023, according to the 2023-24 annual report of the Department of Personnel and Training. The CBI investigation showed “a ransomware attack on a crucial defense unit, a data breach impacting millions of Indian users, a malware attack in a Ministry, and a massive DDOS attack on critical infrastructure and airports in India.” DDoS is short for Distributed Denial-of-Service, an internet disruption term.
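The brute forcing of RDP logins mentioned above leaves a recognisable trace on the defender's side: a burst of failed logons from one source address, often against many different account names, sometimes followed by a success once a password is guessed. The script below is an added illustration of that detection logic and is not code from the article or from any firm quoted in it. The log records it reads are constructed for the example and loosely imitate Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the pipe-delimited field layout is an assumption made here, not the real event format.

```python
"""Flag RDP password-guessing from failed-logon records (added example).

Records are constructed for this illustration in the form
"timestamp|event_id|logon_type|user|source_ip". Event 4625 is a failed
logon, 4624 a successful one; logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one noisy source guessing many accounts, one
# user mistyping a password twice, and one local (non-RDP) failure.
SAMPLE_LOG = """\
2024-10-03T09:00:01|4625|10|administrator|203.0.113.9
2024-10-03T09:00:02|4625|10|admin|203.0.113.9
2024-10-03T09:00:03|4625|10|backup|203.0.113.9
2024-10-03T09:00:04|4625|10|root|203.0.113.9
2024-10-03T09:00:05|4625|10|test|203.0.113.9
2024-10-03T09:00:06|4625|10|guest|203.0.113.9
2024-10-03T09:00:07|4624|10|administrator|203.0.113.9
2024-10-03T09:05:00|4625|10|rsharma|198.51.100.7
2024-10-03T09:20:00|4625|10|rsharma|198.51.100.7
2024-10-03T09:21:00|4625|2|rsharma|127.0.0.1
"""


def parse_records(text):
    """Parse the pipe-delimited constructed records into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return records


def find_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed RDP logons inside a sliding time window.

    The details record the size of the largest burst, how many distinct
    account names were tried, and whether a successful RDP logon from the
    same source followed the burst (the most urgent signal: a password
    was probably guessed and the access should be treated as hostile).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for r in records:
        if r["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest
        if r["event_id"] == 4625:
            failures[r["src"]].append(r)
        elif r["event_id"] == 4624:
            successes[r["src"]].append(r["ts"])

    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        best = []
        start = 0
        # Sliding window: keep [start, end] within `window` and remember
        # the largest run of failures seen for this source.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) >= threshold:
            last = best[-1]["ts"]
            alerts[src] = {
                "failed_logons": len(best),
                "distinct_users": len({r["user"] for r in best}),
                "success_after_burst": any(t >= last for t in successes[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(parse_records(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed input only 203.0.113.9 is flagged: six failures across six account names inside a few seconds, then a successful logon. The two spaced-out failures from 198.51.100.7 stay below the threshold, and the local logon type 2 event is ignored. Tuning the threshold and window to the environment matters; a lockout policy and network-level restriction of RDP are the corresponding preventive controls.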

BITCOIN BLUES: Despite its early success in extortion, ransomware had one major vulnerability: the same key was used to encrypt and decrypt the hacked files. During a ransomware attack on a company, a researcher reverse-engineered the Trojan, which was disguised as a legitimate file the user was tricked into downloading, and found the decryption key. No data stolen, no ransom paid! It was only after the arrival of cryptocurrency, particularly Bitcoin, that ransomware expanded globally into a booming industry by the late 2010s. The decentralised nature of blockchain technology, which allows transactions to be conducted without intermediaries like banks, makes ransom payments harder to track. Previously, ransomware involved encrypting a victim’s data and demanding a ransom for the decryption key. With data exfiltration, however, attackers also steal sensitive data such as personal information, financial records, or proprietary business data for sale. This approach, known as ‘double dipping’, has opened up new avenues for blackmail.

DATA IN THE DARK: Over the years, ransomware gangs have become organised, with their own dark web pages and blogs, names and examples. A typical post on a ransomware blog may read something like, “We have successfully encrypted all data from [organisation]. Pay within 72 hours, or we will publish sensitive information.” These platforms not only list the names of victims but also provide sample files as proof, further pressuring organisations to comply. In India, ransomware incidents are reported to the Indian Computer Emergency Response Team (CERT-In), which works in coordination with law enforcement agencies such as the Cyber Crime Unit of the Ministry of Home Affairs. First, the affected organisation files an FIR or reaches out to CERT-In for technical assistance. The matter escalates to a crisis response team that includes cybersecurity experts, decision-makers, and law enforcement representatives. Ultimately, the call to pay or not pay the ransom is made by the organisation’s leadership, in consultation with cybersecurity advisors, law enforcement, and legal teams. If the ransom negotiations fail, or if the ransom is not paid by the time a visible-to-all online timer runs out, the data is put on sale to the highest bidder on dark web chat forums that also double as virtual black markets, where the costliest commodity is data. Sometimes it is dumped online for all to download and misuse, as was the case with Tata Power in October 2022. It was hacked by the Hive ransomware group; the negotiations, which went on for ten days, failed. Subsequently, at around 6.30 pm on October 26, 2022, Hive dumped all the data on its blog, which included financial and personal details of employees and details of batteries and diagrams of power grids.

Says Pal, “There are three main categories of ransomware operators. The first encompasses skilled and motivated cybercriminals who encrypt files and threaten to expose or sell confidential data if the ransom remains unpaid. The second category includes cybercriminals who lack the expertise to encrypt files but can steal them. The third category consists of cybercriminals who lack hacking skills altogether. Driven solely by greed, they establish affiliate schemes, inviting individuals with privately exfiltrated data to extort companies. These groups often repurpose old data leaks, presenting them as new to establish credibility.” An unnamed response specialist recalls, “I was working on a case where a financial services company was contacted by a threat actor, who sent a small sample of customer data and claimed he had the entire stash. Something about his demeanour made me suspicious. I wanted to call his bluff but the company was in panic and wanted a quick resolution. They were willing to pay the seven-figure ransom. I asked for three days and spent most of it on my computer, combing through the dark web until I found the actual source of the shared sample. It was an old data leak from one of the target company’s many subsidiaries, manipulated to look like a fresh data breach. The threat actor had simply bought it from someone.”

On the dark web, names, contact details and personal information like Aadhaar or PAN numbers are hacked and sold. This data is repurposed for other cybercrimes like impersonation and phishing. Says Mumbai-based cyber investigator Ritesh Bhatia, who works as an incident response specialist for ransomware attacks, “If an insurance company’s data gets breached in a ransomware attack, cybercriminals contact the company’s customers posing as company executives. Any number of cons can be perpetrated because the cybercriminals are able to rattle off personal details of the customers to win their confidence.” Specialists like Bhatia and Pal are often called in when an organisation has already been infected by a ransomware attack. One wrong step can provoke the attackers, potentially leading them to escalate their threats or release more data. “A key part of the process in negotiations is to maintain extreme caution. Time zone differences and the attackers’ unpredictable behaviour add layers of complexity. We have to request multiple data samples to validate their claims and ensure the ransom demand is justified. Businesses often face a grim choice: pay the ransom or risk losing critical data that their operations rely on. Even after payment in cryptocurrency, there’s always the risk that the attackers won’t provide the decryption key, leaving the organisation in a worse position,” says Bhatia. It is not uncommon for Threat Actors to resort to humiliation, targeting the victim’s nationality, religion, or cultural identity; negotiations require extreme patience.

DISHONOUR AMONG THIEVES: It was only in 2022 that CERT-In published its first India Ransomware Report. The Ministry of Electronics and Information Technology (MeitY), too, published its first white paper, titled Ransomware Attack: An Evolving Targetted Threat, only in 2023. “Accelerated digital transformation, particularly after the Covid-19 pandemic, has outpaced the development of robust cybersecurity infrastructure. Many organisations, including the government and public sector, rely on legacy IT systems which are vulnerable to cyberattacks,” says Additional Director General Brijesh Singh, a cyber expert who was the first head of Maharashtra’s Cyber investigation department.

A ‘service model’ exists among threat actors who farm out services. Malware developed by one hacker could be used for a limited time by others in exchange for a fee. It didn’t take long after that for RaaS, or Ransomware as a Service, to take shape. Explains Pal, “Looking at the success of individual attacks, cybercriminals started Ransomware-as-a-service, with affiliate rules and percentage splits. They invite like-minded individuals who adhere to the affiliate rules to attack enterprises. Each group has its own set of rules of engagement and affiliate qualifications.”

Bhatia simplifies the process: “Imagine a skilled hacker who has developed extremely potent ransomware. But he doesn’t, for whatever reason, want to go through the whole process of conducting research, setting up false identities, sending out phishing links via email or other modes of communication and so on and so forth to infect a server. He can simply offer his ransomware to other threat actors for a fee, sit back and reap the profits.” Over time, RaaS gangs started offering not just their technical expertise but also other services, like negotiation, with different packages tailored to suit different needs. Citing an example, Srivastava says, “KillSec charges $250 for using its entire operation as a service and takes 12 per cent of the ransom money that its client makes. This makes it easier for people with little technical knowledge to carry out ransomware attacks, which increases its impact not only in India but also globally.” Pal has an important side note to add. “Ransomware operators play by a code. Most of them refrain from targeting critical infrastructure and hospitals, but KillSec has targeted Indian hospitals in the past,” he says.

Why, then, do we not hear about ransomware as a threat to India more often? Military sites are vulnerable too, making it crucial to protect defense data from ransomware attacks. Says Ronita Sengupta, Club Chief Corporate Development Officer at GTT Solutions, “Corporates tend to play safe by their culture of silence, but in today's world it doesn't work, especially with cyber threats and cyber crimes. In the initial hours of a cyberattack, the focus should be on establishing a Crisis Response Taskforce with representatives from top management, legal, IT, and the official PR agency to streamline decision making and craft official communications.”

With technology making rapid strides on both sides of the ethics line, will humanity itself be held at ransom, is a question worth posing.

The New Indian Express
www.newindianexpress.com