Because ransomware attacks in the region are surging, India's Computer Emergency Response Team, or CERT-In, has issued an advisory offering tips on preventing ransomware infections and responding to attacks.
For example, CERT-In urges adoption of high-end encryption to protect backed-up data. It also says organizations should never pay a ransom because this doesn't guarantee release of the files, and it stresses the importance of reporting attacks immediately to law enforcement agencies.
Too many organizations still lack a proactive approach to complete recommended patches, adhere to alerts and take other steps to prevent an incident.
Ransomware attacks are affecting financial institutions, other businesses and academic institutions throughout India.
The most prevalent and destructive ransomware in India includes cryptolocker, TeslaCrypt, Locky and Cerber. Many attacks involve encrypting data and demanding a ransom, often in bitcoin, to decrypt it.
Among the recent ransomware attacks:
- The Cosmos Bank website was attacked by Cerber ransomware. Quick Heal discovered the infection while analyzing telemetry information collected from its own users, and found the website was compromised by RIG Exploit Kit used as a carrier of Cerber ransomware.
- The website of India's state-owned oil and gas company, HPCL, was compromised by a series of attacks by the pseudo-Darkleech campaign, which exposes users to Nemucod malware that, in turn, downloads Cerber ransomware onto their machines.
- Kaspersky Lab reports that from March to May 2016 alone, 11,674 Indian individuals were attacked by TeslaCrypt ransomware and 564 by Locky ransomware.
- Last year, three banks in India and a pharmaceutical company were victims of ransomware, with attackers demanding ransom in bitcoins for decryption keys.
- A chartered accountant's office server was targeted by Cerber and the vector for attack was peer-to-peer software. C.N. Shashidhar, CEO at SecureIT, says ransomware infections on servers through peer-to-peer software are becoming widespread.
Steps to Take
CERT-In lists some remedial actions:
- Perform regular backups of critical information to limit the impact of data or systems loss;
- Check content of backup files of databases for any unauthorized encrypted contents of data records or external elements, such as backdoors/malicious scripts is critical;
- Ensure integrity of codes/scripts used in database, authentication and sensitive systems;
- Separate the administrative network from business processes with physical controls and virtual local area networks
In addition, many practitioners recommend investing in layered security that can help protect, detect and block ransomware attacks.
But do organizations take CERT-In advisories seriously? Do they really trigger preventive action?
Unfortunately, the impact of the advisories appears to be minimal. Too many organizations still lack a proactive approach to complete recommended patches, adhere to alerts and take other steps to prevent an incident. They just assume they will not fall victim.
Shashidhar says CERT-In's advisories help, but they need greater visibility and emphasis.
But I believe it's time for government to take a more aggressive approach and look for ways to force organizations to comply with CERT-In's guidelines.