Explained | Are ransomware attacks increasing in India?

Devesh K. Pandey, Arnabjit Sur
What happened at the All-India Institute of Medical Sciences? How does a ransomware infect a computer? How many organisations in India are working toward cyber-crime responses and prevention? 

The story so far: On November 23, e-services at the All-India Institute of Medical Sciences (AIIMS) were crippled by what is suspected to be a ransomware attack. The Delhi Police's Intelligence Fusion & Strategic Operations unit has registered a case and launched an investigation to identify the perpetrators, while cyber security experts are using software tools for data recovery; they have been able to retrieve a significant number of files. However, pending sanitisation of the entire network and its nodes, all hospital services are currently being run manually. AIIMS has a Local Area Network of more than 6,500 computers supporting the institute, its hospital, centres and other departments. While a probe is underway to determine whether essential safety protocols were in place, measures are being taken to thwart any such attack in the future.

What is ransomware?

Ransomware is malicious software, used by cyber criminals, that blocks access to the data stored on an infected computer system, typically by encrypting the files. A ransom is then demanded from the owner in exchange for the decryption key.

While it is not yet clear exactly how the AIIMS computer systems were targeted, such malware is usually delivered remotely: most often by tricking a user into downloading it by clicking an ostensibly safe web link sent via email or other means, or by directly breaking into an exposed system. Once inside, it can spread throughout the network by exploiting existing vulnerabilities. Ransomware attacks can also be accompanied by theft of sensitive data, which can then be used for further extortion or other sinister motives.

How serious are ransomware attacks?

Preliminary findings by cyber experts have indicated that at least five AIIMS servers, hosting data on more than three crore (30 million) patients, were compromised. In India, several ransomware attacks targeting commercial and critical infrastructure have been reported in the recent past: in May, SpiceJet faced such a threat, while the public sector undertaking Oil India was targeted on April 10. Cybersecurity firm Trellix, in its third-quarter global report, identified 25 major ransomware families in circulation. According to Interpol's first-ever Global Crime Trend report, presented at its 90th General Assembly meeting in Delhi this October, ransomware was the second highest-ranking threat after money laundering, at 66%, and is also the threat expected to increase the most (72%).

Which agencies in India deal with cyber-attacks?

Set up in 2004, the Indian Computer Emergency Response Team (CERT-In) is the national nodal agency that collects, analyses and circulates inputs on cyber-attacks; issues guidelines, advisories for preventive measures, forecasts and issues alerts; and takes measures to handle any significant cyber security event. It also imparts training to computer system managers. The National Cyber Security Coordinator, under the National Security Council Secretariat, coordinates with different agencies at the national level on cybersecurity issues, while the National Critical Information Infrastructure Protection Centre has been set up for the protection of national critical information infrastructure. According to the government, the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) has been launched for detection of malicious software programmes and to provide free tools to remove the same, while the National Cyber Coordination Centre works on creating awareness about existing and potential threats.

What are the best practices recommended by CERT-In?

Maintain regular offline data backups; the backups should be encrypted and immutable, and should cover the organisation's entire data infrastructure. Regularly verify the integrity of data and of code/scripts. All accounts should have strong, unique passwords, backed by an account lockout policy and, to the extent possible, multi-factor authentication for every service. Keep the administrative network separate from business processes, using physical controls and Virtual Local Area Networks, and allow no unnecessary access to administrative shares: a host-based firewall should permit connections to such shares over Server Message Block (SMB) only from a limited set of administrator machines. Disable Remote Desktop Protocol (RDP) connections where they are not required; where they are, use least-privileged accounts for remote desktop access and ensure proper RDP logging and configuration. Use a spam-filtering email validation system, keep anti-virus software updated and use secure web browsers. Users must not open attachments or URL links (even ostensibly benign ones) in unsolicited e-mails.
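The host-level items in that list (SMB access to administrative shares only from a few administrator machines, RDP disabled unless needed, an account lockout policy, and logon/RDP logging) can be applied on a Windows host with the script below. This is an added example written for this page, not a script published by CERT-In or AIIMS; the administrator host addresses and the `$NeedsRdp` switch are placeholder assumptions, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from CERT-In): applying the host-hardening advice above on Windows.
# Run as Administrator. Addresses below are assumed placeholders for the admin/jump hosts.

$AdminHosts = @('10.10.5.10', '10.10.5.11')   # assumption: the only machines allowed to reach admin shares
$NeedsRdp   = $false                           # assumption: this host does not need Remote Desktop

# 1. Default-deny inbound on all profiles. Windows Firewall evaluates explicit Block rules before
#    Allow rules, so "block 445 from everyone + allow 445 from admins" would block the admins too.
#    The correct pattern is a Block default action plus a narrowly scoped Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Retire the built-in, unscoped "File and Printer Sharing" rules: they allow TCP 445 from any address.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# 3. Allow SMB (TCP 445) inbound only from the administrator machines.
New-NetFirewallRule -DisplayName 'SMB admin shares from admin hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow | Out-Null

# 4. Remote Desktop: off unless required; if required, require Network Level Authentication
#    and scope the built-in RDP firewall rules to the same admin hosts.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if (-not $NeedsRdp) {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1          # 1 = deny RDP connections
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
} else {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1   # NLA on
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminHosts
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# 5. Account lockout policy (local policy: 5 bad attempts, 30 min lockout, 30 min observation window)
#    and the audit subcategories that record RDP/interactive logons and lockouts in the Security log.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# 6. Verify: list every enabled inbound Allow rule that still opens TCP 445 and the addresses it accepts.
#    After the steps above only the admin-hosts rule should appear.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        $from = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0}: from {1}' -f $_.DisplayName, $from
    }
```

The verification step at the end is the check worth keeping in a scheduled job: any rule it prints with `from Any` means SMB is once again reachable from the whole network, which is exactly the lateral-movement path the advisory is trying to close. In a domain, the same settings are better pushed through Group Policy than set per host, but the rule-precedence point (default-deny plus scoped allow, never a blanket block rule) is the same there.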
