Among the top cyber-threats of today are ransomware and distributed denial of service (DDoS) attacks, much as they have been over the past decade. Along the way, they have grown in sophistication, and their success rate has spawned a flourishing ecosystem. Ransomware as a Service (RaaS), the subscription-based business model, has been around for many years now, but has become a more sophisticated ecosystem with the addition of new subsets such as negotiators, threat intelligence analysts and public relations specialists.[1]
Ransomware attacks have devastating consequences for their victims, who have ranged from small companies, to large corporations to entire countries. Critical sectors such as energy, healthcare and transportation are heavily targeted since these sectors are under pressure to get their systems back online, and attacks on them can have cascading effects. Whilst a majority of attacks have been carried out by criminal elements, rogue nation-states have also carried out such attacks, to cause disruption in countries they consider hostile, or to mask their espionage activities. Knowing the antecedents of the attackers in the immediate aftermath of an attack is not easy, given the scope for misrepresentation in cyberspace.
The AIIMS ransomware attack in November 2022 is a case in point. Five AIIMS servers containing 1.3 terabytes of data were encrypted, leading to a complete breakdown in online services, including registration of patients, out-patient registrations and laboratory services. According to news reports, over 4 million patient records were also compromised. It took more than two weeks to fully restore services, as more than 4,000 computers had to be scrubbed free of malware.
The Indian Computer Emergency Response Team (CERT-IN), Intelligence Fusion and Strategic Operations (IFSO) of Delhi Police, Indian Cybercrime Coordination Centre (ICCC), Intelligence Bureau (IB), Central Bureau of Investigation (CBI), National Forensic Sciences University, National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Investigation Agency (NIA) were roped in to investigate the attack.[2]
The IFSO requested the CBI to write to INTERPOL to get details about IP addresses “of email IDs from Henan in China and Hong Kong that were used to launch the cyber-attack”.[3] The Delhi Police also filed a case under Section 66(F) of the IT Amendment Act 2008, which deals with cyber terrorism.[4]
While the jury is still out on who was responsible for the attack, this episode brings out the need for more capacity-building as attacks grow more complex, the need for information sharing, both domestically and internationally, and the need for legal frameworks that take cognizance of attacks which are in a different category from run-of-the-mill attacks. According to Lt Gen Rajesh Pant (Retd), National Cyber Security Co-ordinator at the time of the attack, it brought out several lacunae in the existing national cyber security framework and incident response mechanism. He also called for the setting up of a nodal ministry to co-ordinate responses.[5]
In terms of international cooperation, for a brief period, it looked as if the ransomware threat had been dealt a crushing blow when the United States took a number of initiatives along with cybersecurity companies to take down the infrastructure of the major ransomware gangs. Happening just before the Russia–Ukraine war, this also saw some cooperation from the Russian government by way of arrests. However, these gangs have resurfaced subsequently and also rebuilt their infrastructure.
The United States also led efforts to create an International Counter Ransomware Initiative (ICRI) in 2021, holding a virtual meeting of 37 countries. An overwhelming majority of the participants were from Europe, with a smattering from the rest of the world. The participants vowed to “increase the resilience of all CRI partners, disrupt cyber criminals, counter illicit finance, build private sector partnerships, and cooperate globally to address this challenge”. Five working groups were also established in different areas: resilience (co-led by Lithuania and India), disruption (led by Australia), counter illicit finance (led by the UK and Singapore), public-private partnership (led by Spain), and diplomacy (led by Germany).
A second summit was convened by the White House in 2022, with the addition of Belgium. Among the initiatives announced after this meeting were the establishment of an International Counter Ransomware Task Force (ICRTF) led by Australia with the mandate to “coordinate resilience, disruption, and counter illicit finance activities”, the creation of a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, Lithuania, to share technical information, and the creation of an investigator’s toolkit to help law enforcement authorities. The participating countries also undertook to hold biannual counter-ransomware exercises.
A third iteration of the summit is expected to take place at the end of October 2023 with a substantially expanded cohort of countries numbering around forty-seven. According to reports, the US is expected to urge countries to publicly commit to not paying ransom.[6] This assumes significance since attacks on government networks and systems have been increasing exponentially. Just in the past month, Sri Lanka and Colombia have faced disruptions after their networks were struck by ransomware. Prior to that, Costa Rica saw its government functioning come to a standstill after a ransomware attack targeted nearly 30 ministries and government agencies. Though it did not pay any ransom, the continued disruption to its services led to estimated economic losses of US$ 30 million a day and the declaration of a state of emergency by the President.
Whilst large and small countries are equally vulnerable to ransomware and other cyber-attacks, the latter have far fewer resources and less capacity to withstand the debilitating effects of these attacks, as seen in the case of Costa Rica, which had to ask for assistance from the US, Spain and Microsoft to help defend against these attacks.[7] Subsequently, the US provided US$ 25 million to strengthen Costa Rica’s cybersecurity.[8]
At the national level, there is a need to formulate a ransomware strategy, since this cybercrime threat affects governments, businesses and individuals. Going by the adage “if you can’t measure it, you can’t manage it”, the current incident reporting scheme should prioritise reporting of ransomware attacks in their entirety, incorporating data on attackers, actions taken and resolution. As the response to the AIIMS ransomware attack showed, multiple agencies will inevitably be involved in investigation efforts, and a multi-agency task force with expertise on ransomware could be put in place based on the learnings from this incident. A single point for complaints would also ensure a quicker response and faster mitigation and handholding, especially for small and medium enterprises, when it comes to dealing with ransomware demands.
While the efforts of the ICRI are laudable, three years on, it hardly seems to have made a dent in the tsunami of ransomware attacks taking place around the world, and the forthcoming meeting should provide an opportunity for introspection on just why that is so. Pious pledges not to pay ransom on the part of countries will not achieve much unless they are accompanied by more vigorous efforts to battle the scourge of ransomware. If this model of cooperation works, it could provide a template for a focused response to other threats in the cyber realm.
Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.