
Cybersecurity experts reveal what exactly happened in the ransomware attacks that took down 300 banks

The recent ransomware attack that took down over 300 small Indian banks, disrupting ATM withdrawals and online payments, has been attributed to the notorious RansomEXX group.

According to a report by CloudSEK, C-Edge Technologies Ltd., a joint venture between Tata Consultancy Services Ltd. and State Bank of India, was hit with a sophisticated variant of the group's ransomware.

The attack primarily affected Brontoo Technology Solutions, a significant collaborator with C-Edge. Following the attack, Brontoo filed a report with CERT-In, the Indian Computer Emergency Response Team. CloudSEK's threat research team identified that the attack chain began with a misconfigured Jenkins server, which the attackers exploited.

Key Findings from the CloudSEK Report
CloudSEK's report highlighted several key findings. The ransomware group behind the attack is RansomEXX v2.0, notorious for targeting large organizations and demanding substantial ransom payments. The attack began with a misconfigured Jenkins server, exploited via CVE-2024-23897, an arbitrary file read flaw in the Jenkins command-line interface (CLI): its argument parser expands an `@` prefix followed by a path into the contents of that file on the controller, letting attackers read sensitive files such as credentials and secrets. The report states that the attackers used this foothold to obtain secure shell (SSH) access over port 22. This incident underscores the growing threat of supply chain attacks and the need for robust security measures across entire ecosystems.
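The practical first question for anyone running Jenkins after reading the above is whether their controller is in the affected range. The script below is an added example written for this article, not CloudSEK's or the Jenkins project's own tooling. It encodes the affected versions from the Jenkins security advisory for CVE-2024-23897 (weekly releases up to 2.441 and LTS releases up to 2.426.2; fixed in 2.442 and 2.426.3) and reads the version a controller advertises in its `X-Jenkins` response header. The `check_server` function is the only part that touches the network; everything else works offline on version strings.

```python
# Added example (not CloudSEK's or Jenkins' own tooling): decide whether a
# Jenkins controller's reported version falls inside the range affected by
# CVE-2024-23897, the arbitrary file read in the Jenkins CLI's args4j
# "@file" argument expansion. Per the Jenkins advisory, weekly releases up to
# 2.441 and LTS releases up to 2.426.2 are affected; 2.442 and 2.426.3 fix it.
import re
import urllib.request

WEEKLY_FIXED = (2, 442)      # first unaffected weekly release
LTS_FIXED = (2, 426, 3)      # first unaffected LTS release


def parse_version(version):
    """Parse '2.441' (weekly) or '2.426.2' (LTS) into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True if this Jenkins version is affected by CVE-2024-23897.

    LTS versions carry three components and are compared against the LTS
    fix; weekly versions carry two and are compared against the weekly fix.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < LTS_FIXED
    return parts < WEEKLY_FIXED


def version_from_header(headers):
    """Extract the version Jenkins advertises in its X-Jenkins header.

    `headers` is any mapping supporting .get() (the HTTPMessage returned by
    urllib looks up header names case-insensitively); None if absent.
    """
    value = headers.get("X-Jenkins")
    return value.strip() if value else None


def check_server(base_url, timeout=5):
    """Fetch the login page of a Jenkins controller and classify it.

    Network call; only run against hosts you are authorised to assess.
    Returns (version, affected), or (None, None) if no X-Jenkins header.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/login", method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        version = version_from_header(resp.headers)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(v, "AFFECTED" if is_affected(v) else "fixed")
```

Two caveats from the advisory are worth keeping in mind when interpreting a hit. The flaw can be reached by anyone who can talk to the CLI endpoint, but attackers holding Overall/Read permission (which the common "allow anonymous read access" setting hands to everyone) can read whole files, while others are limited to the first few lines. And what makes the bug a stepping stone to full compromise is that the readable files include the controller's own secrets, so patching, or disabling CLI access as the advisory describes, is the fix; tightening anonymous access alone only narrows the blast radius.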

RansomEXX v2.0 is an advanced variant of the RansomEXX ransomware known for its sophisticated techniques and high ransom demands. Initially known as Defray777, RansomEXX rebranded in 2020 and has since evolved to counter increasing defensive measures. This variant shows enhanced encryption techniques, evasion tactics, and payload delivery methods.

The infection vectors and tactics used by RansomEXX v2.0 are varied. Initial access vectors include phishing emails, exploitation of exposed Remote Desktop Protocol (RDP) services, and weaknesses in VPNs and other remote access services. After gaining initial access, the group uses tools such as Cobalt Strike and Mimikatz to harvest credentials and move laterally within the network, combining known exploits with stolen credentials to escalate privileges in the compromised environment.
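Credential theft with Mimikatz leaves a distinctive trace that defenders can key on: a process that is not part of Windows opening `lsass.exe` with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The detector below is an added example written for this article, not code from CloudSEK's report or from the incident; the Sysmon-style JSON records it scans are constructed for the demonstration, and the allowlist of benign source processes is an assumption you would replace with a baseline from your own fleet.

```python
# Added example (constructed data, not from the incident or CloudSEK's report):
# a minimal detector for Mimikatz-style credential dumping, which shows up in
# Sysmon Event ID 10 (ProcessAccess) as a non-system process opening
# lsass.exe with memory-read rights. Field names follow Sysmon's; the sample
# lines are made up for this demonstration.
import json

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that routinely open lsass.exe on a stock Windows host. This
# allowlist is an assumption for the example; tune it from your own baseline.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def is_suspicious_lsass_access(event):
    """Return True for a ProcessAccess event that looks like an LSASS dump.

    The rule: target is lsass.exe, the granted access mask includes
    PROCESS_VM_READ plus a query right (the 0x1010 / 0x1410 / 0x1FFFFF masks
    typical of Mimikatz and dump tools), and the source is not allowlisted.
    """
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    reads_memory = bool(granted & PROCESS_VM_READ)
    queries_process = bool(
        granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    )
    if not (reads_memory and queries_process):
        return False
    return event.get("SourceImage", "").lower() not in BENIGN_SOURCES


def scan(jsonl_text):
    """Run the detector over newline-delimited JSON records; return the hits."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_lsass_access(event):
            hits.append(event)
    return hits


# Constructed sample telemetry: two benign LSASS opens, one unrelated process
# creation, one unknown binary reading LSASS memory, one LOLBin (rundll32,
# as used with comsvcs.dll MiniDump) doing the same, and a non-LSASS target.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Users\\Public\\update.exe", "CommandLine": "update.exe /q"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1410"}
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("LSASS access:", hit["SourceImage"], hit["GrantedAccess"])
```

In production this logic belongs in the SIEM rather than a script, and the allowlist is where the tuning effort goes: EDR agents and some backup software legitimately read LSASS, while attackers increasingly launder the access through signed Windows binaries, which is why the rule allowlists by full path rather than by file name.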

Rise of the Superbug
RansomEXX v2.0 employs robust encryption algorithms such as RSA-2048 and AES-256, making file recovery without the decryption key virtually impossible. The ransomware targets critical files and backups, rendering them inaccessible. Before encryption, the group often exfiltrates data to use as leverage for double extortion. Victims receive detailed ransom notes with instructions for payment, typically in Bitcoin or other cryptocurrencies. The group is known to negotiate, sometimes lowering ransom demands based on the victim’s response and perceived ability to pay.

RansomEXX has targeted high-profile organizations across various sectors, including government agencies, healthcare providers, and multinational corporations. These attacks have resulted in significant operational disruptions, data breaches, and financial losses. Many victims have paid the ransom to restore operations quickly.

RansomEXX v2.0 continues to evolve, incorporating new techniques to bypass security measures. According to CloudSEK, recent reports indicate that the group signs its malware with stolen digital certificates, which lends the binaries apparent legitimacy and reduces detection rates. There is also evidence of collaboration with other cybercriminal groups, sharing tools, techniques, and infrastructure.
