Ransomware gangs turn attention to Indian SMBs

Even as small businesses in India struggle to comply with the Indian Computer Emergency Team’s (CERT-In) new cybersecurity rules, cyber extortionists from around the world are turning their attention to them. According to a report published by security firm NordLocker on Tuesday, small businesses (with up to 500 employees) accounted for 54% of ransomware attacks in the country between January 2020 and July 2022.

Cyber extortionists, often referred to as ransomware gangs, are now also providing ransomware-as-a-service (RaaS). In a ransomware attack, hackers break into a company’s network and block access to crucial and sensitive files, demanding a ransom to return that access. The company and its employees are blocked from accessing any of the files till the ransom is paid, resulting in business disruption and huge financial loss.

A security researcher working with a leading consulting firm told Mint that such gangs run like any other businesses. They have multiple departments like HR, finance, administrators, coders and researchers. They even have policies on how its hackers should process their code, and share best practices to keep the group’s members hidden. 

For instance, in December last year, a small town book publisher from West Bengal was hit with one such attack. The CEO of the firm, who requested anonymity, said that they have been paying the ransom in installments and haven't been able to restore all of its data in the eight months since. An October 2021 report from Gartner had warned that on an average only 65% of data is recovered from such attacks, and only 8% of organizations recover all of their data.

Similarly, the IT head of a healthcare solution provider that runs a chain of diagnostic centres across eastern India, said that its entire customer database was destroyed in an attack during the peak of the pandemic. The company informed the CERT-In, but had to rework its entire database and software before getting back to regular functions.

According to Nordlocker’s report, Lockbit, Rangar Locker, BlackCat, Egregor and the Comming Project were the top ransomware gangs operating in the country. These are among the best known and most active ransomware gangs around the world. 

For instance, in March this year, Madrid-based customer relationship management (CRM) services provider Atento, said in a report that a Lockbit attack on the firm from October 2021 resulted in revenue losses of $34.8 million. LockBit and Ragnar Locker were the most active ransomware gangs in India, accounting for 13% and 7.8% of attacks, respectively, the report said.

According to Tomas Smalakys, CTO of NordLocker, ransomware gangs pick their target based on their propensity to pay the ransom, which is determined by the company's “importance in supply chain” networks and the amount of “confidential information” it is handling. In many cases, it is determined by the “depth of the company’s pockets,” added Smalakys. 

Manufacturing firms in India today cater to large businesses overseas, especially in sectors like electronics and appliances. In fact, the report noted that 41.5% of the targeted companies had annual revenues between ₹800 crore and ₹4000 crore. In August, the CERT-In said that ransomware attacks on Indian organizations increased by 51% in the first half of this year.

“The ransomware situation in India is alarming. The numbers of victims, ransom payments, and the impact of these attacks continued to rise during the first half of 2022, at considerable cost,” warned Parag Khurana, country manager, India & SAARC at Barracuda Networks. He said that Phobos is another ransomware that targets small businesses in India.

Others include Conti, which extorted $180 million from victims worldwide in 2021, according to a report by research firm Chainalysis. 

A single cyberattack through RaaS often involves multiple cybercriminals working at different stages, making it difficult to hold any single group accountable for an attack. “Sometimes two separate ransomware gangs will collaborate on a cyberattack, known as double encryption. More and more ransomware victims are finding they are being attacked by multiple gangs, with attacks taking place in a matter of days or weeks apart,” said Prateek Bhajanka, security expert and technology strategist for cyber security firm SentinelOne. 

Subbu Iyer, regional director for India and ASEAN, at Forescout Technologies, attributed the increase in ransomware to the ongoing “digital transformation wave” even as the cybersecurity teams in most companies are “perennially understaffed and under-resourced.”

“Poor knowledge of digitization, lack of cyber skills, and inadequately trained cybersecurity professionals are some of the factors leading to elevated cyber threats,” he added.