India second-most targeted by ransomware: Palo Alto Networks research

Ransomware attacks are increasing in number and intensity in every part of the globe. According to a new report published on Tuesday, India is now the second most targeted country by ransomware attacks after Australia in the Asia Pacific and Japan (APJ) region. 

The report titled: 'The 2023 Unit 42 Ransomware and Extortion', published by American cyber security firm Palo Alto Networks' Unit 42 Threat Intelligence team, said that India has moved a spot higher in 2022 from a year ago to occupy the second position, with over 36 ransomware attacks in the year, whereas Australia occupied the top spot with 45. At the third position is Japan with 32 ransomware attacks, followed by Taiwan, Thailand and China are the other countries that top Palo Alto Networks' chart with the maximum ransomware attacks in 2022.  

Globally, India occupies the 10th spot with the US leading in ransomware attacks with 1,118 cases, followed by the United Kingdom, Germany, Canada and France. Organisations based in the US were naturally the most severely publicly affected, with 42% of the observed leaks in 2022, followed by Germany and the UK, accounting for nearly 5% each. 

The study also said that in India, Maharashtra is found to be the most-targeted state with 36% attacks, followed by New Delhi, Uttar Pradesh, Tamil Nadu, West Bengal and Karnataka, among others. Sector wise, manufacturing, construction, and professional and legal services are the most targeted industries in India, said that the report and identified Lockbit 2.0, BianLian, and Stormous as the most active ransomware groups. 

Globally, the study found that ransomware and extortion actors are utilising more aggressive tactics to pressure organisations, with harassment being involved 20 times more often than in 2021. This harassment is typically carried out via phone calls and emails targeting a specific individual, often in the C-suite, or even customers, to pressure them into paying a ransom demand.  

Ransomware demands continued to be a pain point for organizations last year, with payments as high as $7 million in cases that Unit 42 observed. As Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks said, “Harassment has been involved in one of every five ransomware cases we’ve investigated recently, showing the lengths that these groups are willing to go to coerce a payday. Many are going so far as to leverage customer information that has been stolen to harass them and try to force the organisation's hand into payment.” 

The median demand was $650,000, while the median payment was $350,000 indicating that effective negotiation can drive down actual payments. The highest ransom demanded in 2022 was as high as $50 million or ₹4.1 billion, it said. 

Also, researchers have seen an average of seven new ransomware victims posted on leak sites — equating to one new victim every four hours. A data leak site is a website created solely for the purpose of selling stolen data obtained after a successful ransomware attack. In fact, in 53% of those incidents involving negotiation, ransomware groups have threatened to leak data stolen from organisations on their leak site websites, the study found, adding that established groups like BlackCat, LockBit and others contributed to 57% of the leaks 

According to a report released on February 8, by cyber-security firm CloudSEK, India was ranked the highest attacked country by hackers in Asia and the second-most attacked country globally (after the US) in 2022.  

The number of cyber-attacks on India increased by 24.3% last year, the study said, with Asia-Pacific pegged as the most targeted region globally, receiving 20.4% of all attacks in 2021 and nearly one-fourth (24%) of all attacks in 2022, said the CloudSEK report, adding that North America, Asia-Pacific and Europe remained the most targeted regions in both the years 2021 and 2022. 

Needless to say, 2022 saw some of the biggest ransomware attacks in India wherein the country's premier institution, All India Institute of Medical Science (AIIMS), was hit by a ransomware attack. The AIIMS server went offline for about two weeks before authorities recovered data and systems went online. Following the cyberattack on AIIMS, officials at Safdarjung Hospital, another Delhi-based government hospital had suffered a cyberattack in mid-November. The hospital servers went down for around 12 hours due to the attack. However, the National Informatics Centre (NIC) was able to revive the systems on the same day. 

In October, Tata Power, one of the biggest power suppliers in the country which serves 12 million consumers, said that its IT systems were hit by a cyber-attack. The firm said at that time that it had taken measures to “retrieve and restore” the systems. Later, a Russia-linked Hive ransomware gang claimed responsibility for the attack on Tata Power and leaked employee data it had stolen during the attack.