Ransomware incidents in India have gone up by 53 per cent in 2022 over the incidents reported in the previous year, according to the CERT-In, the Indian Computer Emergency Response Team that works under the Union Ministry of Electronics and Information Technology.

The information technology and IT-enabled services sector was the most impacted sector. This was followed by the finance and manufacturing sectors.

“Ransomware players targeted critical infrastructure organisations and disrupted critical services in order to pressurise and extract ransom payments,” CERT-In said in the Ransomware Report-2022.

Lockbit was the most prevalent ransomware variant in India, followed by Makop and DJVU/Stop ransomware. “Many new variants such as Vice Society and BlueSky were noticed in 2022,” it said.

“New ransomware variants emerged last year, as several profit-driven cybercriminals started their own campaigns aided by leaked source codes of established groups and the availability of readymade tool kits,” the report added.

Ransomware gangs have broadened their attacks across critical sectors with increased frequency and complexity of the attacks.

Stating that the Ransomware-as-a-Service (RaaS) ecosystem is gaining strength, it said double and triple extortion tactics are being used to cause business disruption and force the victim to pay the ransom.

Makop and Phobos ransomware families mainly targeted medium and small organisations, while Djvu/Stop variants continued to hold sway in attacks on individuals.

Most of the attacks appear to succeed because organisations and individuals have not applied patches for known vulnerabilities.

Key trends

The report found some interesting trends in the attacks. Instead of encrypting the whole computer or a complete file, cybercriminals are encrypting just a portion of a file to save time and effort. The attackers are using legitimate tools available in sources like GitHub during the infection phases.
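Partial (intermittent) encryption matters for defenders because a whole-file entropy check, a common heuristic for spotting encrypted files, can miss a file in which only some blocks were overwritten. The following added example (not from the CERT-In report) scores entropy per 4 KB window instead, and runs on constructed sample data in which a text document is left plain, partially overwritten, or fully replaced by a SHA-256 stream standing in for ciphertext; the thresholds 7.5 and 6.0 bits per byte are assumptions to tune per environment.

```python
import hashlib
import math

CHUNK = 4096  # inspection window; intermittent schemes skip blocks of roughly this order

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, near 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy per fixed-size window, so encrypted and untouched regions are seen separately."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, high: float = 7.5, low: float = 6.0, chunk: int = CHUNK) -> str:
    """'encrypted' if every window is high-entropy, 'partial' if high- and low-entropy
    windows coexist (the intermittent-encryption signature), otherwise 'plain'."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "plain"
    hi = sum(1 for e in ents if e >= high)
    lo = sum(1 for e in ents if e <= low)
    if hi == len(ents):
        return "encrypted"
    return "partial" if hi and lo else "plain"

def pseudo_cipher_bytes(n: int, seed: bytes) -> bytes:
    """Constructed high-entropy filler standing in for ciphertext (SHA-256 counter stream)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])

# Constructed samples: a plain document, the same document with alternate windows
# overwritten (intermittent encryption), and a fully encrypted file.
TEXT_CHUNK = (b"Quarterly report: revenue up 3%.\n" * 200)[:CHUNK]
PLAIN = TEXT_CHUNK * 8
PARTIAL = b"".join(pseudo_cipher_bytes(CHUNK, b"k%d" % i) if i % 2 == 0 else TEXT_CHUNK for i in range(8))
FULL = pseudo_cipher_bytes(CHUNK * 8, b"full")
```

For the partially overwritten sample the whole-file entropy stays below the 7.5 threshold, so only the per-window view flags it; in production the same scoring would be applied to files touched by a process during a write burst, alongside the backup and patching controls listed below.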

Alongside new versions of toolkits with enhanced attack capabilities, hackers are using heavy obfuscation techniques to evade detection and thwart reverse-engineering attempts.

Some others are resorting to low-profile attacks to avoid the attention of law-enforcement agencies.

What should organisations do?

With hackers getting more sophisticated, the CERT-In wants organisations to buckle up and increase surveillance.

Organisations should have clear visibility of their attack surface.

  • Develop and test a ransomware incident response plan.
  • Plan and implement policies for inventory management.
  • Roll out systematic patch management.
  • Prioritise patching of public-facing applications.
  • Implement identity and access management.
  • Have a proper backup management system and business continuity plan.