The alarming rise in incidents of ransomware attacks in India
The alarming rise in ransomware incidents in India has sounded the alarm for cyber security experts to come up with effective preventive measures to keep the country's cyberspace and vital installations safe and secure. The Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology has reported a 51 per cent increase in ransomware incidents in the first half of this year compared to the previous year, which is indicative of the country's cyber threat landscape. Building awareness of the response mechanism developed by CERT-In is crucial to protect cyber users from falling prey to ransomware gangs, and from negotiating and paying a ransom for the decryption key to regain access to files on their systems and networks.

The India Ransomware Report, H1-2022, released by CERT-In last week, states that the majority of the attacks were observed in the data centres/IT/ITeS sector, followed by the manufacturing and finance sectors. Ransomware groups have also targeted critical infrastructure, including oil and gas, transport and power, it adds.

Public sector oil company Oil India Limited (OIL) suffered a critical ransomware attack at its headquarters in Duliajan in April. The attackers demanded a ransom of over Rs 57 crore through a note left on an infected computer, which brought to light the ransomware threat to the country's vital installations. The attack caused a huge financial loss to OIL, as it led to an outage of the network, servers and client computers and disrupted the business that depends on the IT system.

The CERT-In report highlights that the "drive-by download" is the common tactic in citizen-centric ransomware cases. The term refers to the involuntary download of malicious code onto a computer or mobile phone when the user opens an email attachment, clicks a link or interacts with a pop-up window, exposing the system to cyber threats.
The CERT-In report lists the steps to be followed in responding to a ransomware attack, and giving them wide publicity is critical to boosting the confidence of potential victims to ignore ransom demands. According to the advisory, the first step in any suspected ransomware incident is to immediately disconnect and isolate the infected systems from the network, and to take the network offline if several systems or subnetworks appear to be impacted. Reporting the incident immediately to CERT-In or other regulatory agencies and lodging a First Information Report with law enforcement agencies is essential to get timely assistance and to help the authorities concerned take prompt action. This is followed by three further steps: determining the scope of the infection by looking for unauthorized access and signs of encryption, determining the ransomware strain, and following up with a host of response measures which include, among others, resetting all account credentials that may have been compromised. Threat actors continue to exploit known vulnerabilities, compromised credentials of remote access services and phishing campaigns for initial access into the infrastructure of organizations as well as citizens, the report states.

The national nodal agency for responding to computer security incidents in the country also issued a set of FAQs in April on its cyber security directions, which are aimed at ensuring an open, safe, trusted and accountable internet in India for the current base of about 80 crore internet users, projected to grow to 120 crore over the next few years. These directions mandate cyber security best practices for service providers and organizations so that the safety of users' data is ensured and trusted services are available to users.
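The advisory's second and third steps, determining the scope of the infection and looking for signs of encryption, are the part of the procedure a responder actually has to carry out by hand once the host is isolated. The script below is an added illustration of one way to do that and is not part of the CERT-In report or this article: it walks a directory tree read-only, flags files whose content is near 8 bits of entropy per byte (random-looking, as ciphertext is) and small text files that read like ransom notes, and summarises which directories and file extensions are affected. The entropy threshold, the note keywords, the `.locked` suffix and the whole sample tree are assumptions constructed for the example.

```python
"""Post-isolation triage: estimate the scope of a ransomware infection.

Added illustration only; the thresholds, file names and sample tree below are
assumptions constructed for this example, not data from the CERT-In report.
"""
import math
import tempfile
from collections import Counter
from pathlib import Path
from random import Random

# Assumed heuristics (not from the report): content near 8 bits/byte suggests
# encryption, and a short text file naming payment and decryption is a typical
# ransom note.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "payment")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    """A small, UTF-8 decodable file that mentions at least two note keywords."""
    if len(data) > 64 * 1024:
        return False
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return sum(kw in text for kw in NOTE_KEYWORDS) >= 2


def triage(root: Path) -> dict:
    """Walk root read-only and classify every regular file.

    Returns the relative paths of likely-encrypted files and ransom notes, the
    directories touched and the extensions seen on encrypted files, so the
    responder can bound the incident before resetting credentials or restoring.
    """
    encrypted, notes = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(data):
            notes.append(rel)
        elif len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)
    affected_dirs = sorted({str(Path(p).parent) for p in encrypted + notes})
    extensions = Counter(Path(p).suffix for p in encrypted)
    return {
        "likely_encrypted": encrypted,
        "ransom_notes": notes,
        "affected_dirs": affected_dirs,
        "extensions": dict(extensions),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact document, two 'encrypted' files and
    one ransom note. The .locked suffix and the note wording are invented."""
    rng = Random(1)  # deterministic stand-in for ciphertext
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q1.txt").write_text("quarterly figures\n" * 40)
    (root / "finance" / "ledger.xlsx.locked").write_bytes(rng.randbytes(4096))
    (root / "hr" / "payroll.docx.locked").write_bytes(rng.randbytes(4096))
    (root / "hr" / "HOW_TO_RESTORE.txt").write_text(
        "Your files have been encrypted. To decrypt them, send a bitcoin "
        "payment to the address below and contact us for the key.\n"
    )


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['likely_encrypted'])} likely-encrypted file(s), "
          f"{len(result['ransom_notes'])} ransom note(s)")
    for key in ("likely_encrypted", "ransom_notes", "affected_dirs", "extensions"):
        print(f"{key}: {result[key]}")
```

Two caveats a responder should keep in mind. Compressed or already-encrypted files (archives, media, password-protected documents) are also high-entropy, so a flagged file should be confirmed by checking its header bytes before it is counted as damage. And the scan should be run against a forensic copy or a read-only mount rather than the live infected host, so that the evidence (file timestamps included) needed for the strain identification and the report to CERT-In is not altered.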
Explaining the rationale behind the directions, CERT-In states that a cyber incident can affect one or many entities; it is therefore imperative that all incidents are tracked and investigated to deduce the inter-linkages between them in order to provide safe, trusted internet usage to citizens, and implementation of the measures mandated in the directions will facilitate timely detection and mitigation of breaches and effective investigation of cybercrimes. The obligation to report cyber security incidents to CERT-In is statutory and overrides any confidentiality clause in a contract, and deliberate non-compliance may attract the penal provisions of the Information Technology Act, 2000. The FAQs also address the right to informational privacy of individuals and explain that it is not affected by the directions, as they do not envisage CERT-In seeking information from service providers continuously as a standing arrangement. CERT-In may seek information from service providers in the case of cyber security incidents and cyber incidents, on a case-to-case basis, in discharge of its statutory obligation to enhance cyber security in the country. The directions speak volumes about the challenges of building the cyber security architecture of the country. When the threat of increasing ransomware attacks is real, awareness among internet users can ensure voluntary reporting, but any cyber attack that goes unreported will only keep the threat of dangerous ransomware attacks alive.