A recent ransomware attack, attributed to the infamous RansomEXX group, has crippled over 300 small Indian banks, disrupting ATM services and online payments. The attack targeted C-Edge Technologies Ltd., a joint venture between Tata Consultancy Services Ltd. and State Bank of India, using a sophisticated variant of the group's ransomware. This incident, as reported by CloudSEK, primarily impacted Brontoo Technology Solutions, a key collaborator with C-Edge. Following the attack, Brontoo filed a report with CERT-In, the Indian Computer Emergency Response Team.
CloudSEK’s threat research team identified the attack’s origin in a misconfigured Jenkins server, which the attackers exploited. This incident underscores the rising threat of supply chain attacks, emphasizing the critical need for robust security measures across entire ecosystems.
The ransomware group responsible, RansomEXX v2.0, is notorious for targeting large organizations and demanding hefty ransom payments. Its modus operandi begins with exploiting vulnerabilities, such as CVE-2024-23897, in misconfigured servers, which grants the attackers SSH (secure shell) access over port 22. From that foothold they infiltrate the network and deploy their ransomware.
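As an added illustration, not taken from the CloudSEK report or the original article, of the exposure check a defender would run after reading the above: the following Python triages Jenkins hosts by the version advertised in the `X-Jenkins` response header against the releases that fixed CVE-2024-23897 (weekly 2.442 and LTS 2.426.3, per the Jenkins security advisory of 2024-01-24). The hostnames and header sets are constructed sample data.

```python
"""Triage helper: flag Jenkins instances whose advertised version predates the
CVE-2024-23897 fix. Jenkins reports its version in the X-Jenkins response header.
Fixed releases per the Jenkins advisory: weekly 2.442, LTS 2.426.3."""
import re

FIXED_WEEKLY = (2, 442)      # weekly releases use two components: 2.NNN
FIXED_LTS = (2, 426, 3)      # LTS releases use three components: 2.NNN.M


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not a Jenkins version."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        return None
    parts = [int(match.group(1)), int(match.group(2))]
    if match.group(3) is not None:
        parts.append(int(match.group(3)))
    return tuple(parts)


def is_vulnerable(version):
    """True if the version is below the fixed release on its line (LTS or weekly),
    False if it is at or above it, None if the string cannot be parsed."""
    parts = parse_version(version)
    if parts is None:
        return None
    if len(parts) == 3:          # three components: LTS line
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY  # two components: weekly line


def triage(headers_by_host):
    """Map {host: {header: value}} to {host: 'vulnerable' | 'patched' | 'unknown'}.
    Header names are matched case-insensitively; a missing or stripped X-Jenkins
    header (for example behind a reverse proxy) yields 'unknown', not 'patched'."""
    verdicts = {}
    for host, headers in headers_by_host.items():
        lowered = {name.lower(): value for name, value in headers.items()}
        vuln = is_vulnerable(lowered.get("x-jenkins", ""))
        verdicts[host] = "unknown" if vuln is None else ("vulnerable" if vuln else "patched")
    return verdicts


# Constructed sample responses; the hosts are placeholders, not real systems.
SAMPLE_HEADERS = {
    "build01.example.internal": {"X-Jenkins": "2.426.2", "Server": "Jetty"},
    "build02.example.internal": {"X-Jenkins": "2.442"},
    "build03.example.internal": {"x-jenkins": "2.426.3"},
    "build04.example.internal": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{host}: {verdict}")
```

A banner check like this only covers the known-version case; a host reporting "unknown" still needs to be inspected directly, and the misconfiguration the article describes (an exposed build server) is a separate finding from the patch level.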
RansomEXX v2.0 is an advanced variant of the original RansomEXX ransomware, known for its sophisticated techniques and high ransom demands. Initially known as Defray777, it rebranded in 2020 and has continuously evolved to counter increasing defensive measures. This variant showcases enhanced encryption techniques, evasion tactics, and payload delivery methods, making it a formidable threat.
RansomEXX v2.0 employs diverse and effective infection vectors and tactics. Initial access is gained through phishing emails, exploitation of weaknesses in Remote Desktop Protocol (RDP) deployments, and exploitation of flaws in VPNs and other remote access services. After gaining entry, the group uses tools such as Cobalt Strike and Mimikatz to move laterally within the network, exploiting known vulnerabilities and stealing credentials to gain higher privileges in the compromised environment.
The ransomware employs strong encryption algorithms, such as RSA-2048 and AES-256, making file recovery without the decryption key virtually impossible. It targets critical files and backups, rendering them inaccessible. Before encryption, the group often exfiltrates data to use as leverage for double extortion, a tactic that further increases the pressure on victims.
Victims receive detailed ransom notes with payment instructions, typically in Bitcoin or other cryptocurrencies. The group is known to engage in negotiations, sometimes lowering ransom demands based on the victim’s response and their perceived ability to pay. RansomEXX has targeted a wide range of high-profile organizations across diverse sectors, including government agencies, healthcare providers, and multinational corporations. These attacks have resulted in significant operational disruptions, data breaches, and substantial financial losses. Many victims have succumbed to the pressure and paid the ransom to swiftly restore operations.
RansomEXX v2.0 continues to evolve, adopting new techniques to bypass security measures. Recent reports, including CloudSEK's, indicate the use of stolen digital certificates to sign malware so that it appears trustworthy and is less likely to be detected. There is also evidence of collaboration with other cybercriminal groups, sharing tools, techniques, and infrastructure, which makes them a more formidable force.