Cybersecurity experts reveal what exactly happened in the ransomware attacks that took down 300 banks

The recent ransomware attack that basically took down over 300 small Indian banks and has rendered ATM usage and online payments has been attributed to the notorious RansomEXX group

What happened was that C-Edge Technologies Ltd., a joint venture between Tata Consultancy Services Ltd. and State Bank of India was attacked using a sophisticated variant of their ransomware according to a report by CloudSEK

The attack primarily affected Brontoo Technology Solutions, a significant collaborator with C-Edge. Following the attack, Brontoo filed a report with CertIn, the Indian Computer Emergency Response Team. CloudSEK’s threat research team identified that the attack chain began with a misconfigured Jenkins server, which the attackers exploited.

Key Findings from the CloudSEK Report
CloudSEK’s report highlighted several key findings. The ransomware group behind the attack is RansomEXX v2.0, which is notorious for targeting large organizations and demanding substantial ransom payments. The attack began with a misconfigured Jenkins server, exploiting a vulnerability (CVE-2024-23897) that allows attackers to gain secure shell access via port 22. This incident underscores the growing threat of supply chain attacks and the need for robust security measures across entire ecosystems.

RansomEXX v2.0 is an advanced variant of the RansomEXX ransomware, known for its sophisticated techniques and high ransom demands. Initially known as Defray777, RansomEXX rebranded in 2020 and has since evolved to counter increasing defensive measures. This variant shows enhanced encryption techniques, evasion tactics, and payload delivery methods.

The infection vectors and tactics used by RansomEXX v2.0 are diverse and effective. The initial access vectors include phishing emails, exploiting vulnerabilities in remote desktop protocols (RDP), and weaknesses in VPNs and other remote access services. After gaining initial access, the group uses tools like Cobalt Strike and Mimikatz to move laterally within a network. They employ known exploits and credential theft to gain higher privileges within the compromised environment.

Rise of the Superbug
RansomEXX v2.0 employs strong encryption algorithms such as RSA-2048 and AES-256, making file recovery without the decryption key virtually impossible. The ransomware targets critical files and backups, rendering them inaccessible. Before encryption, the group often exfiltrates data to use as leverage for double extortion. Victims receive detailed ransom notes with instructions for payment, typically in Bitcoin or other cryptocurrencies. The group is known to engage in negotiations, sometimes lowering ransom demands based on the victim’s response and perceived ability to pay.

RansomEXX has targeted a range of high-profile organizations across various sectors, including government agencies, healthcare providers, and multinational corporations. These attacks have resulted in significant operational disruptions, data breaches, and financial losses. Many victims have paid the ransom to quickly restore operations.

RansomEXX v2.0 continues to evolve, incorporating new techniques to bypass security measures. Recent reports indicate the use of stolen digital certificates to sign malware, increasing trust and reducing detection rates, says CloudSEK. There is also evidence of collaboration with other cybercriminal groups, sharing tools, techniques, and infrastructure.