AIIMS Ransomware Attack Paradigm

Overview Of The Attack :

The All-India Institute of Medical Sciences in Delhi purportedly came under a cyber-attack on November 23 that rendered its systems unusable according to the sources. Due To the cyber-attack, the daily operation at AIIMS is Interrupted as the data of the patients and the e-services are not available to staff and the patients and everything is done manually. The Severs and the computers are infected, and all files were locked by encrypting them into .bak9 extension files and all the AIIMS Systems are using LINUX as the default Operating System as per the sources the infection itself began from a Windows-based terminal which was unscathed, the analysis also found. The Attackers are demanding certain Ransome to decrypt the files

DATE OF THE ATTACK: 23-11-2022, 07:07:49

TYPE OF ATTACK: Ransomware Attack

CVE NUMBER: CVE-2022-23714

NAME OF THE VICTIM ORGANIZATION: AIIMS (All India Insitute of Medical Science)

TYPE OF THE SECTOR: Medical Sector

TOOL USED BY THE VICTIM ORGANIZATION: Mainstay hospital management tool, e-Hospital

USED OS IN THE VICTIM ORGANIZATION: Linux

AFFECTED SERVERS: 2 Application Servers, 1 Database Server,1 Backup Server

PRIMARY POINT OF THE ATTACK: The infection itself began from a Windows-based terminal which was unscathed, the analysis also found.

FILES ENCRYPTED INTO: .bak9 extension files

EMAILS USED BY THE ATTACKERS: dogA2398@protonmail.com and mouse63209@protonmail.com

DATA MAY HAVE BEEN LEAKED: 3 To 4 Crores patient’s database, which includes the health records of India’s top politicians but also blocked access to its e-hospital server and daily 80000 outpatients

DEMANDED RANSOM: 200 Crores in form of crypto

AIIMS TOTAL SERVERS: 40 Physical servers and 100 virtual servers (AIIMS servers were running on software called Zimbra that specializes in email services (Zimbra is owned by the U.S.-based Synacor))

Cause Of The Attack :

The inspection team said that almost government network instruments e.g firewalls, routers, and switches (managed and unmanaged) are running in a default factory setting which means their username and password aren’t charged after being installed, this is a serious breach that shouldn’t happen at all. There’re also loopholes observed where important data are stored online but the authority hasn’t made provision for a data backup facilities this including server mirroring. Tangible hackers could easily access the internal network by bypassing easy passwords which are rare in govt networks, every password must be changed over 2 to 3 months. The system administrator must ensure they don’t respond to insecure emails containing stealth cipher URLs which can be lethal injectors for critical malware, trojan, or ransomware. Last but not least mismanaged multicast ports are a major threat to data hacking which gives full access to the gateway inside despite having multiple secured layers of topography.

Ransomware Attack :

Ransomware is a type of malware that blocks access to data or a computer system and threatens to publish it. Once hacked, this data becomes encrypted until demands of the hackers are met.

Report On AIIMS Ransomware Attack :

After a cyberattack rendered all of the servers at the All-India Institute of Medical Science (AIIMS), Delhi, they were compelled to travel back in time.

It’s unknown who launched the attack; however, the Delhi Police denied a number of stories that said hackers wanted to be freed in exchange for a 200-crore rupee cryptocurrency ransom. On November 23, 2022, a breach in the internal systems of AIIMS was discovered. The hospital’s electronic patient management system was severely damaged not long after. The intrusion was acknowledged by AIIMS in a statement, and it added that due to the size of the data breach, data restoration is taking time.

What Went Wrong At AIIMS?

The hospital’s electronic patient management system was severely damaged not long after. In a statement, AIIMS acknowledged the breach and said that data restoration was taking some time due to the hospital’s extensive use of servers, which accommodate 15 lakh outpatient cases and 80,000 inpatient cases annually.

Since it contains every patient’s personal information, including name, age, sex, address, phone number, and medical history, this data is particularly sensitive. If they haven’t already, hackers might easily sell this private information on the Dark Web.

Given that AIIMS has stated that some of their files are encrypted, a ransomware attack may be to blame. One of the ransomware organizations that specifically target Indian organizations could have been after AIIMS.

On December 1, 2022, AIIMS servers were still unavailable to users. However, officials announced on Tuesday that the e-hospital data had been recovered and that they are currently sanitizing the servers before turning them back on.

Far-reaching effects of this cyberattack

Have you been wondering how this hack affects the general public? Besides the aforementioned threat of data leak, the hack has caused a rush at AIIMS. According to a PTI report, long queues rocked AIIMS as its online appointment system remained offline.

The hospital had to deploy additional staff to help with the rush. All of the hospital’s services, including outpatient and in-patient departments and labs continue to operate manually. Billing counters and diagnostic centers saw long queues after the server outage continued after a week.

On November 25, Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) unit filed registered a case of extortion and cyber terrorism.

AIIMS officials have reportedly roped in IT companies and bodies to probe the ransomware attack. An AIIMS official told Mint that various agencies in talks with the hospital include the National Investigation Agency, India Computer Emergency Response Team (CERT-IN), the Delhi Police, the Defense Research and Development Organization, the Intelligence Bureau, the Central Bureau of Investigation, and the Ministry of Home Affairs.

What’s Happening At AIIMS Now?

Now, AIIMS will have to go through each system on the network to ensure there is no malware left. This is a long-drawn process, and with a hack of this gravity, it could still take a long time before servers are back on.

Data of about 3-4 crore patients may have been leaked in this hack, PTI reported, adding that hackers remained adamant on their Rs. 200 crore demand.

For now, internet services remain blocked at AIIMS. “AIIMS has around 40 physical and 100 virtual servers. Five have shown signs of virus infection. These servers are also being set up for scanning and new servers with updated configurations are being purchased as most servers at AIIMS were end of life/end of support,” a source was cited by PTI.

What Can Institutions Do To Avoid Such Attacks?

“Given the scale and significance of the healthcare industry, it is vital for institutions, employees, and healthcare professionals to ensure that the data they gather and store is not leaked or exploited by cybercriminals,”.

Listed out precautions that healthcare organizations can take to prevent such attacks in the future:

Creating awareness among users regarding cyber-attacks, online scams, and phishing campaigns.
Enacting strong password policies and enabling multi-factor authentication (MFA).
Updating and patching software, systems, and networks regularly.
Maintaining multiple backups – both online and offline in separate and secure locations.
Monitoring logs for unusual traffic and activity to websites and other applications.
Blocking illegitimate IP addresses and deactivating port-forwarding using network firewalls.
Performing real-time monitoring of the internet to identify and mitigate low-hanging threats such as misconfigured apps, exposed data and leaked accesses that are leveraged by cybercriminals to carry out large-scale attacks.
Avoid clicking on suspicious emails, messages, and links.
Refrain from downloading or installing unverified apps.
Use strong passwords and enable multi-factor authentication (MFA) across accounts.