The RansomEXX group was found to be behind the ransomware attacks that disrupted India’s banking ecosystem on Wednesday, affecting banks and payment providers, according to a report by cyber intelligence firm CloudSEK.
The attack reportedly prevented customers of around 300 small financial institutions across the country from accessing payment services such as cash withdrawals at ATMs and using UPI.
The attack was launched through a misconfiguration on a Jenkins server at Brontoo Technology Solutions, a subcontractor of C-Edge Technologies Ltd., a joint venture between Tata Consultancy Services Ltd. and State Bank of India.
This situation is still evolving, negotiations with the ransomware group are ongoing, and the data has not yet been published on their PR website.
CloudSEK published a report analyzing the attack chain and identifying the adversary’s tactics.
Key report findings:
Source of attack: The attack chain began with a misconfiguration of a Jenkins server, which was then exploited through CVE-2024-23897 to gain unauthorized access. CVE-2024-23897 is a local file include vulnerability in Jenkins that, according to the report, allowed the attacker to obtain secure shell access.
Ransomware Groups: The attack is believed to be the work of RansomEXX v2.0, a variant of the RansomEXX ransomware family, whose operators are known for targeting large organizations and demanding large ransoms. The group is part of a broader trend in which ransomware developers continually evolve their malware to evade security defenses and maximize their impact.
Infection vectors and tactics: Common vectors include phishing emails, exploitation of vulnerabilities in Remote Desktop Protocol, and exploitation of weaknesses in VPNs and other remote access services. After initial access, the group has used tools such as Cobalt Strike, Mimikatz and other administrative tools to move laterally within the network. They then leverage known exploits and credential theft to gain higher privileges within the compromised environment.
Payload and Encryption: RansomEXX v2.0 uses strong encryption algorithms such as RSA-2048 and AES-256, making file recovery virtually impossible without the decryption key. It targets important files and backups to render them inaccessible, and it exfiltrates data before encrypting it so that the stolen data can be used as leverage (double extortion).
Ransom Note: Victims receive a detailed ransom notice with payment instructions, typically in Bitcoin or other cryptocurrencies. RansomEXX is known to negotiate and may lower the ransom demand based on the victim’s reaction and perceived ability to pay.
Notable targets: RansomEXX has targeted high-profile organizations across a variety of sectors, including government agencies, healthcare providers, and businesses. Previous targets of the group include Trinidad and Tobago’s telecommunications services, the Peruvian Ministry of Defense, Kenya Airways, Ferrari, and Viva Air.
Impact and Response: The attack caused significant business disruption, data breaches and financial losses, with many victims forced to pay the ransom in order to quickly restore their operations.
Evasion techniques: RansomEXX v2.0 continues to evolve and incorporates new techniques to evade security measures; recent reports indicate that stolen digital certificates are being used to sign the malware, making it appear trustworthy and reducing detection rates.
Key Points: According to CloudSEK, the attack highlighted significant vulnerabilities in current enterprise systems and threat modeling practices: while large organizations with strong cybersecurity are difficult to compromise, attackers exploit the path of least resistance, and supply chain attacks are becoming increasingly prevalent.
The report suggests that organizations should strengthen their security posture by regularly updating and patching their systems, especially those involved in critical infrastructure. Major organizations should keep their Jenkins servers up to date, and all critical vendors should ensure the same for their own servers.
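The patching recommendation above is only actionable if a defender can tell which Jenkins instances are still exposed. The script below is an added example, not code from the CloudSEK report or from the Jenkins project: it reads the version that Jenkins advertises in its `X-Jenkins` response header and compares it against the releases that first shipped the fix for CVE-2024-23897 (weekly 2.442 and LTS 2.426.3, per the Jenkins security advisory for that CVE). The host name in the usage comment is hypothetical, and the sample version strings are constructed for illustration.

```python
"""Check Jenkins versions against the CVE-2024-23897 fix releases.

Added example (not from the CloudSEK report or the Jenkins project).
Assumptions: the fix versions below are those named in the Jenkins security
advisory for CVE-2024-23897; Jenkins sends its version in the X-Jenkins
response header (standard behaviour); host names in comments are hypothetical.
"""
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# First releases containing the fix, one per release line.
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)      # weekly line: 2.442
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)      # LTS line:    2.426.3

# Accepts "2.441", "2.426.3", and suffixed forms such as "2.441-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a Jenkins version string into an integer tuple; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_patched(version: Tuple[int, ...]) -> bool:
    """LTS builds carry three components (2.426.3); weekly builds carry two (2.442).

    Each line received its own fix release, so the comparison must be made
    within the correct line: an LTS 2.426.3 is patched even though it is
    numerically below weekly 2.442.
    """
    if len(version) >= 3:
        return version >= FIXED_LTS
    return version >= FIXED_WEEKLY


def assess(version_text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "patched" if is_patched(v) else "vulnerable"


def fetch_version(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Read the X-Jenkins header from a live instance; None if unreachable.

    Jenkins attaches the header even to 403 responses for anonymous users,
    so an HTTPError still yields the version.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/login", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        return err.headers.get("X-Jenkins")
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    import sys

    # Usage: python jenkins_check.py https://jenkins.example.internal  (hypothetical host)
    for url in sys.argv[1:]:
        ver = fetch_version(url)
        status = assess(ver) if ver else "unreachable"
        print(f"{url}: version={ver!r} status={status}")

    # Constructed sample inventory, so the decision logic can be seen offline.
    for sample in ("2.426.2", "2.426.3", "2.441", "2.442", "2.440.1", "garbage"):
        print(f"{sample:>8} -> {assess(sample)}")
```

Run it against an inventory of build servers, including those operated by vendors and subcontractors, since the page's point is that the weak link sat at a subcontractor. A version check does not cover the misconfiguration part of the attack chain; treat a "patched" result as necessary, not sufficient.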