The Rise of Ransomware: Take a peek into AIIMS Cyber Attack, and how organizations should proactively counter such attacks?

Before understanding the countermeasures, let’s understand the sequence of events pertaining to the Cyber Attacks on All India Institute of Medical Sciences (AIIMS), a premier public medical research institution and a hospital based in New Delhi.

The cyber-attack on AIIMS was reported on 23rd November 2022, this lasted for more than 15 days & only by 6th December 2022,that the hospital was restored to normal, AIIMS confirmed that the trial runs of the e-Hospital server were successful, and most of the lost data had been retrieved. As a result of the incident, several patient care services, including registration, admission, billing, and discharge, appointment systems were inaccessible. Even the ‘e-Hospital,’ application system of the National Informatics Centre (NIC) was impacted by this incident & the hospital’s operations had to run manually to meet the immediate demands.

This ransomware attack could have corrupted huge data and medical records, including Personally Identifiable Information (PII) of patients and healthcare workers, and administrative records kept on blood donors, ambulances, vaccination, caregivers, employee login credentials, sensitive data, and medical records of VIPs. This kind of data is usually sold on the dark web by hackers.

The extent of the attack was so intense that multiple agencies like Delhi Police, the Centre’s Computer Emergency Response Team (CERT), the Ministry of Home Affairs, the Forensic Science Laboratory (FSL), and even the National Investigation Agency (NIA) sprang into action & the findings as reported by various media sources are as below

• IP addresses of two emails, which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China’s Henan province
• The hackers had two Protonmail addresses – “dog2398” and “mouse63209”.
• The targeted servers were infected with three ransomware: Wammacry, Mimikatz, and Trojan.

More could be revealed in times to come, but organizations must take the following steps to proactively prepare against cyber-attacks:

• Develop a comprehensive cybersecurity policy: A comprehensive cybersecurity policy should outline the organization’s approach to cybersecurity, including the roles and responsibilities of employees, the procedures for responding to security incidents, and the procedures for conducting security assessments. The policy should also include guidelines for protecting sensitive information, such as customer data and intellectual property, and for ensuring the security of the organization’s IT infrastructure.
• Conduct regular security assessments: Regular security assessments can help organizations identify potential security weaknesses and take steps to address them before they can be exploited by attackers. Assessments can be performed internally, or with the assistance of a third-party security consultant. Some common types of security assessments include penetration testing, vulnerability scanning, and security audits.
• Train employees: Employee awareness and training are crucial in the fight against cyber-attacks. Organizations should educate employees on the importance of cyber security, safe browsing habits, and how to identify and respond to phishing attempts. This can be achieved through regular training sessions, e-learning programs, and simulated phishing exercises.
• Implement multi-factor authentication: Multi-factor authentication (MFA) provides an additional layer of security beyond a simple password, making it more difficult for attackers to gain access to sensitive information. MFA can be implemented for all users, or just for those with access to sensitive information, such as administrators.
• Keep software up-to-date: Regular software updates can help fix security vulnerabilities, so it’s important to keep all software up-to-date to reduce the risk of successful cyber-attacks. This includes not only the operating system and applications, but also security software such as antivirus and firewall applications.
• Use encryption: Encrypting sensitive data can help prevent unauthorized access, even if the data is stolen or intercepted during transit. Organizations should use encryption for sensitive data in transit, such as when transmitting data over the internet, and for sensitive data at rest, such as data stored on servers and end-user devices.
• Backup data regularly: Regular backups can help organizations recover quickly from a cyber-attack or other data loss event. Backups should be stored off-site, or in the cloud, to ensure that they are not affected by a security incident at the primary location.
• Collaborate with other organizations: Sharing threat intelligence and best practices with other organizations can help improve overall security posture and respond more effectively to cyber-attacks. This can be achieved through information sharing initiatives, such as information sharing and analysis centres (ISACs), or through collaboration with industry groups and law enforcement agencies.
• Consider insurance coverage: Organizations may want to consider purchasing cyber insurance coverage to help mitigate the financial impact of a successful cyber-attack. Cyber insurance policies can provide coverage for costs such as incident response, legal fees, and compensation for customers whose data is compromised.

By taking these steps, organizations can proactively prepare against cyber-attacks and reduce the risk of a successful attack. Additionally, in addition to the general cyber security measures, organizations can also implement specific network and data security measures to protect their IT infrastructure and sensitive data. Some of these measures include:

1. Firewalls: Firewalls can help protect the organization’s network from unauthorized access by filtering incoming and outgoing traffic based on pre-defined rules. Organizations should consider implementing both perimeter firewalls and host-based firewalls to provide multiple layers of protection. Would highly recommend you to even consider Next-generation firewalls (NGFWs) in place of  traditional firewalls as they come with few some limitations in terms of their ability to detect and prevent modern cyber threats.
2. Virtual Private Networks (VPNs): VPNs can help secure communications between remote workers and the organization’s network by encrypting data in transit. This can help prevent unauthorized access to sensitive data, such as login credentials and confidential documents.
3. Access controls: Access controls can help ensure that only authorized users have access to sensitive data and systems. This can be achieved through the use of user authentication, such as passwords and biometrics, and through the use of role-based access controls, which restrict access to specific systems and data based on an individual’s role within the organization.
4. Data Loss Prevention (DLP): DLP solutions can help prevent the accidental or unauthorized release of sensitive information, such as credit card numbers and Social Security numbers. DLP solutions can be implemented through the use of software agents, or through the integration of DLP capabilities into existing security solutions, such as firewalls and email gateways.
5. Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS solutions can help detect and prevent cyber-attacks by analysing network traffic and identifying suspicious activity. IDS/IPS solutions can be implemented as hardware devices, or as software applications running on servers or end-user devices.
6. Endpoint protection: Endpoint protection solutions, such as antivirus and anti-malware software, can help protect end-user devices from cyber-attacks by identifying and blocking malicious software and activities. Organizations should ensure that all end-user devices, including laptops, smartphones, and tablets, are protected by up-to-date endpoint protection software.
7. Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions: Unlike a end point security solutions, EDR & XDR solutions can help organizations detect and respond to cyber threats more effectively, and can complement other security measures, such as firewalls, intrusion detection systems, and anti-malware software.

By implementing these network and data security measures, organizations can further strengthen their defence against cyber-attacks and protect sensitive data. It’s important to regularly review and update these measures to ensure that they remain effective in the face of changing cyber security threats.