New Delhi: Cybersecurity expert Ritesh Bhatia is still puzzled over last month’s cyberattack on the All India Institute of Medical Sciences (AIIMS), Delhi, which led to a shutdown of the hospital’s servers on 23 November.
AIIMS, India’s premier medical institution, is yet to restore services.
Bhatia, a cybersecurity expert based in Mumbai who has seen everything — from cyberstalking and financial espionage to sextortion — during his career spanning 21 years, is especially mystified by a line in a news report: “Antivirus solutions have been organised for servers and computers,” the report quotes an official source from the hospital.
“So does this mean AIIMS, which cares for our national leaders, never used something as basic as an antivirus to protect its computer systems?” asks Bhatia, flabbergasted.
The cybersecurity experts ThePrint spoke to, Bhatia among them, are baffled by the official response since the attack. The government is yet to issue a statement either acknowledging or denying it.
“The AIIMS Delhi cyberattack is among [the] biggest in India, why aren’t we taking it more seriously?” Bhatia asks.
Gulshan Rai, India’s first cybersecurity head with the Prime Minister’s Office (PMO) from 2015 to 2019, calls this the most serious attack he has witnessed on an Indian institution.
“In my time at the PMO or CERT-In (Indian Computer Emergency Response Team) I did not experience an attack on this scale,” said Rai, who has also served as the director general of CERT-In, the country’s nodal agency to deal with cybersecurity threats.
What’s even more puzzling is the opaqueness around the attack, say experts.
“So what exactly happened? We’re not even sure if it was ransomware or it was another kind of cyberattack,” Bhatia said, referring to the report, which also claimed that hackers had demanded a ransom of Rs 200 crore.
The Delhi Police, though, has since denied the ransom claim.
ThePrint reached CERT-In, its current director general Sanjay Bahl and National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant (Retd) via email, but did not receive a response at the time of publishing this report.
‘Hard to decrypt’ ransomware
Sunny Nehra, a Delhi-based cybersecurity researcher and founder of Secure Your Hacks, claims, citing “confidential contacts” at a government agency investigating the case, that it was indeed ransomware — that too one that’s “hard to decrypt”.
Ransomware is malicious software that can be used to encrypt a victim’s computer files, essentially locking the victim out of their own system until a ransom is paid. A user trying to open files locked and encrypted by ransomware will keep getting a message prompt demanding a ransom or showing an email address to contact the hacker.
A victim of a ransomware attack needs a ‘private key’ — a string of alphanumeric characters — to unlock the files. To obtain this key, the victim can either pay the ransom or try to recover it on their own.
“This particular ransomware is a new kind and very well designed so it’s hard to decrypt and unlock the files,” said Nehra, who has worked with law enforcement agencies on cybercrimes, to ThePrint.
“It is encrypting all copies of victim data it can find, including the backup copies of data. This ransomware is similar to the ransomware called Lockbit 3.0 and is hard to decrypt even via memory analysis methods,” Nehra added.
Memory analysis is a method that involves examining the computer’s memory (RAM), where short-term data is held while the device is still running.
Investigators check the memory for actions taken by ransomware in case it leaves no trace on the hard drive — the part where data is stored permanently.
Memory analysis can be used to find clues to create the private key.
The current case, however, has allegedly left investigators flummoxed.
“They have even tried uploading all the data to a cloud (an online storage space) in order to decrypt,” Nehra said, citing his sources. “But it doesn’t help at all to just upload data online in order to decrypt it.”
‘No acknowledgment from the government’
How the ransomware got into AIIMS’ server is yet to be ascertained. But according to Nehra, it was likely caused by outdated security practices or a phishing email that someone may have clicked and that surreptitiously installed the ransomware on a computer connected to the entire system.
To Bhatia, however, what really sticks out is the lack of transparency over the incident.
“The government is so hell-bent on getting us on an expressway to a Digital India — get your appointments, medical reports, certificates, everything online. [But it] isn’t putting in safety locks and guardrails with the same kind of frenzied priority,” he said. “There is no proper statement from the government acknowledging the cyberattack, what caused it, and steps [that were] taken to address the attack,” he told ThePrint.
“If the government understands how serious the attack is, shouldn’t the public and the cybersecurity community be informed so we can take precautions against the cause? Maybe the cybersecurity community can help since the official investigators still don’t know much,” Bhatia added.
The attack’s impact
While the patient registration portal for online appointments appears to be active at present, the attack crippled AIIMS’ complex information system, which includes patients’ lab reports and health records from the institute’s various departments.
In a statement it issued on 29 November, AIIMS said that eHospital data had been restored on its servers but that it was still resorting to manual processes while the systems were being “sanitised”.
Meanwhile, there’s also the fear that the cyberattack could have compromised the data of 3–4 crore patients.
“In my view, health data is more sensitive than financial data — now all the health data of our politicians treated at AIIMS is at risk of ending up on the dark web,” Bhatia told ThePrint.
“Anyone accessing it can see who is suffering from what and what medicines they use. Imagine a high-profile person had a hysterectomy at AIIMS — this is stuff that can be weaponised and used for blackmail,” Bhatia added.
But paying the ransom is no solution, “because there’s no guarantee that hackers will decrypt the data”, said Gulshan Rai.
“I don’t know how much NIC (National Informatics Centre, the government agency providing IT infrastructure and consultancy services to the government) could have done to stop the attack since the computers are operated by AIIMS,” Rai said. “But now NIC and AIIMS must sit together and start reviewing their processes, infrastructure, and responses to potential cyberattacks, because this cannot happen again.”
(Edited by Uttara Ramaswamy)