RansomEXX ransomware disrupts India's banking services
The RansomEXX ransomware group has launched a significant cyberattack on India's banking sector, disrupting the services of numerous banks and payment providers. CloudSEK's threat research team has been closely examining the attack, which primarily affected Brontoo Technology Solutions—a major partner with C-EDGE, a joint venture between Tata Consultancy Services (TCS) and the State Bank of India (SBI).
According to media reports, customers of approximately 300 small lenders across India have been unable to access services such as cash withdrawals at ATMs and Unified Payments Interface (UPI) transactions. This disruption highlights the substantial impact of the attack on the country's financial infrastructure.
CloudSEK has published a report detailing the attack chain. The attack reportedly began with a misconfigured, internet-reachable Jenkins server that was exploited through CVE-2024-23897, an arbitrary file read vulnerability in the Jenkins command-line interface (CLI): the CLI's argument parser expanded an `@` character followed by a file path into that file's contents, letting an unauthenticated caller read files on the controller, including secrets. According to the report, the attackers used this foothold to obtain secure shell (SSH) access on port 22 and move on from there. The report underscores the severity of supply chain risk and the need for robust security controls throughout the financial ecosystem.
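One check a defender would want from the paragraph above is a quick triage of whether a Jenkins controller is still in the version range affected by CVE-2024-23897 (fixed in Jenkins weekly 2.442 and LTS 2.426.3). The script below is an added example, not CloudSEK's tooling or Jenkins project code; it parses the `X-Jenkins` header that Jenkins includes in its HTTP responses and compares the version against the two fix lines. The raw HTTP response head and the `assess()` helper are constructed for illustration.

```python
"""Triage helper for CVE-2024-23897 (arbitrary file read via the Jenkins CLI).

Fixed releases: Jenkins weekly 2.442 and LTS 2.426.3. Every earlier release in
each line is affected. LTS versions carry three components (2.426.2), weekly
releases two (2.441), so the two lines are compared separately.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)

# Constructed sample of a raw HTTP response head from a Jenkins controller.
SAMPLE_HEADERS = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Jetty(10.0.18)\r\n"
    "X-Jenkins: 2.426.2\r\n"
    "X-Hudson: 1.395\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)


def parse_version(value: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.426.2' or '2.441' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if len(parsed) == 3:          # LTS line, e.g. 2.426.2
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY  # weekly line, e.g. 2.441


def version_from_headers(raw_head: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response head."""
    for line in raw_head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_head: str) -> Dict[str, object]:
    """Hypothetical helper tying the two steps together for a single response."""
    version = version_from_headers(raw_head)
    affected = is_affected(version) if version is not None else None
    return {"version": version, "affected": affected}


if __name__ == "__main__":
    # Expected output: {'version': '2.426.2', 'affected': True}
    print(assess(SAMPLE_HEADERS))
```

A version check only says whether the bug is present; it does not tell you whether the CLI endpoint is reachable from the attacker's position. The Jenkins advisory's stated workaround for instances that cannot be updated immediately is to disable access to the CLI, so pair this check with a test of whether `/cli` answers anonymous requests.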
"RansomEXX," also known as Defray777 before its rebranding, is not new to the cybersecurity landscape. The group emerged in 2018 and has since evolved its techniques. The latest variant, RansomEXX v2.0, represents an advanced version of the ransomware developed in response to improved security measures in large organisations.
The attackers initially gained access through common vectors such as phishing emails, exposed or weakly protected Remote Desktop Protocol (RDP) services, and weaknesses in VPNs and other remote access services. Once inside the network, they used offensive tooling such as Cobalt Strike and Mimikatz, together with legitimate administrative tools, for lateral movement, and relied on known exploits and stolen credentials to escalate privileges within the compromised environment.
RansomEXX v2.0 uses strong encryption, RSA-2048 and AES-256, so file recovery is infeasible without the attackers' private key. Critical files and backups are targeted for encryption, and data exfiltration usually precedes encryption as part of a double extortion strategy. Victims typically receive detailed ransom notes with instructions for payment in cryptocurrencies such as Bitcoin.
Government agencies, healthcare providers, and multinational corporations are among the high-profile victims of RansomEXX. These attacks have resulted in significant operational disruptions, data breaches, and financial losses, with some victims opting to pay the ransom to swiftly restore operations. The group is known to engage in negotiations, sometimes reducing ransom demands based on the victim's ability to pay.
Recent developments indicate that RansomEXX v2.0 continues to adapt, employing new techniques to bypass security measures. Among these is the use of stolen digital certificates to sign malware, which increases trust and reduces detection rates. Evidence suggests collaboration with other cybercriminal groups, sharing tools and infrastructure to strengthen their operations.
CloudSEK has committed to providing continual updates and recommendations as the investigation progresses. Organisations are advised to fortify their security postures by regularly updating and patching systems, particularly internet-facing build and deployment infrastructure such as Jenkins servers, and to disable or restrict access to the Jenkins CLI where it is not required.