Ransomware attack: Cyber terrorism probe as AIIMS services paralysed

Emergency responders raced to restore the computer networks at the All India Institute of Medical Sciences, Delhi (AIIMS) and police opened an investigation for “cyber terrorism” on Thursday as the country’s foremost government hospital remained crippled following a cyber attack that knocked offline patient services such as appointment booking, billing and diagnostics reporting.

Also Read: Ransomware suspected as AIIMS servers go down, trigger long waits

The suspected ransomware attack has meant that the patients and doctors are unable to access records or test reports, even as experts flagged a potentially bigger problem if the hack also results in some of this data being accessed by the attacker.

“Various government agencies are investigating and supporting AIIMS in bringing back the digital patient care services. We hope to be able to restore the affected activities soon,” said an update issued by the administration.

The Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) cell filed an FIR invoking sections of cyber terrorism (IT Act, section 66F) against unknown persons, while teams of the governments information technology arm, National Informatics Centre (NIC) and Computer Emergency Response Team (CERT-In) attempted to restore the network.

“As of now, [we are] mirroring the cyber attack related content to identify the source. We are in the initial stage of the probe,” said a senior police officer, who did not want to be named.

According to the officer, the preliminary investigation has hinted that the cyber attack may have been perpetrated from outside India. “That is the reason why we have included cyber terrorism section of the IT Act in the FIR. We are working in close coordination with CERT-In.”

This is the first instances of a major Indian hospital – in this case, the country’s most prominent government hospital that also treats high-ranking officials -- being affected by ransomware. This sort of an attack involve a malware that locks access to files, impairing regular functioning.

“Remedial action is in progress… [systems are] likely to be restored today,” said Lieutenant General Rajesh Pant, the National Cyber Security Coordinator, on Thursday.

An official at AIIMS, aware of the matter and asking not to be named, said there was a risk of VIP and research data being affected.

Ransomware operators typically demand a payment -- hence, ransom -- to provide the key to decrypt the files. A common modus operandi for most ransomware operators is to threaten to leak the files to pressure their targets into paying up, which makes the AIIMS attack particularly concerning, experts said, since it involves medical records, some of the most private information about an individual.

Doctors at the hospital who saw some of the infected computers before they were taken over by IT reported seeing a demand for payment in cryptocurrency in exchange for a key that would decrypt the data.

Officials did not respond to requests to clarify whether any data was breached or how many patient records were on the servers in total but some doctors providing a rough estimate, said this could be in the millions.

Experts said once handled, there must be a disclosure of the extent of the attack. “Ransomware is a far bigger cyber security threat than any other cybercrime because of the association of the operators with nation states. Unlike a fee-for-decryption commercial operators, nation states have several strategic objectives, including espionage, leverage of health records of heads of government for psychological and health assessment, or for trade negotiations and power projection during low-resolution conflicts,” said Anand Venkatanaryanan, cybersecurity expert and co-founder of think tank DeepStrat.

“The lack of meaningful discussions on state-backed operators even after successful attacks on payment networks, power plants, nuclear plants and other critical infrastructure including Aadhaar is more of a feature than a bug in how the administration thinks about cyber security,” he added.

On November 9, a ransomware group with links to a Russian-speaking operator known as REvil began leaking medical records of Australian health insurance giant Medibank’s customers after the firm refused to pay a ransom

A “sample” of Medibank records outed on the dark web had details of 9.7 million people, including those treated for HIV, alcohol abuse and drug addiction.

According to people aware of the incident at AIIMS, the servers handling the databases – which store information such as patient files and lab reports – were found to be corrupted on Wednesday morning, and the problem seemed to have spread to the primary backup. Two technical response teams first analysed the issue on-site, and noted “that the infected server files had changed extensions, indicating possible ransomware attack,” said an incident report sent to the Union ministry of health and family welfare by AIIMS director Dr M Srinivas.

Srinavas’s update, sent on Wednesday and seen by HT, added that a second backup server seemed to have been untouched and efforts were being made to recover those files.

A second expert too raised crucial questions about the cybersecurity at AIIMS. Muktesh Chander, former director general of police (DGP), Goa, and the founder director National Critical Information Infrastructure Protection Centre (NCIIPC), said that India needs to take lessons from cyberattacks that have happened abroad to strengthen its cyber security. “The fact that even the backup was corrupted means we were not prepared for a disaster such as this. We need to roll out the national cyber security plan so that we are not left firefighting in such a situation but are prepared. There needs to be proper budgeting, enhancement of technology and we need to inculcate a culture of cyber safety so that we are not left to deal with such situations as they come,” Chander said.