COVID-19 impact: Indian firms see six-fold rise in ransomware attacks

Indian companies are seeing a six-fold increase in ransomware attacks and paying twice as much ransom to hackers for data recovery in the backdrop of novel coronavirus, or COVID-19, according to cybersecurity experts.

While hackers are driven by financial motives, increasing unemployment and rising demand for competitor data are key drivers, experts told Moneycontrol.

How does a ransomware attack work?
A hacker first targets the vulnerable point (in this case a system) in the company’s infrastructure and sends the ransomware, say Maze (a type of ransomware), to the system. This malware then scans the system for sensitive information, encrypts it and leaves a ransom note.

In recent times, the malware has become sophisticated, and in addition to encrypting data, it exfiltrates them (sending the data from the host system to the hacker’s) before demanding ransom. This is highly dangerous as the hackers can sell the same data later on the Dark Web even after you pay the ransom. If a company refuses to pay ransom, the data is made public.

Reports suggest that most companies were able to retrieve the data once the ransom was paid. However, there have also been instances where companies have not been able to retrieve them.

Indian landscape
Kumar Ritesh, founder, Cyfirma, a cyber intelligence firm, said that since March, Indian firms have been seeing a huge uptick in ransomware threats. “So if there were 100 attacks per month previously, it is now 600. We are also seeing high-profile individuals being targeted,” he added.

According to a report by Sophos, a cybersecurity firm, close to 82 percent Indian companies have been hit by ransomware in the last 12 months. The report added that, on an average, Indian firms will have to spend close to Rs 8 crore for rectifying the impact of an attack.

There has also been a huge spike in the ransom being demanded as well. Ritesh explained that there is a significant difference in the ransom demanded before and after the pandemic. “So during pre COVID-19 times, if the ransom started from $900 and went up to $40,000 for small to mid-tier firms, post the pandemic, the starting point itself is close to $50,00 and goes up multi-fold,” he explained.

The targets include small and medium companies to larger corporations, including IT firms and unicorns, which have huge volumes of data that can be monetised.

Why are we seeing so many attacks post the pandemic?
Remote working by lakhs of employees in a short period of time was one of the reasons.

Companies had to enable work from home (WFH) for employees in a huff, and, initially at least, there was no focus on security. Pankit Desai, co-founder and CEO, Sequretek, a cybersecurity firm, said the infrastructure was riddled with vulnerabilities since many employees were using personal systems with no adequate protection to handle sensitive company data.

The other reason is unemployment. With so many employees being laid off, some are resorting to making some quick bucks since access to such codes are easier on the Dark Web. Amateur hackers can access the code on the Dark Web, make modifications and target companies. Some companies are willing to buy this information to get a competitive edge.

These hackers are cheaper compared to elite ones and can be hired anywhere between $10 and $4,000 as opposed to $150 to $25,000 before the pandemic.

The geopolitical tension between India and China will not help the cause either. Moneycontrol earlier reported that Chinese hacking groups are targeting Indian firms in the telecom and pharma space in a bid to 'teach a lesson'.

Why do such incidents go unreported?Unlike the US or other developed countries, there is no mechanism in India for reporting cyberattacks. A case in point is the recent Maze ransomware attack on US-based Cognizant in April.

The company reported the attack within 24 hours. The company said it expects the impact on revenue and margin for the quarter-ending June 30 to be in the range of $50-70 million.

This disclosure came only because the company was US-based. “So even if large firms in India were attacked, we will not know since they are not legally bound to report it,” an expert said.

Industry watchers point out that it is high time India forced companies and individuals to disclose this information. This disclosure is necessary for multiple reasons. For one, this helps the community be aware and prepared for such attacks. In addition, the reporting mechanism enables you to take corrective action to fix the issue from the root rather than go for quick fixes.