Ransomware attackers say AIIMS ‘deadline’ has ended | Latest News India - Hindustan Times

By, New Delhi
Dec 06, 2022 09:00 AM IST

The warning came from an email address known to authorities and is a part of the investigation, although HT could not independently verify whether the people replying from it were indeed behind the hack.

The All India Institute of Medical Sciences (AIIMS) Delhi has till the end of Monday to complete negotiations to regain access to its data, the purported group behind the cyberattack that hit its patient records told HT over email, adding that it has sought 30 bitcoins as ransom and that once the window closes, it will cut off communication.

India’s national cybersecurity coordinator, Lt Gen (retired) Rajesh Pant said no ransom money had been demanded. (HT file)

The email also suggested that the data, which includes the medical records of millions of people, possibly including government VIPs, would be leaked online.


“Today is the deadline, we will destroy this mail and AIIMS will lose all patient’s information permanently!!!” said an email on Monday morning after HT reached out to the address, with the sender not responding to requests to identify themselves or their affiliation.

The address is part of the police complaint, which includes sections of the law to investigate cases of cyber terrorism, and has been seen by HT.

The sender added: “But you can try [and] find patient’s information on the dark web!!!” and, in a follow-up email later in the evening, said that they had decided not to extend the Monday deadline.

The person who sent the reply did not respond to questions on whether anyone was negotiating on behalf of AIIMS.

A person aware of the investigation confirmed that the email address from which the response came was one of two addresses contained in the malware, but added that no attempt had been made by the government to negotiate and that no specific ransom amount had been sought.

India’s national cybersecurity coordinator, Lt Gen (retired) Rajesh Pant, too said no ransom money had been demanded. “There was a very serious cyberattack that affected AIIMS facilities, but by and large the system has been restored. However, there was never a ransom demand,” he said.

A bitcoin was worth a little under ₹14 lakh on Monday, according to cryptocurrency exchange Coinbase. The 30 bitcoin figure mentioned by the purported attackers in their email as the ransom sought thus translates to about ₹4.2 crore.

The cyberattack at AIIMS came to light on November 23 when staff were unable to log in to the eHospital application, an end-to-end tool that manages appointments, stores medical records and hosts reports from diagnostic tests carried out at the facility.

The attack led to multiple servers being compromised and databases being encrypted, with the possibility that the information on these servers was also accessed by the attackers, as is usual in ransomware attacks. The response from the entity now appears to strengthen that possibility.

People aware of the discussions in the AIIMS incident had indicated last week as well that they were not in favour of negotiations at all, since it could set a precedent.

Officials at AIIMS did not respond to requests for a comment on the state of the recovery operations but people aware of the matter, while asking not to be named, said the eHospital application could be restored early this week.

On November 29, a person aware of the matter said the eHospital application server — which essentially contains information to run the software — had been restored but the medical records could not be retrieved since the main database as well as the backup were hit.

Officials and experts have said in recent days that it is also highly likely that a nation state-linked attacker is involved, given the sensitive nature of the information that has been breached.

Ransomware attacks are among the most common cyberattacks today, with extortion as the primary motive and demands that often run into millions of dollars. When such an attack is not the work of an espionage-motivated adversary, the operators are usually organised, mafia-like gangs based in Eastern European countries, China and North Korea.

How these negotiations work varies by group, but they often follow a common flow: first the intrusion, then the encryption of files. At this point the attackers leave instructions telling the victim to contact an email address to regain access to their data.

For instance, one notorious ransomware gang, Maze, which has now disbanded, famously issued a press release in July 2020, saying it is the responsibility of the victims to open negotiations within three days of infection by sending an email.

“Generally, ransomware threat actors leave ransom notes on the affected company’s servers. Such notes include information about the ransom amount, deadline, and communication methods. If the victim fails to make payment timely, the gangs can delete the only private encryption key used for data decryption so that data recovery will be impossible,” said Feixiang He, adversary intelligence research lead at Group-IB, a global cybersecurity company headquartered in Singapore.

“Some threat actors are more patient in waiting for as long as they think the victim will eventually pay. We’ve seen cases when the ransomware gangs negotiated with the victims for up to three months,” He added, explaining how typical ransomware negotiations work.

But, the Group-IB researcher said, “more and more gangs, however, choose to increase their chances of getting paid quickly and threaten to publish the victim’s data on their dedicated leak sites”.
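The two quotes above describe what a ransom note carries (a contact channel, an amount, a deadline) and the added pressure of a leak threat; earlier in the piece, the contact address embedded in the malware is what tied the emails HT received to the investigation. The script below is an added example, written for this page and not code from the article or from Group-IB, of how an incident responder pulls those indicators out of notes collected from several hosts and checks which contact addresses recur across them. The two note texts and every address, wallet and .onion host in them are constructed placeholders, not the AIIMS note.

```python
"""Triage helper: extract negotiation indicators from ransom-note text.

Added example, not code from the original article or from Group-IB.  The
notes, email addresses, wallet and .onion host below are CONSTRUCTED
placeholders for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# Amounts written as "30 BTC", "0.5 bitcoins", etc.
BTC_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.IGNORECASE)
# Deadlines written as "3 days" or "72 hours".
DEADLINE_RE = re.compile(r"\b(\d+)\s*(hours?|days?)\b", re.IGNORECASE)
# Bitcoin addresses: bech32 ("bc1...") or base58 starting with 1 or 3.
BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
LEAK_WORDS = ("leak", "publish", "dark web", "darkweb", "sell")


@dataclass
class NoteIndicators:
    emails: List[str] = field(default_factory=list)
    onion_hosts: List[str] = field(default_factory=list)
    btc_amount: Optional[float] = None
    deadline_hours: Optional[int] = None
    wallet_addresses: List[str] = field(default_factory=list)
    threatens_leak: bool = False


def _dedupe(items: List[str]) -> List[str]:
    """Keep first occurrence of each value, case-insensitively."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def extract_indicators(note: str) -> NoteIndicators:
    """Pull contact channels, amount, deadline and leak threat out of one note."""
    ind = NoteIndicators()
    ind.emails = _dedupe(EMAIL_RE.findall(note))
    ind.onion_hosts = _dedupe(ONION_RE.findall(note))
    ind.wallet_addresses = _dedupe(BTC_ADDR_RE.findall(note))
    m = BTC_RE.search(note)
    if m:
        ind.btc_amount = float(m.group(1))
    m = DEADLINE_RE.search(note)
    if m:
        n = int(m.group(1))
        # Normalise days to hours so notes from different hosts compare directly.
        ind.deadline_hours = n * 24 if m.group(2).lower().startswith("day") else n
    low = note.lower()
    ind.threatens_leak = any(w in low for w in LEAK_WORDS)
    return ind


def shared_contacts(notes_by_host: Dict[str, str]) -> List[str]:
    """Contact addresses that appear in notes from more than one host;
    these are the strongest pivot for tying samples to one campaign."""
    counts: Dict[str, int] = {}
    for text in notes_by_host.values():
        for email in extract_indicators(text).emails:
            counts[email.lower()] = counts.get(email.lower(), 0) + 1
    return sorted(e for e, c in counts.items() if c > 1)


# Constructed sample notes (placeholders; not the AIIMS note).
SAMPLE_NOTE = """\
!!! YOUR FILES ARE ENCRYPTED !!!
All your databases and documents have been encrypted with a unique key.
To restore them, contact us within 3 days at:
   recovery-desk@example.com  or  recovery-desk@example.net
Price: 30 BTC. Send payment to bc1qexampleplaceholderaddress00000000
If you do not pay, your patient data will be published on the dark web.
Our portal: abcdefghijklmnopqrstuvwxyz234567.onion
"""

SECOND_NOTE = """\
Hello. Your network was compromised and your files are locked.
Write to recovery-desk@example.com or helpdesk-locker@example.com within 72 hours.
We will leak your documents otherwise. Price 0.5 bitcoins.
"""

if __name__ == "__main__":
    for host, text in {"host-a": SAMPLE_NOTE, "host-b": SECOND_NOTE}.items():
        print(host, extract_indicators(text))
    print("shared contacts:", shared_contacts({"host-a": SAMPLE_NOTE, "host-b": SECOND_NOTE}))
```

Run it over the notes collected from each affected host; the recurring contact address is the indicator to hand to investigators and to block at the mail gateway, while the normalised deadline and amount give the response team a single timeline to work against regardless of how each note phrases it.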

The company releases an annual ransomware assessment report. According to its latest study for the 2021-22 period, healthcare was the sixth most targeted industry for ransomware operators.

The company’s threat intelligence, He said, has observed some “AIIMS-related network access sales on underground markets since 2018, but it has not been established yet how the attackers gained their initial foothold within the network, and whether these sales are related to this incident”.

(With inputs from Karn Pratap Singh, Sunetra Choudhury and Soumya Pillai)

ABOUT THE AUTHOR

    Binayak reports on information security, privacy and scientific research in health and environment with explanatory pieces. He also edits the news sections of the newspaper.