Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

Aug. 20, 2024, 8:56 a.m.

Description

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics like phishing, exploiting vulnerabilities, and using legitimate tools for lateral movement. The group exfiltrates data before encryption for double extortion and demands significant ransom payments, often negotiating based on the victim's perceived ability to pay. The attack highlights supply chain vulnerabilities and the need for robust cybersecurity practices across critical vendors and ecosystems.

External References

https://www.cloudsek.com/blog/major-payment-disruption-ransomware-strikes-indian-banking-infrastructure
https://otx.alienvault.com/pulse/66c4555e556813d00bc88ab4
Tags
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897

Date

  • Created: Aug. 20, 2024, 8:35 a.m.
  • Published: Aug. 20, 2024, 8:35 a.m.
  • Modified: Aug. 20, 2024, 8:56 a.m.

Indicators

  • b89742731932a116bd973e61628bbe4f5d7d92b53df3402e404f63003bac5104
  • ec2a22d92dd78e37a6705c8116251fabdae2afecb358b32be32da58008115f77
  • ad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3
  • 981e6f2584f5a4efa325babadcb0845528e8147f3e508c2a1d60ada65f87ce3c
  • 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
  • 62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead
  • 48460c9633d06cad3e3b41c87de04177d129906610c5bbdebc7507a211100e98
  • 5c3569c166654eed781b9a2a563adec8e2047078fdcbafcdef712fabf2dd3f57
  • 335d1c6a758fcce38d0341179e056a471ca84e8a5a9c9d6bf24b2fb85de651a5
  • 09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468
  • 259670303d1951b6b11491ddf8b76cad804d7a65525eac08a5b6b4473b42818b
  • http://iq3ahijcfeont3xx.sm4i8smr3f43.com
  • https://iq3ahijcfeont3xx.tor2web.blutmagie.de
  • http://iq3ahijcfeont3xx.fenaow48fn42.com
  • iq3ahijcfeont3xx.tor2web.blutmagie.de
  • iq3ahijcfeont3xx.sm4i8smr3f43.com
  • iq3ahijcfeont3xx.fenaow48fn42.com
  • rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
Download all indicators here!

Attack Patterns

  • RansomEXX
  • RansomEXX

Additional Informations

  • Finance
  • British Indian Ocean Territory
  • India

Linked vulnerabilities

CVE-2024-23897

None
Published: