Probing the cyberattack on servers at the All India Institute of Medical Sciences (AIIMS) in Delhi, the Indian Computer Emergency Response Team (CERT-In) has found that the AIIMS computer facility had implemented no measures to secure the network, that no policies were defined on its firewall or in its network, and that most of the switches were unmanaged.
CERT-In, the country's premier cybersecurity agency, has also found that all files and data on the infected AIIMS servers display the message, "free decryption as a guarantee, you can send us up to three free decrypted files before payment".
Delhi Police has registered an FIR under IPC Section 385 (putting a person in fear of injury in order to commit extortion) and Sections 66 and 66-F of the IT Act after receiving a complaint from one Naresh Kumar Yadav, an assistant security officer at AIIMS.
"Initial analysis by CERT-In has found that four servers — two application servers, one database server and one backup server — were infected," a source said. "A team of CERT-In found that the encryption was triggered from one of the Windows servers attached to the same network, but the files of this server were not encrypted."
Yadav told the police in his complaint that he received information from one Dr Pooja Gupta, professor in-charge, computer facility, AIIMS, of a ransomware attack on the premier institution's e-hospital servers on November 23. The FIR stated that after two encrypted mails, there was a message: "what happened, your files are encrypted, all files are protected by strong encryption with RSA-2048, there is no public decryption software, what is the price to repair, the price depends on how fast you can pay to us, after receiving money, we will send program and private keys to your IT department right now, do not attempt to decrypt your data after using third party software, this may result in permanent data loss, our program can repair all files in few minutes and all servers will work perfectly same as before, free decryption as guarantee, you can send us up to three free decrypted files before payment."
A source said that CERT-In found, after checking all AIIMS systems, that its computer facility had implemented no measures to secure the network, and that the institution had no policies defined on the available firewall. "Most of their switches were unmanaged," the source said. "All the infected servers were disconnected by a team of the National Informatics Centre (NIC) from the network and the internet to avoid spreading the contamination to other services."
The NIA has sent a team to AIIMS. Besides CERT-In and NIC teams, a team from the Defence Research and Development Organisation (DRDO) is also looking into the matter, sources said. Delhi Police, the Intelligence Bureau, CBI and Home Ministry are also probing the incident.
Initial investigation has also revealed that the attacker has two Proton Mail addresses — "dog2398" and "mouse63209" — which were identified from the headers of the encrypted files. "The breach in security has particularly affected the e-hospital application, which was provided and managed by NIC since 2011-12, stopping the online functioning of OPD, emergency and other patient care services in the AIIMS premises," a source said.
DCP (Cyber Crime Unit) Prashant Priya Gautam said: "The forensic images of impacted servers have been sent to the lab for analysis. Analysis is under process. AIIMS administration and other agencies are in the process of restoring the service. No ransom demand has been brought to notice."