
A ransomware attack has recently compromised India’s banking sector, affecting banks and payment providers. The attack has primarily targeted Brontoo Technology Solutions, a major partner of C-Edge Technologies Ltd, a collaboration between Tata Consultancy Services and State Bank of India.
Nearly 300 small Indian banks, which were forced to go offline due to the ransomware attack, were back online on Thursday, the National Payments Corporation of India said. The NPCI had temporarily isolated these banks from the country’s retail payments system to prevent the spread of the attack.
The initial breach occurred through a misconfigured Jenkins server at Brontoo Technology Solutions. Exploiting a known vulnerability (CVE-2024-23897), attackers read private SSH keys from the server and, because port 22 was exposed, used them to gain secure shell access.
The initial access was brokered by IntelBroker, a threat actor on breach forums, and sold to the RansomEXX group for further exploitation.
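A defender's first question after reading the paragraphs above is whether any Jenkins instance in their own estate is still exposed to CVE-2024-23897. The following script is an added example, not code from the article or from Jenkins: it reads the version a Jenkins server reports in its X-Jenkins response header and compares it against the fixed releases named in the Jenkins advisory for this CVE (weekly 2.442, LTS 2.426.3). The fixed-version constants and the helper names are this example's own assumptions, not values taken from the article.

```python
import re
import urllib.request
import urllib.error

# Fixed releases from the Jenkins security advisory for CVE-2024-23897.
# Assumption: maintained by hand here; they are not stated in the article.
FIXED_WEEKLY = (2, 442)      # weekly line: two components
FIXED_LTS = (2, 426, 3)      # LTS line: three components


def parse_version(text):
    """Turn an X-Jenkins header value such as '2.426.2' into an int tuple."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version):
    """True when the version is at or above the fixed release of its line.

    LTS releases carry three components (2.426.3), weekly releases two
    (2.442); a later LTS such as 2.440.1 compares above 2.426.3 and is fixed.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if len(v) >= 3:
        return v >= FIXED_LTS
    return v >= FIXED_WEEKLY


def assess(version):
    """Return a short verdict string for a reported version."""
    if is_patched(version):
        return f"{version}: not affected by CVE-2024-23897"
    # The advisory's stopgap until upgrade is disabling CLI access.
    return (f"{version}: VULNERABLE to CVE-2024-23897; upgrade to "
            f"{'.'.join(map(str, FIXED_WEEKLY))} / "
            f"LTS {'.'.join(map(str, FIXED_LTS))}, disable CLI access meanwhile")


def fetch_reported_version(base_url, timeout=5):
    """Read the X-Jenkins header from a server we are authorised to check.

    Jenkins sends the header even on a 403 for /login, so the error response
    is inspected too. Returns None when the header is absent.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/login",
                                 headers={"User-Agent": "jenkins-patch-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        return err.headers.get("X-Jenkins")


if __name__ == "__main__":
    # Offline demonstration with constructed header values.
    for sample in ("2.426.2", "2.426.3", "2.441", "2.442", "2.440.1"):
        print(assess(sample))
    # Against a live server you administer:
    # print(assess(fetch_reported_version("https://jenkins.internal.example")))
```

Run it against an inventory of Jenkins URLs you own; a None result from fetch_reported_version usually means a reverse proxy strips the header, and the version must then be read from the server itself.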
The ransomware group responsible for this attack is confirmed to be RansomEXX, operating a more sophisticated malware variant, RansomEXX v2.0. Initially known as Defray777, this group has evolved since 2018, rebranding to RansomEXX in 2020. The v2.0 variant reflects advancements in encryption, evasion tactics, and payload delivery.
RansomEXX v2.0 employs multiple infection vectors, including phishing and exploiting remote desktop protocol vulnerabilities and weaknesses in VPNs.
After gaining initial access, the group uses tools like Cobalt Strike and Mimikatz to move laterally within networks and escalate privileges. The ransomware encrypts files using robust algorithms such as RSA-2048 and AES-256, making recovery without the decryption key virtually impossible. Victims receive detailed ransom notes with payment instructions, usually demanding cryptocurrency.
The negotiations are currently ongoing with the ransomware group, and the stolen data has not yet been published on their PR website. Given RansomEXX’s history of high ransom demands, a similar approach is anticipated.
Indicators of Compromise
- 62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead
- 6962e408aa7cb3ce053f569415a8e168a4fb3ed6b61283c468f6ee5bbea75452
- 981e6f2584f5a4efa325babadcb0845528e8147f3e508c2a1d60ada65f87ce3c
- 98266835a238797f34d1a252e6af0f029c7823af757df10609f534c4f987e70f
- ad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3
- b6ed0a10e1808012902c1a911cf1e1b6aa4ad1965e535aebcb95643ef231e214
- b89742731932a116bd973e61628bbe4f5d7d92b53df3402e404f63003bac5104
- d931fe8da243e359e9e14f529eafe590b8c2dd1e76ca1ad833dd0f927648f88b
- ec2a22d92dd78e37a6705c8116251fabdae2afecb358b32be32da58008115f77
- f9c6dca22e336cf71ce4be540905b34b5a63a7d02eb9bbd8a40fc83e37154c22
- 09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468
- 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
- 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
- cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849
- 259670303d1951b6b11491ddf8b76cad804d7a65525eac08a5b6b4473b42818b
- 48301f37e92a9d5aa29710bda4eee034dd888a3edd79e2f74990300ffd8eb3b6
- 48460c9633d06cad3e3b41c87de04177d129906610c5bbdebc7507a211100e98
- 4b8103cd9fbb0efb472cbf39715becacf098f7ee44bf98f6672278e4e741542b
- 5c3569c166654eed781b9a2a563adec8e2047078fdcbafcdef712fabf2dd3f57
- 5ccf8c6bf9c39ccb54c5ebabd596a1335da522d70985840036e50e3c87079ab4
- 335d1c6a758fcce38d0341179e056a471ca84e8a5a9c9d6bf24b2fb85de651a5
- 452c219223549349f3b2c4fe25dfef583900f8dac7d652a4402cf003bf5ecf46
- hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com
- hxxps://iq3ahijcfeont3xx.tor2web.blutmagie.de
- hxxp://iq3ahijcfeont3xx.fenaow48fn42.com
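The list above is only useful once it is turned into something that can be run against hosts and logs. The script below is an added example, not part of the article: it parses an IoC block in the article's own format (dash-prefixed SHA-256 hashes and defanged hxxp/hxxps URLs), refangs the URLs into blockable hostnames, deduplicates repeated entries, hashes every file under a directory and reports matches, and flags proxy or DNS log lines that mention a listed host. The IOC_TEXT sample embeds a subset of the article's indicators; the log lines and the scanned files are constructed for the demonstration, and the function names are this example's own.

```python
import hashlib
import os
import re
from urllib.parse import urlsplit

# Subset of the article's indicators, in the article's own list format.
# Assumption: the remaining entries are pasted in the same way.
IOC_TEXT = """
- 62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead
- 6962e408aa7cb3ce053f569415a8e168a4fb3ed6b61283c468f6ee5bbea75452
- 981e6f2584f5a4efa325babadcb0845528e8147f3e508c2a1d60ada65f87ce3c
- hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com
- hxxps://iq3ahijcfeont3xx.tor2web.blutmagie.de
- hxxp://iq3ahijcfeont3xx.fenaow48fn42.com
- hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(url):
    """Undo the usual defanging so the URL can be parsed normally."""
    url = url.strip()
    url = re.sub(r"^hxxps://", "https://", url, flags=re.IGNORECASE)
    url = re.sub(r"^hxxp://", "http://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text):
    """Return (set of SHA-256 hashes, set of hostnames) from a dash list.

    Duplicate entries, like the repeated URL above, collapse into one.
    """
    hashes, hosts = set(), set()
    for raw in text.splitlines():
        item = raw.strip().lstrip("-").strip().lower()
        if not item:
            continue
        if SHA256_RE.match(item):
            hashes.add(item)
        elif item.startswith(("hxxp", "http")):
            host = urlsplit(refang(item)).hostname
            if host:
                hosts.add(host)
    return hashes, hosts


def sha256_file(path):
    """Stream a file through SHA-256 without loading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, hashes):
    """Walk root and return [(path, sha256)] for files on the IoC list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if h in hashes:
                hits.append((path, h))
    return hits


def match_log(lines, hosts):
    """Return log lines that reference any listed host (exact or subdomain)."""
    matched = []
    for line in lines:
        low = line.lower()
        if any(h in low for h in hosts):
            matched.append(line)
    return matched


if __name__ == "__main__":
    hashes, hosts = parse_iocs(IOC_TEXT)
    print(f"{len(hashes)} hashes, {len(hosts)} hosts")
    # Constructed proxy log lines for the demonstration.
    sample_log = [
        "2024-07-31T10:01:02 10.0.0.5 GET http://iq3ahijcfeont3xx.sm4i8smr3f43.com/ 200",
        "2024-07-31T10:01:03 10.0.0.7 GET https://updates.example.org/ 200",
    ]
    for hit in match_log(sample_log, hosts):
        print("log hit:", hit)
    for path, h in scan_directory(".", hashes):
        print("file hit:", path, h)
```

Feed match_log the proxy, DNS or firewall export for the window of interest and point scan_directory at the volumes you need to sweep; a file hit is a high-confidence match, while a log hit warrants checking which process on that client made the request.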