Network Security & Management
Enrollment No: 23012250410341
Experiment: 01
Aim: Prepare a case study on Ransomware Attack on AIIMS Delhi (2022)
1. Introduction to the Attack
A ransomware attack is a type of cyberattack where malicious software (malware) infiltrates
a computer system, encrypts files or locks access to the system, and then demands a ransom
—usually in cryptocurrency—in exchange for restoring access. These attacks can paralyze an
organization’s operations by targeting critical digital infrastructure such as databases, email
servers, medical records, financial systems, or internal networks. Ransomware can spread
through phishing emails, malicious links, or by exploiting system vulnerabilities. Once
activated, it encrypts essential files and displays a ransom message demanding payment to
unlock them. These attacks are highly disruptive and can affect governments, healthcare
institutions, banks, schools, and private companies. The consequences may include financial
loss, operational downtime, data breaches, and reputational damage. Ransomware has
become one of the most common and dangerous forms of cybercrime in recent years,
highlighting the need for strong cybersecurity practices and quick incident response
mechanisms across all digital environments.
2. Types of Ransomware Attacks (Detailed)
The ransomware landscape is constantly evolving, with attackers developing increasingly
sophisticated methods. Here's a detailed look at various types:
Crypto Ransomware (File-Encrypting Ransomware): This is the most prevalent form.
o Mechanism: Upon infection, it scans the victim's system for specific file
types (documents, images, videos, databases, etc.) and encrypts them using
strong cryptographic algorithms. The original files are often deleted or
rendered unrecoverable without the key.
o Impact: The victim can see the encrypted files but cannot open or use them. A
ransom note, typically a text file or an image displayed on the desktop,
appears, demanding payment for the decryption key.
o Examples: WannaCry, CryptoLocker, Ryuk, Locky, Maze, Conti. The
encryption used is often so robust that decryption without the key is virtually
impossible, forcing victims to either pay or rely on backups.
Locker Ransomware (Screen-Locker Ransomware):
o Mechanism: Unlike crypto ransomware, locker ransomware doesn't encrypt
individual files. Instead, it locks the victim out of their entire computer system
or specific critical applications, preventing access to the desktop or essential
functions. A full-screen ransom demand is displayed, often impersonating law
enforcement agencies to intimidate victims into paying.
o Impact: While files are usually not encrypted, the user's ability to operate the
computer is severely hampered. Access is only restored if the ransom is paid
or if the malware can be successfully removed.
o Examples: Reveton (often disguised as police warnings).
Scareware:
o Mechanism: This type often masquerades as legitimate security software or
warning messages. It floods the user's screen with alarming pop-ups, claiming
the computer is heavily infected with viruses or malware, even if it's clean. It
then prompts the user to pay for a fake "fix" or to purchase rogue antivirus
software.
o Impact: Primarily designed to frighten users into parting with money for a
non-existent threat or useless software. While irritating, it typically doesn't
encrypt files or lock systems in the same way true ransomware does.
Leakware (Doxware):
o Mechanism: This form adds a significant dimension of threat. Attackers first
compromise a system and exfiltrate (steal) sensitive data – ranging from
intellectual property and financial records to personal identifiable information
(PII) and internal communications. After data exfiltration, they may or may
not encrypt the original files. The primary extortion leverage is the threat to
publicly release the stolen data on the dark web, to competitors, or to
regulatory bodies.
o Impact: This creates a "double extortion" scenario. Victims face not only the
potential loss of access to their data but also severe reputational damage,
regulatory fines (e.g., GDPR, HIPAA), legal liabilities, and loss of competitive
advantage if their sensitive information is exposed.
o Examples: Maze, Egregor, REvil (Sodinokibi).
Ransomware-as-a-Service (RaaS):
o Mechanism: RaaS is a business model in the cybercrime underground.
Ransomware developers create the malicious code and the infrastructure (like
payment portals, victim support, and distribution networks) and then lease or
sell access to it to "affiliates." These affiliates then conduct the actual attacks,
and a percentage of any successful ransom payments is shared with the RaaS
developer.
o Impact: This model significantly lowers the barrier to entry for aspiring
cybercriminals, as they don't need advanced technical skills to launch
sophisticated ransomware attacks. This has led to a dramatic increase in the
volume and frequency of ransomware incidents.
Double Extortion Ransomware (Specific Strategy): This is a strategy rather than a
distinct type of malware, often employed by Crypto and Leakware.
o Mechanism: As detailed above, it combines encrypting the victim's data with
stealing a copy of that data. The threat then becomes twofold: pay to decrypt
your files AND pay to prevent your stolen data from being leaked or sold.
o Impact: This maximizes the pressure on victims, making it more likely they
will pay the ransom, as the consequences of not paying are amplified.
3. Real-World Example: The AIIMS Delhi Ransomware Attack (November 2022)
The All India Institute of Medical Sciences (AIIMS) in New Delhi, India's premier public
medical research institution and hospital, became the victim of a devastating ransomware
attack that commenced on November 23, 2022. This incident served as a stark demonstration
of the severe vulnerabilities that can exist within critical national infrastructure.
Detailed Timeline and Impact:
November 23, 2022, 7:00 AM IST: The attack initiated, causing an immediate and
widespread outage of AIIMS's e-Hospital system and other critical digital services.
This included patient registration, admissions, billing, laboratory report generation,
and appointment scheduling systems.
Immediate Operational Chaos (Days 1-7): The digital paralysis forced AIIMS to
revert to an entirely manual, paper-based system. This led to:
o Massive Queues: Patients, many of whom travel from remote areas, faced
incredibly long queues for basic services.
o Delayed/Cancelled Care: Thousands of appointments were cancelled or
postponed. Emergency services were severely hampered as doctors lost
immediate access to patient histories, diagnoses, and current medical records.
This directly impacted patient safety and quality of care.
o Manual Processes: Staff struggled with manual record-keeping, prescription
writing, and report handling, drastically slowing down operations and
increasing the risk of human error.
o Inaccessible VIP Data: The system held sensitive health records of millions of
patients, including high-profile individuals like former Prime Ministers,
ministers, bureaucrats, and judges, raising significant national security
concerns.
Discovery and Initial Response: National Informatics Centre (NIC) teams working at
AIIMS quickly identified the issue as a ransomware attack. Delhi Police's Intelligence
Fusion and Strategic Operations (IFSO) unit registered a case under sections of
extortion and cyberterrorism on November 25, 2022.
Technical Details and Vulnerabilities:
o Malware Identified: Reports indicated the presence of WannaCry, Mimikatz,
and a Trojan on the compromised servers. While WannaCry is an older
ransomware, its presence suggests persistent unpatched vulnerabilities.
Mimikatz is a post-exploitation tool used to extract credentials, indicating
potential lateral movement within the network. The Trojan likely served as the
initial entry point or a persistent backdoor.
o Targeted Systems: The attack reportedly compromised 5 physical servers (out
of approximately 40 physical and 100 virtual servers), including two
application servers, one database server, and crucially, one backup server. This
direct impact on backups significantly complicated recovery.
o File Encryption: Encrypted files were given a .bak9 extension, one not previously
associated with a known family, which suggested a new variant and a fresh wave of encryption.
o Estimated Data Compromise: Initial estimates suggested around 3-4 crore (30-
40 million) patient records could have been compromised, including sensitive
PII.
o Alleged Ransom Demand: While officially denied by Delhi Police, media
reports widely claimed a ransom demand of ₹200 crore (approximately $24
million USD) in cryptocurrency. The Indian government maintained its policy
of not paying ransoms.
o Root Cause Analysis (CERT-In Findings): Preliminary investigations by
CERT-In pointed to a deeply flawed IT infrastructure:
- Unorganized Network: An "unorganised ICT network without centralised monitoring or
system administration" was identified, indicating a lack of structured cybersecurity
governance.
- Outdated Systems: AIIMS was reportedly operating on outdated equipment, legacy
software, and an obsolete version of Windows (likely Windows 7, given the WannaCry
presence). This created a fertile ground for known vulnerabilities to be exploited.
- Lack of Segmentation: Poor or non-existent network segmentation allowed the
ransomware to spread rapidly across the network from a single point of compromise,
affecting numerous critical systems.
- Weak Password Policies: Reports also suggested that the attackers might have
exploited "easy passwords," allowing them to bypass initial security layers.
Recovery Challenges and Progress (Weeks 2-4):
o Manual Sanitization: Recovery was a painstaking manual process. IT teams
had to individually sanitize and scan thousands of computers and servers for
malware.
o Data Restoration: Fortunately, some offline backups were eventually
identified and used to restore most of the lost data, though this was a slow
process due to the sheer volume of data (estimated 1.3 terabytes encrypted).
o Gradual Service Restoration: By December 6, 2022, AIIMS confirmed that
trial runs of the e-Hospital server were successful, and most lost data had been
retrieved. However, full normalcy took several more weeks.
o Government Intervention: Multiple agencies, including Delhi Police, CERT-
In, Ministry of Home Affairs (MHA), Forensic Science Laboratory (FSL), and
the National Investigation Agency (NIA), were involved in the investigation
and recovery efforts. The incident prompted the formulation of India's new
National Cybersecurity Response Framework (NCRF).
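The technical details above give a concrete endpoint-side indicator: encrypted files appearing under an unfamiliar extension (.bak9) across many machines at once. The following Python script is an added example, not code from this report or from AIIMS, NIC or CERT-In. It flags files whose extension is outside a locally maintained allow-list (KNOWN_EXTENSIONS is an assumed list for the example) and whose first 4 KiB are near-random, as ciphertext is, and reports a burst when several such files turn up in one pass. All sample files are constructed in a temporary directory.

```python
"""Added example: heuristic scanner for a ransomware-style mass-encryption event.
Not code from the report or from any agency named in it; sample data is constructed."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumption for the example: extensions that normally live on the file share.
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".csv", ".txt", ".jpg", ".png", ".sql", ".bak"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit well below this
BURST_THRESHOLD = 5      # this many flagged files in one pass is treated as a burst


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, up to 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(path: Path) -> bool:
    """Unknown extension AND high-entropy content; either signal alone is not enough."""
    if path.suffix.lower() in KNOWN_EXTENSIONS:
        return False
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(root: Path) -> dict:
    """Walk the tree once and summarise what was flagged."""
    flagged = [p for p in root.rglob("*") if p.is_file() and is_suspicious(p)]
    return {
        "flagged": sorted(str(p.relative_to(root)) for p in flagged),
        "extensions": dict(Counter(p.suffix.lower() for p in flagged)),
        "burst": len(flagged) >= BURST_THRESHOLD,
    }


def pseudo_random(size: int, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def build_sample_share() -> Path:
    """Constructed share: normal records, one benign unknown extension, six encrypted files."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    opd = root / "opd"
    opd.mkdir()
    for i in range(3):
        (opd / f"registration_{i}.txt").write_text("Patient registration record, OPD counter 4\n" * 20)
    # Unknown extension but ordinary text: must NOT be flagged (edge case).
    (opd / "handover.md").write_text("Shift handover notes for ward 7\n" * 10)
    for i in range(6):
        (opd / f"lab_report_{i}.xlsx.bak9").write_bytes(pseudo_random(4096, seed=str(i).encode()))
    return root


if __name__ == "__main__":
    print(scan(build_sample_share()))
```

Entropy on its own would also flag compressed archives and images, which is why it is combined with the extension allow-list; a deployed control would additionally watch rename and write rates per host rather than scan once, and would isolate the host from the network segment when a burst is seen.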
4. Prevention Strategies
Preventing ransomware attacks requires a multi-layered cybersecurity approach that
combines technology, policy, and human awareness. One of the most important measures is
to regularly update and patch all operating systems and software to close known
vulnerabilities that attackers can exploit. Organizations should also implement strong
password policies, enforce multi-factor authentication (MFA), and limit user privileges to
reduce the risk of unauthorized access. Frequent data backups, stored in secure offline or
cloud environments, are critical to ensure that essential data can be restored without paying a
ransom. It is equally important to conduct cybersecurity awareness training for all employees,
enabling them to recognize phishing emails, suspicious links, and other social engineering
tactics often used to initiate ransomware attacks. Installing advanced antivirus and endpoint
protection software, along with network segmentation, can help detect and isolate threats
before they spread. Organizations should adopt a Zero Trust security model, where no user or
device is trusted by default, even if inside the network. Finally, having a well-tested incident
response plan, including protocols for data recovery and communication, ensures a faster and
more organized reaction in the event of an attack. Together, these strategies significantly
reduce the chances of a successful ransomware breach and limit its impact if one occurs.
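Section 3 notes that one of the compromised servers was a backup server and that recovery depended on offline backups that were eventually located. The script below is an added example, not code from this report or from AIIMS, NIC or CERT-In; it shows the integrity check a practitioner would pair with the offline backups recommended above: a SHA-256 manifest written when the backup is taken and verified against the copy about to be restored, so a backup that was itself encrypted, altered or partly deleted is caught before it is trusted. File names and contents are constructed for the example.

```python
"""Added example: integrity manifest for an offline backup set.
Not code from the report or from any agency named in it; all files are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy with its manifest; anything outside 'ok' blocks the restore."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore_allowed(report: dict) -> bool:
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: take a backup and manifest, then tamper with the online copy."""
    base = Path(tempfile.mkdtemp(prefix="backup_"))
    src = base / "ehospital"
    (src / "db").mkdir(parents=True)
    (src / "db" / "patients.sql").write_text("-- constructed sample dump\nINSERT INTO patients VALUES (1, 'X');\n")
    (src / "db" / "appointments.sql").write_text("INSERT INTO appointments VALUES (1, 1, '2022-11-22');\n")
    (src / "config.ini").write_text("[ehospital]\nmode=prod\n")

    manifest = build_manifest(src)
    offline = base / "offline_copy"
    shutil.copytree(src, offline)  # the copy kept disconnected from the network
    (base / "manifest.json").write_text(json.dumps(manifest, indent=1))

    # Simulate damage on the online backup server: one file overwritten with
    # ciphertext-like bytes, one deleted, and an encrypted artefact left behind.
    (src / "db" / "patients.sql").write_bytes(hashlib.sha256(b"x").digest() * 8)
    (src / "config.ini").unlink()
    (src / "db" / "appointments.sql.bak9").write_bytes(b"\x00" * 64)

    saved = json.loads((base / "manifest.json").read_text())
    return verify_backup(src, saved), verify_backup(offline, saved)


if __name__ == "__main__":
    online_report, offline_report = demo()
    print("online copy restore allowed:", restore_allowed(online_report), online_report)
    print("offline copy restore allowed:", restore_allowed(offline_report))
```

The manifest must be stored with the offline copy (or on write-once media), not beside the online backup, since an attacker who can encrypt the backup server can also rewrite a manifest kept there; the 3-2-1 rule of three copies on two media with one offline is what makes this check meaningful.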
5. Conclusion
Ransomware has emerged as one of the most serious cybersecurity threats facing
organizations today, especially those that manage critical public services and sensitive
personal data. The increasing frequency and sophistication of such attacks highlight the
urgent need for comprehensive cyber defense strategies. High-profile incidents, such as the
ransomware attack on AIIMS Delhi, demonstrate how a single breach can paralyze an entire
institution, disrupt essential operations, compromise patient safety, and erode public trust.
The consequences go far beyond financial loss, often including reputational damage and
long-term operational setbacks. As digital systems continue to expand across sectors,
especially in healthcare, education, and governance, it becomes imperative to invest in strong
cybersecurity infrastructure, regular employee training, system hardening, and policy
enforcement. Prevention, preparedness, and quick response are the pillars of effective
ransomware defense. By adopting a proactive and resilient approach to cybersecurity,
institutions can protect their systems, safeguard data, and maintain continuity even in the face
of evolving cyber threats.