By Ashwani Mishra, Editor-Technology, 63SATS
India’s ransomware battlefield has grown increasingly perilous in 2024, with attackers wielding sophisticated strategies and targeting critical sectors.
In its annual ransomware report, the Indian Computer Emergency Response Team (CERT-In) has mapped a disturbing shift in cyberattack patterns—from brute-force intrusions to personalized extortion and fake ransomware ploys.
1. LockBit, RansomHub, and KillSec Dominate the Scene
The LockBit group maintained its grip as the most active ransomware actor. Its leaked source code has empowered a new wave of low-profile affiliates, expanding its threat radius. RansomHub emerged as another formidable player, especially adept at breaching virtualized environments such as data centers using VMware ESXi. This group’s connections with other ransomware-as-a-service (RaaS) actors hint at collaborative dark web ecosystems.
Perhaps the most chilling evolution is KillSec’s transformation from a hacktivist outfit to a ransomware entity. Exploiting cloud misconfigurations and IAM weaknesses, it bypasses ransom notes altogether—exfiltrating data and listing it directly for sale on the dark web.
2. Manufacturing, Finance, and IT/ITeS Under Fire
The Manufacturing sector bore the brunt of attacks in 2024, followed by Finance and IT/ITeS. Attackers are increasingly targeting public cloud infrastructure and exposed services such as Microsoft SQL (MS-SQL), Remote Desktop Protocol (RDP), and network-attached storage (NAS).
CERT-In’s proactive assessment revealed thousands of vulnerable VMware ESXi and MS-SQL servers in the wild. In response, advisories and tailored mitigation guidelines were issued to organizations at risk.
3. Living Off the Land: When Legitimate Tools Go Rogue
A notable rise was observed in the use of LOLBAS (Living off the Land Binaries and Scripts). Threat actors exploited PowerShell, Command Prompt, and batch scripts to blend malicious activity into normal IT operations. The abuse of tools like AnyDesk, Splashtop, and ScreenConnect for persistence made detection harder for security teams.
Even more concerning is the “Bring Your Own Vulnerable Driver” (BYOVD) technique—where attackers load a known-vulnerable driver onto the host and abuse it to disable antivirus and escalate privileges.
4. Attacks at the Virtualization Layer
VMware ESXi servers have become the Achilles’ heel of enterprise security. Lacking built-in antivirus or EDR support, they are often left unmonitored. Attackers exploited this blind spot to encrypt entire VM fleets through a single compromised hypervisor.
CERT-In noted frequent abuse of vCenter consoles, weak SSH access policies, and lack of log monitoring. Recommendations include centralizing ESXi logs, enforcing network segmentation, and limiting access to management interfaces.
5. Defense Evasion: Outsmarting EDR Tools
Threat groups are becoming adept at bypassing Endpoint Detection and Response (EDR) systems. Tools like EDRSilencer, AuKill, and Process Hacker were commonly deployed to mute or uninstall endpoint defenses. In some cases, ransomware was executed directly in memory without ever touching disk—thwarting conventional detection.
Organizations relying solely on security tools without robust log analysis and alert monitoring are particularly at risk. CERT-In warns against this “tool without vigilance” mindset.
6. BitLocker Abuse and System Lockouts
A surge in attacks using BitLocker, Windows’ native encryption tool, has emerged. Unlike file-level encryption, BitLocker locks entire drives, making recovery near-impossible without keys. After gaining RDP access, attackers executed BitLocker via PowerShell or manage-bde.exe, often forcing a shutdown to deepen the crisis.
Similarly, system lockout attacks were reported in which user credentials were changed and administrative access revoked. These tactics raise the ransom pressure by halting operations entirely.
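A defender-side correlation for the chain described above (RDP logon, BitLocker enabled from PowerShell or manage-bde.exe, then a forced shutdown), added here as an example that is not from the CERT-In report or this article. It assumes constructed Sysmon-style telemetry flattened to JSON lines, with an assumed logon_id field tying each process start to its logon event.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Turning BitLocker on (manage-bde -on / Enable-BitLocker) and a forced shutdown
# are legitimate admin commands, so session context, not the command, sets severity.
ENABLE_RE = re.compile(r"\bmanage-bde(\.exe)?\b.*\s-on\b|\bEnable-BitLocker\b", re.I)
SHUTDOWN_RE = re.compile(r"\bshutdown(\.exe)?\b.*\s/[sr]\b", re.I)
RDP_LOGON = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed JSON-lines telemetry (not CERT-In data); logon_id is an assumed field.
SAMPLE_LOG = r"""
{"ts":"2024-06-01T02:10:00","kind":"logon","logon_id":"0x5a1","logon_type":10,"user":"CORP\\svc_backup"}
{"ts":"2024-06-01T02:14:30","kind":"process","logon_id":"0x5a1","user":"CORP\\svc_backup","cmdline":"manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"}
{"ts":"2024-06-01T02:16:05","kind":"process","logon_id":"0x5a1","user":"CORP\\svc_backup","cmdline":"shutdown.exe /s /f /t 0"}
{"ts":"2024-06-01T09:00:00","kind":"logon","logon_id":"0x7c2","logon_type":2,"user":"CORP\\it_admin"}
{"ts":"2024-06-01T09:05:00","kind":"process","logon_id":"0x7c2","user":"CORP\\it_admin","cmdline":"powershell.exe -Command Enable-BitLocker -MountPoint C: -TpmProtector"}
{"ts":"2024-06-01T09:30:00","kind":"process","logon_id":"0x7c2","user":"CORP\\it_admin","cmdline":"manage-bde.exe -status"}
"""

def parse(log_text):
    """Parse JSON lines (blank lines skipped) and sort by timestamp."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=30)):
    """high = RDP session, BitLocker enabled, forced shutdown within window;
    medium = enabled from an RDP session; low = enabled elsewhere (review queue)."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["logon_id"]].append(ev)
    findings = []
    for logon_id, evs in sessions.items():
        procs = [e for e in evs if e["kind"] == "process"]
        via_rdp = any(e["kind"] == "logon" and e.get("logon_type") == RDP_LOGON for e in evs)
        enables = [e for e in procs if ENABLE_RE.search(e["cmdline"])]
        if not enables:
            continue
        first = enables[0]
        forced_off = any(SHUTDOWN_RE.search(e["cmdline"])
                         and first["ts"] <= e["ts"] <= first["ts"] + window for e in procs)
        severity = "high" if via_rdp and forced_off else "medium" if via_rdp else "low"
        findings.append({"logon_id": logon_id, "user": first["user"],
                         "severity": severity, "command": first["cmdline"]})
    return findings

FINDINGS = detect(parse(SAMPLE_LOG))  # [high for 0x5a1, low for 0x7c2]
```

In a real deployment the same logic keys on the logon ID from Windows event 4624 (logon type 10) and the process-creation events (Sysmon 1 or 4688) that share it.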
7. The Rise of Fake Ransomware Campaigns
Not every threat is real—but the consequences often are. CERT-In flagged cases where attackers fabricated claims of exfiltration using leaked or fake datasets. Victims were tricked into paying ransoms under the false belief that sensitive data was at stake.
These campaigns, often perpetrated by groups like Basche, highlight a psychological pivot in ransomware—leveraging fear, confusion, and reputational pressure as core weapons.
8. Personalized and Aggressive Extortion
Ransomware has gone personal. Beyond digital ransom notes, attackers are now sending targeted emails and making phone calls to company executives, IT staff, and even clients. In one disturbing trend, threat actors contacted regulatory bodies to pressure non-paying victims with compliance allegations.
CERT-In observed that incomplete remediation led to repeat attacks—sometimes by different groups exploiting the same vulnerabilities. Notably, RansomHub reappeared in many such recurring incidents.
9. Hacktivism Converges with Cybercrime
The fusion of hacktivism and ransomware is another striking trend. What started as digital protests is now a profit-oriented crime, often with ideological undertones. KillSec exemplifies this hybrid threat—running its own RaaS operation and collaborating with other threat groups.
Geopolitical tensions have turned cyberspace into a battleground where activism, crime, and nation-state agendas intersect.
CERT-In’s Call to Action
CERT-In emphasizes:
- Regular patching of public-facing assets
- Hardened access controls and IAM policies
- Monitoring of PowerShell, RDP, and cloud configurations
- Participation in threat platforms like Cyber Swachhta Kendra (CSK) and CERT-In Malware Threat Exchange (CMTX)
Ransomware in India has morphed from file encryption into a full-spectrum, extortion-driven cyber onslaught. The CERT-In 2024 report highlights the need for organizations to move beyond reactive defenses and embrace proactive, intelligence-led cybersecurity strategies.