Ransomware Locks Indian Flood Monitors During Monsoon Season
State of Goa Blames Lack of Antivirus and Outdated Firewalls
A ransomware attack launched during peak rainy season against a flood monitoring system in India's southwestern coastal state of Goa is interfering with real-time water level monitoring.
The state agency also shifted blame to a third-party IT contractor based in Hyderabad, writing that the firm has been told to "block further damage and upgrade the system and recover the data at their own risk and cost." The ransomware gang demanded an undisclosed amount of Bitcoin cryptocurrency.
Information Security Media Group has been unable to get independent confirmation from the water department or a copy of the original complaint from the Goa cybercrime police. Neither organization responded to repeated inquiries even as the incident has been widely reported in Indian media. The Hyderabad vendor did not respond to a request for comment.
India's weather service reports "extremely heavy rainfall" affecting some parts of Goa today, advising residents to avoid areas vulnerable to landslides and saying that rivers may rise to dangerous levels. It anticipates heavy monsoon rains will continue into next week.
A local Goa source told ISMG that state authorities are embarrassed by the incident and are attempting to contain news coverage by not publicly discussing the ransomware attack.
Capturing flood monitoring data is crucial during monsoon season, a time when river and dam overflows are common in Goa and the rest of India. Forecasters also depend on historical data for mathematical models that predict river overflows.
Details from the complaint, filed on June 24, show that a ransomware gang encrypted a server housed in a data center near Goa's capital city, Panjim. The server contained data from 15 flood monitors located along major rivers as well as rain gauge and other weather data. Data from 12 of the monitors could not be transmitted, the complaint stated. Historical data was also affected.
"The integrity of the data has been altered, making it impossible to back up the previous data," wrote Sunil Karmarkar, a water resources department executive engineer.
Goa-based newspaper The Navhind Times reported today that state officials are activating an alternative server to collect new flood sensor data.
The complaint says files were encrypted with an ".eking" extension, a hallmark of the Eking ransomware variant belonging to the Phobos malware family. It pegs the timing of the incident to between midnight and 2 a.m. on June 21.
#Goa's flood monitoring system came under a cyber attack in June. The hackers managed to waltz into the server due to the lack of firewalls and antivirus. — Newton Sequeira (@NewtonSTOI) July 7, 2022
The data has been encrypted and the hackers want Bitcoins.
WRD has filed a complaint. pic.twitter.com/IsPrFTTMb7
Phobos Ransomware Behind the Attack?
While the Goa state government did not name the ransomware group in its police complaint, it did say the encrypted files carry the .eking file extension.
This encrypted file extension is known to be used by the Eking ransomware variant belonging to the Phobos ransomware family, according to a 2020 report from cybersecurity firm Fortinet. The Eking variant encrypts files with 256-bit AES and uses an asymmetric public/private key pair to protect the AES key.
Recent analysis of the Eking ransomware variant by PCRisk matches Fortinet's findings and corresponds to the Goa water department's statement in the complaint letter that the ransom demand was displayed through a pop-up window, info.hta, and also contained in an unencrypted text file.
Victims of Eking ransomware are offered free decryption of up to five files as a proof of concept, which can be sent to Eking's developers before paying for decryption, PCRisk's analysis says. It adds that currently there are no decryptors available for this ransomware variant and that "only Eking's developers have valid decryption tools."
The malware has several detection names assigned by various vendors and at the moment, 53 security vendors and two sandboxes flagged it as "malicious" on VirusTotal.
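As an added example, not from the article or the vendors it cites, here is a small Python triage helper a responder could run over a file listing from an affected server: it counts files carrying the .eking suffix named in the complaint, records which directories hold the info.hta pop-up note, and tallies what kinds of data were hit. The directory listing is constructed, and the helper assumes the malware simply appended its suffix to each original file name.

```python
import os
from collections import Counter, defaultdict

ENCRYPTED_SUFFIX = ".eking"       # extension cited in the Goa complaint
RANSOM_NOTE_NAMES = {"info.hta"}  # pop-up note named in the article

# Constructed listing resembling a flood-monitor data server after the attack.
SAMPLE_LISTING = [
    "/data/monitors/river01/levels_2022-06-20.csv.eking",
    "/data/monitors/river01/levels_2022-06-19.csv.eking",
    "/data/monitors/river01/info.hta",
    "/data/monitors/rain/gauge.db.eking",
    "/data/archive/2019/levels.csv",
    "/etc/hosts",
]

def original_extension(name):
    """Pre-encryption extension; assumes the suffix was simply appended (assumption)."""
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()

def triage_listing(paths):
    """Summarise encryption artifacts per directory and give an overall verdict."""
    per_dir = defaultdict(lambda: {"total": 0, "encrypted": 0, "notes": []})
    original_types = Counter()
    for path in paths:
        directory, name = os.path.split(path)
        entry = per_dir[directory]
        entry["total"] += 1
        lower = name.lower()
        if lower.endswith(ENCRYPTED_SUFFIX):
            entry["encrypted"] += 1
            original_types[original_extension(name)] += 1
        elif lower in RANSOM_NOTE_NAMES:
            entry["notes"].append(name)
    # Keep only directories that show an encrypted file or a ransom note.
    affected = {d: s for d, s in per_dir.items() if s["encrypted"] or s["notes"]}
    encrypted_files = sum(s["encrypted"] for s in affected.values())
    verdict = "encrypted" if encrypted_files else ("note-only" if affected else "clean")
    return {
        "affected_dirs": affected,
        "encrypted_files": encrypted_files,
        "original_types": dict(original_types),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Feeding it the output of a real directory walk or a backup catalog shows at a glance which data sets (here the CSV sensor logs and the gauge database) must be restored from the alternative server.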
Goa Cybercrime Police
Goa was among the first Indian states to establish a cybercrime cell, but its police force is not yet equipped to handle cybercrime.
The Goa cybercrime police unit reportedly lacks resources and manpower to solve cases. Most remain unsolved. According to a 2019 investigation by The Times of India, the unit received 99 valid reports since 2015 but managed to file charges in 10 cases.
With reporting by ISMG's Brian Pereira in Mumbai.