The All India Institute of Medical Sciences recently fell prey to a crippling ransomware incident, resulting in a complete server outage. The AIIMS ransomware attack is still showing its ugly side effects as investigators continue scanning 11,500 systems of the medical institute to find the source of the ransomware, a senior government official reports to the press.
The main concern for the institute is further widespread damage by the ransomware spilling to other machines through data and files linked to the Internet. As for the physical servers, the ransomware has modified and encrypted the file extensions of ALL data residing on the AIIMS servers, which run on the Linux operating systems.
Investigators are determined to find the ransomware source since the institute cannot be safe until the entry point of the ransomware is discovered and patched up. This ensures that the ransomware doesn’t leave behind any backdoors for further damage.
The FIR filed by the Special Cell of Delhi Police states that the AIIMS ransomware attack is a highly targeted incident. One of the institute officials received 3 attachments from email users calling themselves “dog” and “mouse”, asking for a ransom amount that hasn’t been disclosed to the public. The hackers promised to send over the program and private key to AIIMS’s IT department upon successful payment. They also warned the medical institute not to use 3rd party decryption tools to retrieve their data, otherwise, it would result in permanent data loss.
The FIR further added that the Hospital Information System (HIS) of AIIMS, “e-Hospital”, provided and managed by the National Informatics Centre (NIC) was also affected by the ransomware, the last transaction recorded transaction was at 7:07AM, November 23. This increased the stakes since this system contains sensitive patient data, including line of treatment.
From another public statement issued by another government official, we come to know it’s possible that the ransomware originated from neighbouring countries, although the true source of the AIIMS ransomware is yet to be found.
“Even if it is a ranswomware attack, it is not the policy of the government to pay ransoms. Agencies are probing the incident and it [the HIS] will be restored soon,” said the official. At least NIC officials immediately pulled in CERT-IN on the case as soon as the ransomware was detected. With proper response tactics, even if the task of scanning 11,500 systems is mountainous, there is a chance AIIMS will recover from the ransomware threat.
