A significant ransomware attack has recently compromised India's banking sector, affecting banks and payment providers. The attack has primarily targeted Brontoo Technology Solutions, a major partner of C-Edge Technologies Ltd, a collaboration between Tata Consultancy Services and State Bank of India.
According to a new advisory published by CloudSek today, the initial breach occurred through a misconfigured Jenkins server at Brontoo Technology Solutions. Exploiting a known vulnerability (CVE-2024-23897), attackers gained secure shell access by reading private keys due to an open port 22.
CloudSEK suspects, with moderate certainty, that initial access was brokered by IntelBroker, a threat actor on breach forums, and sold to the RansomEXX group for further exploitation.
Regardless of initial access, however, the ransomware group responsible for this attack is confirmed to be RansomEXX, operating a more sophisticated malware variant, RansomEXX v2.0. Initially known as Defray777, this group has evolved since 2018, rebranding to RansomEXX in 2020. The v2.0 variant reflects advancements in encryption, evasion tactics and payload delivery.
RansomEXX v2.0 employs multiple infection vectors, including phishing and exploiting remote desktop protocol vulnerabilities and weaknesses in VPNs.
After gaining initial access, the group uses tools like Cobalt Strike and Mimikatz to move laterally within networks and escalate privileges. The ransomware encrypts files using robust algorithms such as RSA-2048 and AES-256, making recovery without the decryption key virtually impossible. Victims receive detailed ransom notes with payment instructions, usually demanding cryptocurrency.
CloudSEK warned the attack highlights a critical vulnerability in supply chain security.
“Large organizations with substantial security budgets are more challenging to breach, prompting attackers to exploit the path of least resistance,” the company wrote. “Consequently, supply chain attacks have become increasingly prevalent.”
The company also said that negotiations are currently ongoing with the ransomware group, and the stolen data has not yet been published on their PR website. Given RansomEXX’s history of high ransom demands, a similar approach is anticipated.
Image credit: Harshit Srivastava S3 / Shutterstock.com