Polycab, Motilal Oswal, Bira91 among latest companies to be hit by ransomware attacks

Image: Shutterstock

India is one of the most attacked countries in cyberspace, and ransomware attacks are the biggest growing threat. In the last two weeks, multiple reports published by global cybersecurity companies point out that ransomware and malware attacks have surged in the country. Despite this, only a handful of organisations have a formal ransomware plan in place, with some of them even resorting to paying the ransom demands.

On March 17, Polycab India was targeted by LockBit, the most active global ransomware group. According to Polycab, the incident did not impact the core systems and operations of India’s largest wire and cable maker. “The technical team of the company along with a specialised team of external cybersecurity experts are working actively on analysing the incident,” it said in a filing with the stock exchanges. There was no mention of any ransom paid in the filing.

Similarly, prominent brokerage firm Motilal Oswal (MOSL), which has over 6 million clients, was attacked by the same ransomware group in mid-February. LockBit claimed the attack on its dark website. MOSL detected a cyber-incident in the form of some malicious activity on a few of the employees' computers. Their IT security team activated its cybersecurity incident response process to investigate, contain, and remediate the incident in an hour.

“This incident has not affected any of our business operations or IT environment. It is business as usual. We also proactively went ahead and reported this matter to relevant law enforcement and regulatory authorities immediately,” the company said in a formal statement.

Lockbit has hacked some of the world’s largest organisations recently. On February 19, Britain’s National Crime Agency, the US Federal Bureau of Investigation, Europol, and a coalition of international police agencies disrupted Lockbit’s operations by taking over its website. “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” a post on the ransomware group’s website said.

Shortly after, the notorious group was back to business after restoring its servers. According to reports, their new darkweb site showed a gallery of company names attached to a countdown clock, marking the deadline within which that company was required to pay ransom. In the past, the Russia-linked ransomware gang has claimed attacks on Taiwan chipmaker TSMC, Foxconn, and Accenture. In 2023, LockBit also attacked pharma company Granules India and India’s state-owned National Aerospace Laboratories.

On March 22, Indian craft beer brand Bira 91 was attacked by ransomware group BianLian. The group claims to have access to data ranging from finance, human resources, recipes and other trade secrets, data of Indian and international partners, customers, and vendors, SQL databases, and more. “The announcement appeared on the Data Leak Site (DLS) of BianLian. The leak is claimed to have about 2TB of data,” said Rakesh Krishnan, senior threat analyst at NetEnrich. There is no official statement from the company so far.

Earlier in March, the beer manufacturer raised $25 million (Rs 207 crore) in funding from Tiger Pacific Capital, an Asia-focused fund headquartered in New York and Hong Kong.

A recent report by cybersecurity company Palo Alto Networks indicated that the manufacturing sector in India was the most targeted industry for ransomware extortion in 2023. This can be potentially attributed to limited visibility into operational technology (OT) systems, inadequate network monitoring, and suboptimal cyber-hygiene implementation, explains Huzefa Motiwala, head of systems engineering at Palo Alto Networks India and SAARC.

Another challenge Indian businesses face is that their data is dynamic and may exist in many different locations, on-premise or in the cloud. “Securing it may depend on many different technologies, applications, and even third parties. This complexity further adds to a lack of a comprehensive plan, leaving gaps and loopholes for the ransomware attackers to exploit,” adds Motiwala.

Also Read: How insurance-linked securities can improve cyber-security in India

In 2023, median ransom demands increased from $650,000 to $695,000. But median payouts decreased from $350,000 to $237,500. According to the findings, this can be credited to organisations calling in incident response teams with negotiation capabilities, which fewer did in the past. Experts suggest that the other reason could be not receiving their data back even after paying a hefty ransom.

“Companies will only pay if their operations are unrecoverable without the data that's been encrypted. As a company, I strongly discourage paying ransomware groups as well. We cannot and should not create a thriving market for our own data,” says Yash Kadakia, founder of Security Brigade, an information technology security solutions provider.

There is only one motive for ransomware groups to target such companies: Purely financial. “If the victims are popular in the industry or country, it adds more spice to the threat actor's PR value, hence tampering with the victim's goodwill and even causing a dip in the share market,” explains threat analyst Krishnan.

The biggest challenge in India is that there are no disclosure laws. "If your data is hacked and sold, the company has no responsibility to tell you or help you protect yourself. This creates an environment where consumers are left completely blindsided by these breaches," adds Kadakia.

According to Pankit Desai, co-founder and CEO of cybersecurity firm Sequretek, things have changed in the last few months. The companies are supposed to report the incident to the Indian Computer Emergency Response Team (CERT-In) in six hours. If they fail to do so, they will be subject to penalties. “But a challenge that I see is in non-regulated industries like manufacturing and healthcare. The perception among these companies still remains that anonymity is their biggest defence against security because they’re small.”

Companies need a reason to invest in cybersecurity. Most startups see security as a speed break and will only focus on it once they are starting to raise larger rounds and investors ask for due diligence around cyber security, explains Kadakia. Every time the RBI, NPCI, IRDA, and SEBI put out new regulations related to cybersecurity, “we see a big surge in customer demand to comply with them. So as a country, we need to focus on a strong regulatory landscape around data protection, but more importantly, there has to be some significant consequence and accountability for such regulations.”