Ransomware Locks Indian Flood Monitors During Monsoon Season

State of Goa Blames Lack of Antivirus and Outdated Firewalls
Ransomware Locks Indian Flood Monitors During Monsoon Season
Image: Shutterstock

A ransomware attack launched during peak rainy season against a flood monitoring system in India's southwestern coastal state of Goa is interfering with real-time water level monitoring.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The Goa Department of Water Resources fingered a lack of antivirus software and outdated firewalls on an internet-facing server in a police complaint first reported by The Times of India.

The state agency also shifted blame to a third-party IT contractor based in Hyderabad, writing that the firm has been told to "block further damage and upgrade the system and recover the data at their own risk and cost." The ransomware gang demanded an undisclosed amount of Bitcoin cryptocurrency.

Information Security Media Group has been unable to get independent confirmation from the water department or a copy of the original complaint from the Goa cybercrime police. Neither organization responded to repeated inquiries even as the incident has been widely reported in Indian media. The Hyderabad vendor did not respond to a request for comment.

India's weather service reports "extremely heavy rainfall" affecting some parts of Goa today, advising residents to avoid areas vulnerable to landslides and saying that rivers may rise to dangerous levels. It anticipates heavy monsoon rains will continue into next week.

A local Goa source told ISMG that state authorities are embarrassed by the incident and are attempting to contain news coverage by not publicly discussing the ransomware attack.

Capturing flood monitoring data is crucial during monsoon season, a time when river and dam overflows are common in Goa and the rest of India. Forecasters also depend on historical data for mathematical models that predict river overflows.

Details from the complaint, filed on June 24, show that a ransomware gang encrypted a server housed in a data center near Goa's capital city, Panjim. The server contained data from 15 flood monitors located along major rivers as well as rain gauge and other weather data. Data from 12 of the monitors could not be transmitted, the complaint stated. Historical data was also affected.

"The integrity of the data has been altered, making it impossible to back up the previous data," wrote Sunil Karmarkar, a water resources department executive engineer.

Goa-based newspaper The Navhind Times reported today that state officials are activating an alternative server to collect new flood sensor data.

The complaint says files were encrypted with an ".eking" extension, a trademark of a ransomware variant belonging to the Phobos malware group. It pegs the timing of the incident to between midnight and 2 a.m. on June 21.

Phobos Ransomware Behind the Attack?

While the Goa state government did not name the ransomware group in its police complaint, it did say the encrypted files contain the .eking file extension.

This encrypted file extension is known to be used by the Eking ransomware variant belonging to the Phobos ransomware family, according to a 2020 report from cybersecurity firm Fortinet. The Eking variant uses a 256-bit advanced encryption standard for encrypting files and is supported by an asymmetric public-private key cryptosystem to protect the AES key.

Recent analysis of the Eking ransomware variant by PCRisk shares similar details to Fortinet and corresponds to the Goa water department's comments in the complaint letter that the ransom demand was displayed through a pop-up window info.hta and also contained in an unencrypted text file info.txt.

Screenshot showing .eking encrypted file and ransom note pop-up and text file (Source: PCRisk)

Victims of Eking ransomware are offered free decryption of up to five files as a proof of concept, which can be sent to Eking's developers before paying for decryption, PCRisk's analysis says. It adds that currently there are no decryptors available for this ransomware variant and that "only Eking's developers have valid decryption tools."

The malware has several detection names assigned by various vendors and at the moment, 53 security vendors and two sandboxes flagged it as "malicious" on VirusTotal.

Goa Cybercrime Police

Goa was among the first Indian states to establish a cybercrime cell, but its police force is not yet equipped to handle cybercrime.

The Goa cybercrime police unit reportedly lacks resources and manpower to solve cases. Most remain unsolved. According to a 2019 investigation by The Times of India, the unit received 99 valid reports since 2015 but managed to file charges in 10 cases.

With reporting by ISMG's Brian Pereira in Mumbai.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.