The National Payments Corporation of India (NPCI) has put out a notice that UPI, IMPS and other payment systems of certain banks will temporarily not be available to customers. This happened because the systems of C-Edge Technologies, a service provider to several banks, were hit by a ransomware attack.
“To prevent larger impact to the payment ecosystem, NPCI has temporarily isolated C-Edge Technologies from accessing the retail payment systems operated by NPCI. Customers of banks serviced by C-Edge will not be able to access payment systems during the period of isolation,” said NPCI in a notice on social media dated July 31, 2024 at 6.39 pm.
Which banks are affected by the suspension of payment systems by NPCI
According to NPCI’s notice, C-Edge Technologies Limited is a technology service provider mostly catering to cooperative and regional rural banks. “It has been brought to NPCI’s notice that C-Edge Technologies, a technology service provider who caters mostly to cooperative and regional rural banks, has been possibly impacted by a Ransomware attack impacting a few of their systems,” said NPCI in the notice.
According to a report by the Economic Times which quoted PTI, Chairman of the National Cooperative Union of India Dileep Sanghani said online transactions of at least 17 district cooperative banks in Gujarat, including the Amreli District Central Cooperative Bank (DCCB), were affected due to the issue in ‘C-Edge’ software.
“Restoration work is underway on a war-footing along with C-Edge Technologies and necessary security review is in process. Connectivity to the affected banks shall be restored at the earliest,” said NPCI in the notice.
“Banking customers don’t need to be worried about such attacks. The Indian banking industry and system are robust and highly efficient. Today, banks have the required checks and security systems in place to ensure that their customers’ assets and data are taken care of. As we have seen in this case as well, the measures were taken on time by the banks, the regulatory bodies managed to act swiftly and take the required measures to minimise the effects of the attack,” says Vishal Maru, Head – Global Processing, FSS. According to C-Edge Technologies’ website, the company is a joint venture between Tata Consultancy Services (TCS) and State Bank of India (SBI). (https://cedge.in/about-us/)
Source: NPCI on X (formerly Twitter)
According to an Economic Times article, NPCI was informed about the ransomware attack on July 26. “The restoration will happen today, it was a cautious move so that the rest of the payment system remains isolated from the fallout of the malware attack,” one of the persons cited in the article said. “C-Edge is also in the process of hiring a forensic auditor to investigate the matter.”
Update as of August 1, 2024
In a press release dated August 1, 2024, NPCI said, “NPCI connectivity with C-Edge Technologies Ltd. has been re-established following security review by an independent forensic auditing firm. Investigation confirms that the impacted systems have been isolated by C-Edge to contain potential spread of the ransomware. Further, necessary security review and scans have been conducted by the auditor to ensure that rest of the infrastructure is clean. The impact was limited to C-Edge systems hosted in their data center and not on any of the cooperative banks or regional rural banks’ own infrastructure. The services of cooperative banks and regional rural banks, which were dependent on C-Edge, have now been restored. With this, respective banks shall be able to offer full range of services seamlessly to their customers, as it was before.”
What is a ransomware attack
According to Sheetal R Bhardwaj, executive member of the Association of Certified Financial Crime Specialists (ACFCS), “A ransomware attack is a type of cyberattack where malicious software, or malware, encrypts a victim’s data or locks them out of their systems. The attackers then demand a ransom payment in exchange for restoring access to the data or systems.” In other words, the malware encrypts files on a victim’s computer or network, rendering them inaccessible until a ransom is paid.
According to Sheetal, here are some key points about ransomware attacks:
- Encryption: The malware encrypts the victim’s files, making them inaccessible without a decryption key, which the attackers hold.
- Ransom Demand: Attackers demand a ransom, often in cryptocurrency, to provide the decryption key.
- Double and Triple Extortion: In more advanced attacks, attackers may also threaten to leak stolen data (double extortion) or use the stolen data to attack the victim’s customers or partners (triple extortion) if the ransom is not paid.
- Delivery Methods: Ransomware can be delivered through phishing emails, malicious websites, or exploiting vulnerabilities in software.
According to the Indian Computer Emergency Response Team (CERT-IN) website as of July 31, 2024, “Ransomware is a category of malware that gains access to systems and makes them unusable to its legitimate users, either by encrypting different files on targeted systems or locking the system’s screen unless a ransom is paid. Ransomware actors also threaten to sell or leak any exfiltrated data, if the ransom is not paid.”
CERT-IN states, on its website, that although there are countless strains of ransomware, they mainly fall into two categories:
- Crypto Ransomware encrypts files on a computer so that they become unusable.
- Locker Ransomware blocks standard computer functions from being accessed.
According to the CERT-IN Ransomware Report 2022, there was an overall 53% year-over-year increase in ransomware incidents reported in 2022. (https://www.cert-in.org.in/PDF/RANSOMWARE_Report_2022.pdf)
“IT & ITeS was a majorly impacted sector followed by Finance and Manufacturing. Ransomware players targeted critical infrastructure organisations and disrupted critical services in order to pressurise and extract ransom payments. Variant wise, Lockbit was a majorly seen variant in the Indian context followed by Makop and DJVU/Stop ransomware. Many new variants were observed in 2022 such as Vice society, BlueSky etc. Leaked Ransomware source codes are getting forked to launch new Ransomware brands,” said CERT-IN in the report.
CERT-IN also said in the report that “Ransomware restoration & recovery time is dependent upon multiple factors like level of infection, affected applications, availability of backups & images, and Business Continuity preparedness. Time, efforts and cost involved are very much significant even with the availability of safe backups.”