Dr Reddy’s works to restore systems after ransomware attack

The Indian pharmaceutical manufacturer is still unsure whether the attack resulted in a data breach.


Pharmaceutical manufacturer Dr Reddy’s acknowledged Wednesday that it had suffered a ransomware attack.

The Hyderabad-based company experienced an information security incident on Oct. 22, forcing the company to isolate affected IT services, it reported to the National Stock Exchange of India on Wednesday.

“This incident involved a ransomware attack. We promptly engaged leading outside cybersecurity experts, launched a comprehensive containment and remediation effort and investigation to address the incident,” the company said.

The attack came days after Dr Reddy’s received approval to conduct a clinical trial of a vaccine for the virus that causes COVID-19.

Ransomware is a form of malware that encrypts files on the machines it attacks, demanding that victims pay a fee to unlock them. It has existed for decades, but has become particularly prevalent in recent years—and India consistently ranks among the countries most severely affected.

So far, Dr Reddy’s has been unable to determine whether the incident resulted in the disclosure of any personally identifiable information stored in its systems.

“Recovery and restoration of all applications and data is underway. All critical operations are being enabled in a controlled manner,” the company told the NSE.

While individuals affected by malware may be upset to lose their vacation photos and old tax returns, the situation is far more critical for enterprises.

As long ago as 2016, Indian manufacturing companies were concerned about ransomware, with some putting it at the top of their security agenda.

User education was one of the key lines of defence they evoked. Ransomware often enters enterprise environments as a result of human vulnerabilities rather than technical ones, when users are manipulated into clicking on malicious links or email attachments.

That’s still true today. As Chester Wisniewski, principal research scientist at security firm Sophos, told CSO earlier this year, “Although cloud providers and security vendors are doing their best to make it easy to collect, analyze and draw attention to the most important threats, the primary defence against modern ransomware requires humans in addition to tools.”

India fares particularly badly when it comes to ransomware: In a survey published earlier this year, Sophos ranked India second worldwide for ransomware attacks on the public cloud.

Another report from the same company, “The State of Ransomware 2020,” found that 82% of organizations in India reported suffering a ransomware attack in the past year—more than any other country. Indian companies were most likely (66%) to pay the ransom, making the country a lucrative target for cybercriminals.

Secure backups are one way to avoid the cost of paying a ransom. Cybersecurity insurance is another: Sophos found that 94% of respondents in India had such insurance, with 80% covered for ransomware attacks. (Only China had more companies insured against ransomware.)

The COVID-19 connection

Dr Reddy’s wasn’t the first Indian medical company to experience a security incident. Earlier this month, Australian security expert Sami Toivonen disclosed to TechCrunch that Dr Lal PathLabs left millions of patient records on an Amazon Web Services (AWS) repository unprotected without a password for months.

The data, stored as spreadsheets, contained patients’ names, addresses, gender, dates of birth and mobile numbers, in addition to specifics of medical tests patients had undergone. What makes patient data a particularly critical asset is the fact that unlike compromised phone numbers and credit card information, medical records like existing health conditions, previous illnesses and blood groups cannot be changed.

Cybersecurity expert Rohit Srivastwa, Founder of ClubHack and formerly a senior director at Quick Heal, observed that hospitals and healthcare companies are in the crosshairs because they are running against time to develop COVID-related treatments and vaccines, and are therefore more likely to pay a ransom to restore their data and meet approaching deadlines.

“Healthcare companies cannot afford downtime at this point in time, so they give in to attackers’ demands and cough up the ransom. This leads to more targeted attacks on healthcare and pharma companies,” he said.

With the ransomware attack on Dr Reddy’s coming days after the company revealed it would begin clinical trials of a COVID-19 vaccine, Srivastwa said, “Considering the rise we’re seeing in nation-state attacks, it’s not impossible that COVID-related angle could be a reason behind the targeted attack.”

The onus is on CISOs

A CISO’s job has never been an easy one, and the COVID-19 outbreak has made it harder still. Srivastwa said that one of the biggest challenges CISOs are faced with comes from “being stuck in the rut” with respect to carrying out daily activities. This, added to the lack of visibility, makes it even more challenging.

“Proper visibility and continuous monitoring of what’s going on within the company’s environment will show you that something is going wrong somewhere. Unless and until you know what you’re protecting, you cannot secure your company,” he said.

In addition to this, he explained that security budgets in India are always seen as a cost center, and because of this, organizations tend to cut corners.

Atul Prakash, Cyber Defense Architect at Hewlett Packard Enterprise, minced no words when he said, “Indian cybersecurity professionals keep longing to become CISOs, heads of security, and directors of security without having any real-time tactical leadership experience with security operations, designs, and implementation.”

He added that most security professionals in the country only work on compliance-related projects like GDPR, ISO, and PCI. “More than budgets, inexperienced cybersecurity leadership is the issue,” he concluded.


Copyright © 2020 IDG Communications, Inc.
