National Health Mission Cyberattack: Knight Ransomware Group Takes Responsibility

In a concerning turn of events, the notorious Knight ransomware group has openly declared its involvement in the recent National Health Mission cyberattack.

This announcement came via a dark web channel commonly frequented by such threat actors. The Knight ransomware group shared this update on their own dark web channel where they added some screenshots of National Health Mission cyberattack claims. 

The National Health Mission, an important initiative launched by the government of India in 2005, incorporated the National Rural Health Mission and the National Urban Health Mission. Its mandate was further extended until March 2020. 

As an integral part of the Department of Health & Family Welfare under the Government of Uttar Pradesh, any breach of the National Health Mission’s security would undoubtedly have significant repercussions.

National Health Mission Cyberattack: Confirming the Claims

The Cyber Express also reached out to the Department of Health & Family Welfare regarding the alleged National Health Mission cyberattack. However, at the time of writing this, no official statement or response has been received from the ministry. This leaves the claims of the alleged National Health Mission cyberattack stand unverified. 

The National Health Mission cyberattack is just the tip of the iceberg as the Indian government faced multiple cyber intrusions from different threat actors. Just last year, there were reports of data breaches in India’s CoWIN vaccine portal.

While the head of the National Health Authority, R.S. Sharma asserted the portal’s robust security infrastructure, the data leak, exposing the sensitive information of millions, was a reminder of the vulnerabilities faced by the Indian government. 

This National Health Mission cyberattack, encompassing names, Aadhaar national IDs, mobile numbers, voter IDs, passports, and COVID-19 vaccination records, marked one of India’s largest data exposures. It followed a series of other breaches involving CoWIN and Aadhaar data, as well as records from a prominent Delhi-based hospital.

Knight Ransomware Group: Origin and Modus Operandi

CloudSEK’s Threat Research team recently revealed crucial findings about the Knight Ransomware group, formerly known as Cyclops. Emerging in May 2023, this group spent three years developing a highly versatile ransomware capable of infiltrating major platforms like Windows, Linux, macOS, ESXi, and Android. 

Operated by an entity known as easy22go, this Ransomware-as-a-Service (RaaS) is promoted on online forums. Notably, it is coded in Golang. This innovative malware not only encrypts data but also enables exfiltration, revolutionizing ransomware attacks.

The group, rooted in Russia and Europe, is currently focused on perfecting the software for potential affiliates and recruiting individuals skilled in propagation techniques like phishing and social engineering.

They offer tailored versions for small-scale targets and phishing, as well as a comprehensive version for builders and stealers. Additionally, the Knight gang claims connections with other ransomware groups including Lockbit and Babuk.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.