
The AIIMS Delhi ransomware attack of November 2022 was a landmark cybersecurity incident in India: it exposed how vulnerable the country’s essential infrastructure, and the healthcare sector in particular, is to a single intrusion.
1. Type of Attack: The AIIMS Delhi incident was a ransomware attack. Ransomware encrypts an organization’s data, rendering it inaccessible, and demands payment (usually in cryptocurrency) for the decryption key. Here the attack left critical hospital systems inoperable and forced a complete shift to manual operations. Investigators reported that the affected servers carried several malicious tools, not all of them ransomware: WannaCry (a ransomware family), Mimikatz (a credential-dumping tool used to harvest Windows passwords and hashes for lateral movement, not a ransomware strain in itself) and an otherwise unspecified Trojan. The presence of a credential-harvesting tool alongside the encryptor is consistent with a human-operated intrusion in which the attackers gained a foothold and collected credentials before triggering encryption, although the investigating agencies did not publish a full intrusion timeline.
2. Date and Time of Impact: The attack was reported on November 23, 2022, at around 7:00 AM IST, when systems at AIIMS and its various centers were found to be encrypted. The impact was immediate and severe, forcing the institution to switch to manual operations for patient care services, including registration, appointments, billing, and discharge. The disruption lasted for over two weeks, with services restored gradually.
3. Origin of Attack and Attackers: No official attribution to a specific group was made. Initial investigations and media reports pointed to IP addresses in China and Hong Kong, particularly in China’s Henan province, which led to speculation about state-sponsored activity; an IP address is weak evidence of origin on its own, since ransomware operators routinely route traffic through compromised or rented infrastructure in third countries. Some reports named the LockBit ransomware gang as the party allegedly demanding the ransom, but neither AIIMS nor the investigating agencies confirmed this. The Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) cell registered a case under Section 66F of the Information Technology Act, 2000 (the cyber-terrorism provision inserted by the 2008 amendment), classifying the incident as an act of cyber-terrorism.
4. Data Loss/Impact: The attack encrypted approximately 1.3 terabytes of data across five physical servers at AIIMS. The exact number of compromised patient records was never officially confirmed, but reports indicated that records of up to 40 million patients could have been affected. This highly sensitive data included patient names, ages, addresses, medical histories, diagnoses, lab reports, treatment details, and other Personally Identifiable Information (PII). Research data and administrative information were also affected, posing a significant risk to patient confidentiality and potentially exposing the medical records of VIPs, including former prime ministers, ministers, bureaucrats, and judges. The primary and backup servers holding outpatient and research data were reportedly wiped; the restoration described in point 7 relied on a separate backup server that the attack did not reach, which is why the distinction between an online backup and an isolated one mattered so much here.

5. Incident Response Against Attack: Upon detection, AIIMS immediately reported the incident to the authorities. A multi-agency investigation was launched, involving:
- Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) cell: Filed an FIR and initiated the criminal investigation.
- Indian Computer Emergency Response Team (CERT-In): India’s national nodal agency for cybersecurity incidents, which analyzed the attack, provided technical guidance, and assisted in recovery.
- National Informatics Centre (NIC): Responsible for the e-Hospital application system, they were deeply involved in the technical recovery.
- National Investigation Agency (NIA): Joined the probe due to the severity and potential “cyber-terrorism” angle.
- Intelligence Bureau (IB) and Central Bureau of Investigation (CBI): Also provided assistance in the investigation.
- Central Forensic Science Laboratory (CFSL): Engaged to analyze the infected servers and identify the malware and its source.
- Defence Research and Development Organisation (DRDO): Provided technical support and, according to some reports, new servers for immediate use.
- Bharat Electronics Ltd. (BEL): Provided technical support for restoring the IT infrastructure and implementing security solutions.
The hospital swiftly transitioned to manual operations for all patient care services to ensure continuity, albeit with significant delays and inconvenience. Internet access at AIIMS was cut for several days as a containment measure, which also severed any remaining attacker access to the network.
6. Financial Loss: AIIMS did not confirm paying any ransom; the attackers allegedly demanded around INR 200 crore (approximately USD 24.5 million at the time) in cryptocurrency. The financial loss was primarily in terms of:
- Operational Disruption: The forced shift to manual operations for over two weeks led to significant inefficiencies, delays in treatment, and potential revenue loss for the hospital.
- Recovery Costs: Substantial resources went into investigation, remediation, rebuilding the IT infrastructure, acquiring new hardware (e.g., four new servers from DRDO), deploying enhanced cybersecurity measures, and engaging external cybersecurity consultants (EY was reportedly already engaged before the incident).
- Reputational Damage: Difficult to quantify financially, but the attack severely dented public trust in the digital healthcare system and in AIIMS’s ability to protect sensitive data.

7. How it Recovered and Agencies Involved: The recovery process was a complex, multi-pronged effort:
- Data Retrieval from Backups: The government confirmed that “all the data for e-Hospital has been retrieved from a backup server which was unaffected and restored on new servers.” This is the single most important technical lesson of the incident: a backup that the attacker can reach is not a backup, and only the copy that was isolated from the compromised network made recovery without paying possible.
- System Rebuilding and Sanitization: The affected servers and over 5,000 endpoints were scanned with antivirus software and the network was sanitized before new servers were brought online, so that restored data was not written back into an environment the attacker still controlled.
- Manual Operations: The immediate shift to manual processes was crucial in managing patient care during the outage, minimizing direct harm to patients despite the inconveniences.
- Phased Restoration of Services: Most functions of the e-Hospital application (patient registration, appointments, admission, discharge) were gradually restored over two weeks.
- Enhanced Security Measures: After the attack, AIIMS began strengthening its cybersecurity posture. This included a re-evaluation of its network architecture, which was reportedly found to have “too many loopholes” and had not been designed by cybersecurity professionals. There was a push to appoint a dedicated cybersecurity officer and senior IT professionals to manage IT-related tasks, roles that had reportedly been absent at the institution for some 30 years. The government also formulated a National Cybersecurity Response Framework (NCRF) to address critical infrastructure vulnerabilities, drawing on lessons from the AIIMS incident.
The recovery was a collaborative effort involving the agencies listed in point 5 (Delhi Police, CERT-In, NIC, NIA, IB, CBI, CFSL, DRDO, BEL), alongside AIIMS’s internal IT teams and external cybersecurity consultants. The incident served as a stark wake-up call for India’s critical information infrastructure, prompting a reassessment of cybersecurity strategies and a push for greater preparedness.