
Backups alone are not enough in today’s world; you need a proper BCPDR solution

Posted By Aasif Ali August 5, 2024

The attack affected a leading banking technology provider and forced the National Payments Corporation of India to shut down payments at impacted banks.

C-Edge Technologies — a State Bank of India (SBI) and Tata Consultancy Services (TCS) joint venture — has suffered a ransomware attack, disrupting payment systems in nearly 300 small banks in India.

The company, which provides payment technologies and solutions to Indian banks in the cooperative and regional sectors, suffered the attack through a third party, Brontoo Technology Solutions, according to CloudSEK research.

“CloudSEK’s threat research team is actively monitoring a major ransomware attack that has disrupted India’s banking ecosystem, affecting banks and payment providers,” said CloudSEK in the study. “The attack has primarily impacted Brontoo Technology Solutions, a key collaborator with C-EDGE.”

At the time of publishing this article, the attack is reportedly preventing customers of all these banks from accessing payment services such as withdrawing cash at ATMs or using UPI.

NPCI shut down retail payments

In response to the attack, the National Payments Corporation of India (NPCI) — the entity operating retail payments and settlement systems in India — has shut down payment operations of the affected banks and is currently reviewing the situation.

“It has been brought to NPCI’s notice that C-Edge Technologies Ltd has been possibly impacted by a Ransomware attack impacting a few of their systems,” NPCI said in a statement. “To prevent larger impact to the payment ecosystem, NPCI has temporarily isolated C-Edge Technologies from accessing the retail payment systems operated by NPCI. Customers of banks serviced by C-Edge will not be able to access payment systems during the period of isolation.”

A security review is underway, and connectivity to the affected banks and normal operations are expected to be restored at the earliest, NPCI added.

India has an extensive network of around 1,500 cooperative and regional banks that mainly serve customers in rural and semi-urban areas. Despite their numbers, they account for only about 0.5% of the country’s payment system volumes, minimizing the overall impact of the attack.

Encryption attributed to RansomEXX

The attack was carried out by the notorious RansomEXX v2.0 group, known for targeting large organizations with substantial ransom demands, according to CloudSEK.

“Through thorough investigation and leveraging sensitive sources, CloudSEK has confirmed that the ransomware group responsible for this attack is RansomEXX,” CloudSEK said. “Our extensive engagement with the affected banking sector in India facilitated this determination.”

The AI-powered threat intelligence firm said the attack began at a misconfigured Jenkins server (Jenkins is an open-source automation server developers use to build, test, and deploy software), where a vulnerability (CVE-2024-23897) was exploited to gain unauthorized access.

“According to the report filed by Brontoo Technology Solutions with CERT-In (Indian Computer Emergency Response Team) it was mentioned that the attack chain started at a misconfigured Jenkins server,” CloudSEK added. “CloudSEK threat research team was able to identify the affected Jenkins server and subsequently the attack chain.”

While the situation is still evolving and negotiations with the ransomware group are probably underway, the group has a history of making extravagant ransom demands, and CloudSEK said it anticipates a similar approach in this case.
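Because the attack chain above started at an unpatched Jenkins server, the first thing a defender wants is a fleet-wide check of which instances still run a version affected by CVE-2024-23897. The script below is an added example and not CloudSEK's or Jenkins' code; it assumes the version string is the one Jenkins returns in its `X-Jenkins` HTTP response header, and the fixed-version thresholds are taken from the Jenkins security advisory for this CVE rather than from the article, so verify them before relying on the result. It also handles the edge case that Jenkins runs two independently numbered release lines (weekly and LTS), which a naive string comparison gets wrong.

```python
"""Triage Jenkins instances by version for CVE-2024-23897 exposure.

Jenkins publishes two release lines with separate numbering: weekly
(two components, e.g. 2.441) and LTS (three components, e.g. 2.426.2).
Comparing a patched LTS 2.426.3 against the weekly fix 2.442 as plain
tuples would wrongly flag it, so the line is detected first and each
line is compared against its own threshold.
"""
import re

# Assumed fixed versions (from the Jenkins advisory, not from the
# article above): first weekly and first LTS release containing the fix.
FIXED_VERSIONS = {"weekly": (2, 442), "lts": (2, 426, 3)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(value):
    """Return (line, tuple) for an X-Jenkins header value such as '2.426.2'."""
    match = _VERSION_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {value!r}")
    parts = tuple(int(p) for p in match.groups() if p is not None)
    line = "lts" if len(parts) == 3 else "weekly"
    return line, parts


def is_vulnerable(value):
    """True when the version predates the fix on its own release line."""
    line, parts = parse_version(value)
    return parts < FIXED_VERSIONS[line]


def triage(inventory):
    """Map host -> 'vulnerable' | 'patched' | 'unknown' from an
    inventory of {host: X-Jenkins header value or None}."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except (ValueError, TypeError, AttributeError):
            verdicts[host] = "unknown"   # no header or unparsable value
    return verdicts


# Constructed sample inventory, as an asset scan might produce it.
SAMPLE_INVENTORY = {
    "ci-weekly-old": "2.441",    # weekly, one release before the fix
    "ci-weekly-new": "2.442",    # first fixed weekly
    "ci-lts-old": "2.426.2",     # LTS, affected
    "ci-lts-new": "2.426.3",     # first fixed LTS
    "ci-no-header": None,        # header missing: needs manual review
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {verdict}")
```

Version is a necessary but not sufficient signal: an instance at or above the threshold still needs its CLI and authorization settings reviewed, and anything reported as "unknown" should be checked by hand.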
