Cyber Incident Victim: Indian Institute of Technology Madras

Date: Feb 2020

Location: India

Summary

A ransomware attack targeted IIT Madras, encrypting files on the institution's internet and Command and Control servers, with a message demanding payment for decryption via specified email addresses. The malware primarily affected Windows systems, prompting warnings to back up critical data immediately. While the institute asserted that email servers were restored using backups and no data was lost, students expressed concerns about potential unrecovered research information. The director confirmed the temporary email server outage and ongoing investigation but did not address broader ransomware allegations. Cybersecurity experts noted prior vulnerabilities across IIT systems, characterizing the incident as consistent with historical security weaknesses.

Description

On or around February 19, 2020, the Indian Institute of Technology Madras (IIT Madras) experienced a suspected ransomware attack targeting its internet infrastructure and Command and Control servers. Students and researchers discovered encrypted files accompanied by a message displaying crossbones and the warning: "All your files have been encrypted." The attackers demanded payment via email communication to [email protected] or [email protected], instructing users to provide their IDs for ransom pricing. Payment would allegedly result in decryption tools and instructions, with explicit warnings against using antivirus software or third-party decryption attempts to avoid permanent data loss. The IIT Madras Students' General Secretary circulated an urgent email acknowledging a "serious attack" affecting campus computers, specifically targeting Windows systems, and advised immediate backup of critical data from labs and personal rooms.

IIT Madras initially confirmed an email server outage under investigation but emphasized all email data was backed up and would be restored promptly. Director Bhaskar Ramamurthy later stated only one email server experienced temporary downtime, with no mail loss or impact on other services. Cybersecurity professional Manu Zachariah identified the incident as a ransomware attack, noting historical vulnerabilities across IIT servers. Despite official assurances, students expressed concerns about unrecovered research data without ransom payment. The institute did not address further inquiries about ransomware specifics, creating ambiguity regarding the attack's full scope beyond email systems. No confirmed data loss or ransom payment was disclosed in available reports.
