Cyber Incident Victim: Mahatma Gandhi Mission Hospital
Date: Jul 2018
Location: India
Summary
A ransomware attack targeted Mahatma Gandhi Mission Hospital in Navi Mumbai, encrypting its data and demanding payment in bitcoins for decryption keys. The incident occurred alongside similar attacks on a local hotel and a chartered accountant’s office, where attackers deployed malware via infected links or attachments to lock systems and extort funds. Data access was blocked until payment, with the attackers leveraging the urgency of sensitive information to pressure victims. The hospital’s case mirrored broader ransomware tactics observed in prior incidents, emphasizing encryption-based extortion and cryptocurrency demands. Investigations were initiated with cyber cell assistance, though tracking perpetrators remained challenging due to the attacks’ anonymous nature.
Description
A ransomware attack targeted Mahatma Gandhi Mission (MGM) Hospital in Navi Mumbai on or around July 15, 2018. Cybercriminals encrypted the hospital's data systems, rendering critical information inaccessible. The attackers demanded payment in Bitcoin cryptocurrency in exchange for providing a decryption key to restore access. This incident occurred amid a localized surge in ransomware attacks across the Navi Mumbai region, with Hotel Three Star in Kharghar suffering a similar compromise approximately ten days prior to the hospital attack. The hospital's operational disruption followed a broader pattern of ransomware incidents affecting Maharashtra institutions, including a 2017 attack on Jawaharlal Nehru Port Trust and a 2016 Locky ransomware infection impacting 150 computers at Mantralaya, the state administrative headquarters.

The attackers employed typical ransomware delivery methods, likely deploying malicious software through phishing emails containing infected links or attachments. Once executed on hospital systems, the malware encrypted files and displayed instructions for Bitcoin payment. While specific technical details of MGM Hospital's detection timeline and containment measures were not publicly disclosed, the attack mirrored contemporaneous incidents where victims discovered encryption only upon attempting to access their systems. The Bhoiwada police registered a related First Information Report under Section 385 of the Indian Penal Code (extortion) and relevant Information Technology Act provisions following a separate ransomware attack on a Dadar-based chartered accountant's office three days after the hospital incident. Law enforcement noted the operational challenges in tracing cryptocurrency-based ransom demands and engaged cybercrime specialists for investigative support.
