
Cyber Incident Victim: Racingpulse.in

Date: Jan 2017

Location: India

Summary

A popular Indian horse racing website was compromised by hackers deploying a new variant of Dharma ransomware, resulting in the encryption of all its data. The attackers displayed a ransom note demanding payment in Bitcoin, providing detailed instructions on acquiring the cryptocurrency and offering to decrypt up to three non-critical files under 10MB as proof of capability. The note included a dedicated email address for communication. This incident marked the third attack on the site within a week, with prior breaches mitigated through backup restoration. Following the repeated compromises, the website's administrators planned to migrate servers in an effort to enhance security measures.


Description

On January 21, 2017, Racingpulse.in, a prominent Bangalore-based horse racing website, suffered a ransomware attack that encrypted its entire dataset. Hackers defaced the homepage with a message claiming responsibility and demanding payment in Bitcoin for decryption, though the exact ransom amount remained unspecified. The note instructed the site’s operators to contact [email protected], an India.com-registered email address, for further negotiations. To demonstrate credibility, the attackers offered to decrypt up to three non-critical files for free, provided they totaled less than 10MB in size. The message included detailed instructions on purchasing Bitcoin through LocalBitcoins.com and CoinDesk, emphasizing urgency by linking the ransom cost to response time. Security analysts identified the malware as a new variant of the Dharma ransomware, which typically spreads via phishing emails containing fraudulent financial or social network-themed attachments. Racingpulse.in’s editor, Sharan Kumar, confirmed this was the third attack on the site within a week, with prior incidents mitigated by restoring data from backups.


The attack forced Racingpulse.in to temporarily suspend operations while migrating to a new server in an effort to enhance security. Kumar disclosed that despite hosting servers in the United States, the site remained vulnerable to repeated breaches, underscoring broader cybersecurity challenges. The ransomware’s encryption rendered all site data inaccessible, disrupting services for an unspecified user base reliant on racing information and updates. No customer data compromise was explicitly reported, but operational continuity depended solely on decryption or backup restoration. The migration process was projected to take approximately one day, during which the site remained offline. Kumar’s decision to switch servers reflected a containment strategy aimed at preventing further attacks, though the efficacy of this measure was not detailed in available reports. The incident highlighted persistent targeting of the platform and the attackers’ focus on financial extortion through data immobilization.
