Indian IT services provider SRM Technologies appears to have been hit with a ransomware attack by the BlackCat gang. The group says a successful phishing attack enabled it to gain access to SRM’s systems.

SRM Technologies ransomware
IT Services Provider SRM Technologies has apparently fallen victim to a ransomware attack (Photo by
Hispanolistic/iStock)

It is not yet clear how much damage has been inflicted on the company’s system in the attack, which was revealed overnight.

SRM Technologies is an IT services provider based in India, with offices in the US and Japan. The company was founded in 1998 and works with customers in industries including automotive, industrial, retail and education on digital transformation and other IT projects.

Attacks on IT services providers can have wide-ranging consequences, as the businesses often have access to the systems of their clients, meaning a breach can be used as a springboard for a supply chain attack such as the SolarWinds breach.

Tech Monitor has contacted SRM Technologies for a response to the allegations.

SRM Technologies ransomware attack: how it happened

According to BlackCat, a fraudulent email was sent to four employees at SRM Technologies, including the head of cloud engineering Ramkumar Dilli. It warns of an ongoing cyberattack, stating that some of the company’s files had already been encrypted.

BlackCat’s victim blog on the dark web displays the phishing email and what purports to be Dilli’s response.

The email reads: “Important files on your network was ENCRYPTED and now they have “egdd8rl” extension. In order to recover your files you need to follow the instructions below.”

The rest of the email implores recipients to act quickly and includes a list of the data that has apparently been lost.

Dilli then appears to reply to the email, forwarding it to the IT department along with a message thanking them for their support and diligence.

Hours later the gang says it reached out to Dilli himself on LinkedIn, informing him that SRM Technologies had been the victim of a ransomware attack and that he was the source of the breach.

The dark web blog has also posted the name of the company, underneath which is the message, “You have been compromised. We have your data. Your servers are down. Thanks to Ramkumar Dilli for the opportunity.”

Malware researcher Dominic Alvieri posted the leak on Twitter along with screenshots of the dialogue between BlackCat and the head of cloud engineering. “The employee facilitated access with poor cybersecurity skills,” he says.

What is BlackCat?

BlackCat was spotted in November last year, and since then has racked up a long list of victims including, earlier this month, global gaming platform Roblox and gamer producer Bandai Namco.

Researchers including Cisco Talos have postulated that the gang may have members of notorious malware families BlackMatter and DarkSide.

It has been observed soliciting for affiliates in known cybercrime forums, offering to allow these hackers to leverage its malware and keep 80-90% of the ransom payment, according to a report by Unit42, the research arm of security company Palo Alto Networks.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Ransomware groups are getting smaller and smarter