“Through thorough investigation and leveraging sensitive sources, CloudSEK has confirmed that the ransomware group responsible for this attack is RansomEXX,” CloudSEK said. “Our extensive engagement with the affected banking sector in India facilitated this determination.”

The AI-powered, threat intelligence firm said the attack happened through a misconfigured Jenkins server, an open-source automation tool for developers to build, test, and deploy software, by exploiting a vulnerability (CVE-2024-23897) to gain unauthorized access.

“According to the report filed by Brontoo Technology Solutions with CertIn(Indian Computer Emergency Response Team) it was mentioned that the attack chain started at a misconfigured Jenkins server,” CloudeSEK added. “CloudSEK threat research team was able to identify the affected Jenkins server and subsequently the attack chain.” While the situation is still evolving and negotiations with the ransomware group are probably underway, the ransomware group has a history of making extravagant ransom demands, and we anticipate a similar approach in this case, CloudSEK added.