Investigators search for source of ransomware attack on AIIMS servers

System yet to be fully restored as more damage is anticipated if it is linked to the Internet; attackers changed file extensions for all physical servers; over 11,000 computers to be scanned

December 04, 2022 09:29 pm | Updated December 05, 2022 08:54 am IST

Patients and their relatives seen outside the AIIMS hospital, in New Delhi on Sunday morning.

Patients and their relatives seen outside the AIIMS hospital, in New Delhi on Sunday morning. | Photo Credit: SUSHIL KUMAR VERMA

Two weeks after a cyber attack crippled the servers at the All India Institute of Medical Sciences (AIIMS), the system has not been completely restored as investigators anticipate more damage if it is linked to the Internet. The file extensions for all the physical servers of AIIMS running on Operating System Linux were changed by the ransomware attackers, a probe has found. 

A senior government official told The Hindu that to trace the source of the attack, investigators have a huge task of scanning 11,500 computers with a fine-tooth comb as the system will continue to be affected till then.

A First Information report (FIR) filed by the Special Cell of Delhi Police on a complaint filed by an AIIMS security officer said that the hospital had been subjected to a “deliberate” ransomware attack. The FIR states that one of the officials received three attachments from e-mail users identifying themselves as “dog” and “mouse” seeking a ransom of an unspecified amount. The users asked AIIMS officials that they could send “program and private key” to the IT department of AIIMS to “decrypt the data” and warned the officials to not use third-party software to repair the system as it may lead to permanent data loss. 

The FIR added that the “Hospital Information System (HIS) of AIIMS, e-Hospital” provided and managed by the National Informatics Centre (NIC) was down and the last transaction had been recorded at 7.07 a.m. on November 23. The HIS pertains to patient records, including line of treatment. 

As soon as the attack was diagnosed, NIC officials reported the incident on the toll-free number of Computer Emergency Response System-India (CERT-IN). 

Another government official said the source of the attack is yet to be ascertained amid indications that it could have been launched from one of the neighbouring countries. 

“Even if it is a ranswomware attack, it is not the policy of the government to pay ransoms. Agencies are probing the incident and it [the HIS] will be restored soon,” said the official.

The official added that the cyber system at AIIMS was prone to breach without adequate firewalls and safety features in place. 

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.