A sophisticated ransomware attack targeting C-Edge Technologies, a joint venture between TCS and SBI that provides core banking technology to hundreds of Indian cooperative banks, has resulted in the exposure of sensitive data belonging to 2.8 million bank customers. The attack, attributed to the RansomEXX ransomware group, first exfiltrated customer data and then encrypted C-Edge's servers — a double extortion technique that has become standard practice among sophisticated ransomware operators.
Scale and Impact of the Attack
The attack affected 500 cooperative banks across 17 Indian states, with the highest concentration in Maharashtra, Gujarat, and Uttar Pradesh. The compromised data includes customer names, addresses, Aadhaar numbers, PAN card numbers, account numbers, transaction histories, and in some cases, loan application details including income information and property documents. The National Payments Corporation of India (NPCI) took the precautionary step of disconnecting all affected banks from the UPI payment network, temporarily blocking millions of transactions.
The disruption lasted approximately 72 hours before partial services were restored. During this period, customers of affected banks were unable to make UPI payments, access ATMs, or conduct online banking. For many customers in rural areas where these cooperative banks are the primary financial institution, this represented a complete loss of access to their funds during a critical period.
How the Attack Was Executed
Forensic analysis by CERT-In and private cybersecurity firms revealed that the attackers gained initial access to C-Edge's network through a phishing email sent to an employee with privileged access to the core banking system. The email contained a malicious attachment that installed a remote access trojan, giving the attackers persistent access to the network. Over the following three weeks, the attackers moved laterally through the network, escalating privileges and mapping the infrastructure before deploying the ransomware payload.
The attackers demonstrated sophisticated knowledge of C-Edge's network architecture, suggesting either extensive reconnaissance or the involvement of an insider. They specifically targeted backup systems before encrypting primary data, ensuring that recovery would be difficult and maximizing pressure on the victim to pay the ransom. The ransom demand was 50 million dollars in cryptocurrency, which C-Edge and the affected banks declined to pay.
The Dark Web Data Leak
Following the refusal to pay the ransom, the attackers published a sample of the stolen data on a dark web forum as proof of their claims. The sample included account details and transaction records for approximately 10,000 customers. Cybersecurity researchers who analyzed the sample confirmed its authenticity, noting that the data appeared to be genuine and recent. The full dataset of 2.8 million records was subsequently offered for sale on multiple dark web marketplaces at prices ranging from 50,000 to 200,000 dollars.
The exposure of Aadhaar numbers is particularly concerning because Aadhaar is used as a universal identity document in India and is linked to bank accounts, mobile numbers, and government benefit schemes. Criminals with access to Aadhaar numbers can potentially use them to open fraudulent bank accounts, apply for loans, or access government benefits in the victim's name. The UIDAI has been notified and is monitoring for suspicious activity linked to the exposed Aadhaar numbers.
Regulatory Response
The Reserve Bank of India has issued emergency guidelines requiring all banks and banking technology providers to conduct immediate security audits and implement enhanced monitoring for suspicious activity. The RBI has also mandated that all core banking system providers implement multi-factor authentication for all administrative access, network segmentation to limit lateral movement, and immutable backup systems that cannot be encrypted by ransomware.
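The mandate above names immutable backups as a control, and the attack narrative earlier describes why: the attackers went after backup systems before encrypting primary data. The following is an added illustration, written for this page and not code from C-Edge, the RBI or the article, of the two properties such a backup store needs at minimum: it never overwrites an existing snapshot (objects are content-addressed and created with O_EXCL, so the storing API can only append), and it keeps a manifest of SHA-256 digests so a verifier can tell which snapshots were altered outside the API. The vault path, snapshot labels and ledger contents are constructed sample data; the demo corrupts one object out-of-band to stand in for in-place encryption and shows that verification flags exactly that snapshot.

```python
"""Append-only backup vault with an integrity manifest (illustrative example).

Assumptions (not from the article): snapshots are small byte blobs, SHA-256
is used for content addressing, and a JSON manifest lists every snapshot
ever written in order.
"""
import hashlib
import json
import os
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ImmutableVault:
    """Write-once snapshot store.

    Each snapshot is stored under its content hash; the store() API refuses
    to replace an existing object, so through this interface history can
    only grow. The manifest records the expected digest of every snapshot,
    which lets verify() detect objects that were modified by any other path.
    """

    def __init__(self, root: str):
        self.root = root
        self.objects = os.path.join(root, "objects")
        self.manifest = os.path.join(root, "manifest.json")
        os.makedirs(self.objects, exist_ok=True)
        if not os.path.exists(self.manifest):
            with open(self.manifest, "w") as f:
                json.dump([], f)

    def _load_manifest(self) -> list:
        with open(self.manifest) as f:
            return json.load(f)

    def store(self, label: str, data: bytes) -> str:
        """Append a snapshot and return its content digest."""
        digest = _sha256(data)
        path = os.path.join(self.objects, digest)
        try:
            # O_EXCL makes creation fail if the object already exists, so an
            # existing snapshot is never truncated or rewritten by this API.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        except FileExistsError:
            # Same content already stored: content addressing makes this a
            # harmless deduplication rather than an overwrite.
            pass
        else:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
        entries = self._load_manifest()
        entries.append({"label": label, "sha256": digest})
        with open(self.manifest, "w") as f:
            json.dump(entries, f)
        return digest

    def verify(self) -> dict:
        """Recompute every digest; return labels grouped by ok/tampered/missing."""
        report = {"ok": [], "tampered": [], "missing": []}
        for entry in self._load_manifest():
            path = os.path.join(self.objects, entry["sha256"])
            if not os.path.exists(path):
                report["missing"].append(entry["label"])
                continue
            with open(path, "rb") as f:
                actual = _sha256(f.read())
            bucket = "ok" if actual == entry["sha256"] else "tampered"
            report[bucket].append(entry["label"])
        return report


def demo() -> dict:
    """Store two constructed snapshots, corrupt one out-of-band, return the report."""
    vault = ImmutableVault(tempfile.mkdtemp(prefix="vault-"))
    vault.store("ledger-day1", b"constructed sample ledger, day 1")
    day2 = b"constructed sample ledger, day 2"
    digest = vault.store("ledger-day2", day2)
    # Out-of-band corruption standing in for in-place encryption. The vault's
    # own API cannot do this; it has to bypass the API and the file mode,
    # which is exactly the case verify() exists to catch.
    target = os.path.join(vault.objects, digest)
    os.chmod(target, 0o644)
    with open(target, "wb") as f:
        f.write(bytes(b ^ 0x5A for b in day2))
    return vault.verify()


if __name__ == "__main__":
    print(demo())
```

The sketch shows the logic, not the guarantee: a filesystem mode and an O_EXCL check stop accidental or API-level overwrites, but not a process running with the privileges the article describes the attackers acquiring. In practice the append-only property has to be enforced below the reach of a compromised administrator, for example by storage-level retention locks, offline or off-site copies, or a separately administered backup account, with the verification step run from a system the production network cannot write to.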
CERT-In has launched a formal investigation and has shared indicators of compromise with all financial institutions to help them detect and respond to similar attacks. The Ministry of Finance has convened an emergency meeting of banking regulators and cybersecurity officials to assess the systemic risk posed by the concentration of banking technology in a small number of third-party providers.
What Affected Customers Should Do
Customers of affected banks should take several immediate steps to protect themselves. First, monitor bank statements carefully for any unauthorized transactions and report them immediately to the bank. Second, be alert for phishing attempts — criminals with access to your personal information may use it to craft convincing phishing messages. Third, consider placing a credit freeze with credit bureaus to prevent fraudulent loan applications in your name. Fourth, if you use the same password for banking as for other services, change all passwords immediately.
The incident highlights the critical importance of cybersecurity investment in India's banking sector, particularly among smaller cooperative banks that often lack the resources to implement enterprise-grade security measures. The concentration of technology services in a small number of providers creates systemic risk — a single successful attack can simultaneously compromise hundreds of institutions.
