By Aman Rajak, Cyber & Tactical Technology CTO, Tech Sanrakshanam & SHOR Foundation, Incident Response Lead. November 2025

🔴 Introduction: A Wake-Up Call for Indian Businesses

Cyberattacks in India have evolved. They no longer look like amateur phishing attempts or random malware infections. What we investigated at Ishwar Retail was something deeper — a multi-stage cyber operation executed with precision, patience, and professional discipline.

Over eight months, an attacker quietly infiltrated the organization, studied its systems, weakened its defenses, planted remote-access backdoors, and finally launched a LockBit-grade ransomware attack, encrypting 187+ business-critical files and destroying all system backups.

This incident is not just a case study — it is a mirror. A reflection of where Indian businesses stand in their cyber maturity… and how fast the threat landscape is evolving.

This is the full story.

🧩 1. The Attack That No One Saw Coming

According to the forensic report, the attack chain began in February 2025, when the threat actor impersonated official GINESYS Technical Support and convinced a staff member to install remote-access tools. From that moment, the attacker had:

Administrator-level access

Full visibility of the business systems

The ability to monitor financial, retail, and ERP workflows

Persistent control for eight straight months

This is what cybersecurity professionals call a long-dwell intrusion — the type associated with advanced groups, not opportunistic hackers.

The organization had no SIEM, no antivirus, no monitoring, and no user security training. This allowed the attacker to stay invisible.

⚙️ 2. The Day Everything Broke: October 27, 2025

At 20:09 IST (14:39 UTC), the attacker uploaded a file named:

“WhatsApp Installer.exe” — but inside it was a LockBit Black ransomware variant, built by an operator known as Netekan.

In the next 10 minutes, the following happened:

Shadow copies deleted

Recovery disabled

187+ files encrypted

Ransom notes deployed

Backups destroyed

Entire ERP environment compromised

Encryption used ChaCha20 for the file contents, with the symmetric keys protected by RSA-4096. That is the standard hybrid construction, and when implemented correctly it is computationally infeasible to break without the attacker's private key.

In simple words: without that private key there is no decryption path. Whatever was not backed up elsewhere, or could not be carved back from the disk, is gone.
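The ten-minute sequence above (shadow copies deleted, recovery disabled, backup catalog wiped) is the part of a ransomware run that any process-creation telemetry can catch before the first file is encrypted. The following detector is an added example, not the forensic tooling used in this case. It runs over constructed Sysmon-style process-creation lines (UTC time, host, user, image, command line); hostnames, user names and the exact command lines are placeholders, and the rule list is the commonly seen set rather than anything recovered from the Ishwar Retail machine.

```python
"""Detect the pre-encryption destruction sequence in process-creation logs.

Added example, not the forensic tooling used in the case. Log lines are
constructed Sysmon-style process-creation events (UTC time|host|user|image|
command line); 20:09 IST on 27 Oct 2025 is 14:39 UTC. Hosts, users and
the exact commands are illustrative.
"""
import re
from datetime import datetime, timedelta

# Commands ransomware commonly runs before encrypting: delete volume shadow
# copies, shrink shadow storage, disable Windows recovery, wipe the Windows
# Backup catalog. `vssadmin list` / `create` are NOT flagged: backup software
# runs those legitimately, and flagging them buries the real signal.
RULES = [
    ("shadow_copy_delete",    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete",    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("recovery_disabled",     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("recovery_disabled",     re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

# Constructed events: a legitimate backup listing, the trojanised installer
# launch, the destruction sequence, and an unrelated host.
SAMPLE_EVENTS = """\
2025-10-27T14:30:02Z|POS-SRV01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2025-10-27T14:39:00Z|POS-SRV01|CORP\\posadmin|C:\\Users\\posadmin\\Downloads\\WhatsApp Installer.exe|"WhatsApp Installer.exe"
2025-10-27T14:39:05Z|POS-SRV01|CORP\\posadmin|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-10-27T14:39:40Z|POS-SRV01|CORP\\posadmin|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2025-10-27T14:39:41Z|POS-SRV01|CORP\\posadmin|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2025-10-27T14:40:12Z|POS-SRV01|CORP\\posadmin|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
2025-10-27T15:10:00Z|BACKUP01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

def parse_event(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "image": image, "cmd": cmd}

def classify(cmd):
    """Name of the first matching destruction rule, or None."""
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None

def detect(log_text, window=timedelta(minutes=10), min_distinct=2):
    """Return (hits, alerts).

    hits: every event matching a rule. alerts: per host, any run of hits
    inside `window` covering at least `min_distinct` different rules. One
    shadow-copy deletion may be an admin cleaning up disk; shadows deleted
    AND recovery disabled within minutes is the ransomware signature.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event["cmd"])
        if rule:
            event["rule"] = rule
            hits.append(event)
    by_host = {}
    for h in sorted(hits, key=lambda e: e["time"]):
        by_host.setdefault(h["host"], []).append(h)
    alerts = []
    for host, events in by_host.items():
        i = 0
        while i < len(events):
            j = i
            while j < len(events) and events[j]["time"] - events[i]["time"] <= window:
                j += 1
            group = events[i:j]
            rules = sorted({e["rule"] for e in group})
            if len(rules) >= min_distinct:
                alerts.append({"host": host, "user": group[0]["user"],
                               "start": group[0]["time"], "end": group[-1]["time"],
                               "rules": rules, "commands": [e["cmd"] for e in group]})
                i = j
            else:
                i += 1
    return hits, alerts

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    print(f"{len(hits)} suspicious commands, {len(alerts)} alert(s)")
    for a in alerts:
        print(f"ALERT {a['host']} {a['user']} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}Z "
              f"rules={','.join(a['rules'])}")
        for c in a["commands"]:
            print("   ", c)
```

On the sample, the first `vssadmin delete shadows` is a hit at 14:39:05 and the alert is raised the moment `bcdedit` follows it 35 seconds later, well before encryption finishes. With no process logging and no EDR on the machine, nothing was in a position to see any of these four commands.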

📉 3. Business Impact: A Domino Effect

The compromise shut down:

GINESYS ERP – Inventory, billing, POS, supply chain management

Financial systems – Accounting, reporting, bank data

Customer records – Personal information, purchase history, contact data

Operational documents – Contracts, employee records, vendor agreements

A ransomware attack is not just a technical disruption — it is a business crisis, a financial disaster, and a reputational threat.

The estimated financial impact runs to:

₹75 lakh to ₹6 crore or more, once downtime, recovery, forensics, legal costs, and lost revenue are counted

🕵️ 4. The Forensic Findings: What We Learned

Our investigation revealed several critical truths:

✔ The initial breach was social engineering.

A simple phone call pretending to be tech support.

✔ Over 30 remote-access tool instances were installed.

Multiple ScreenConnect, AnyDesk, and UltraViewer installations: layered persistence, so that losing one foothold did not mean losing access.
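The initial access in section 1 and the finding above are the same control gap seen from two ends: a staff member is talked into installing a remote-access tool, and months later there are dozens of them. Both are caught by the same hunt, an inventory sweep for RMM agents compared against the list IT actually deployed. The script below is an added example, not the investigation's tooling. The inventory it scans is constructed to look like collector output (running processes, services, installed programs); paths, hostnames and users are placeholders, and the tools beyond the three named in the report are listed as an assumption about commonly abused agents.

```python
"""Hunt for remote-access (RMM) tools in a Windows host inventory.

Added example, not the tooling used in the Ishwar Retail investigation.
The inventory is constructed to look like what a collector would pull from
running processes, services and the Uninstall registry keys.
"""
import re

# Tool -> name/path patterns. ScreenConnect, AnyDesk and UltraViewer are the
# tools named in the report; the others are commonly abused RMM agents added
# here as an assumption. Any list like this needs periodic updating.
RMM_INDICATORS = {
    "ScreenConnect": [r"screenconnect", r"connectwise control"],
    "AnyDesk":       [r"anydesk"],
    "UltraViewer":   [r"ultraviewer"],
    "TeamViewer":    [r"teamviewer"],
    "Splashtop":     [r"splashtop"],
    "RustDesk":      [r"rustdesk"],
    "NetSupport":    [r"netsupport", r"\bclient32\.exe"],
}
_COMPILED = {tool: [re.compile(p, re.I) for p in pats]
             for tool, pats in RMM_INDICATORS.items()}

# Directories a non-admin user can write to. An RMM agent running from here was
# installed by (or as) the logged-in user, which is exactly what a "tech support"
# caller talking a staff member through an install looks like on disk.
_USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)

def match_tool(entry):
    """Return the RMM tool an inventory entry belongs to, or None if it is not one."""
    haystack = f"{entry.get('name', '')} {entry.get('path', '')}"
    for tool, patterns in _COMPILED.items():
        if any(p.search(haystack) for p in patterns):
            return tool
    return None

def hunt(inventory, approved=()):
    """Group RMM findings into approved vs unauthorized tools.

    `approved` is the set of tools IT actually deployed (for example the
    vendor's sanctioned support tool); everything else is unauthorized.
    """
    approved = {t.lower() for t in approved}
    result = {"unauthorized": {}, "approved": {}, "user_writable": []}
    for entry in inventory:
        tool = match_tool(entry)
        if tool is None:
            continue
        bucket = "approved" if tool.lower() in approved else "unauthorized"
        result[bucket].setdefault(tool, []).append(entry)
        if _USER_WRITABLE.search(entry.get("path", "")):
            result["user_writable"].append(entry)
    return result

def severity(result):
    """Two or more unapproved tools, or any RMM binary in a user-writable path,
    is critical: that is layered, user-installed persistence, not an IT rollout."""
    n = len(result["unauthorized"])
    if n >= 2 or result["user_writable"]:
        return "critical"
    return "high" if n == 1 else "none"

# Constructed inventory (hostnames, users and paths are placeholders).
SAMPLE_INVENTORY = [
    {"kind": "process", "name": "ScreenConnect.ClientService.exe",
     "path": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe"},
    {"kind": "process", "name": "AnyDesk.exe",
     "path": r"C:\Users\pos01\AppData\Roaming\AnyDesk\AnyDesk.exe"},
    {"kind": "service", "name": "AnyDesk",
     "path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
    {"kind": "program", "name": "UltraViewer 6.6",
     "path": r"C:\Program Files (x86)\UltraViewer"},
    {"kind": "process", "name": "UltraViewer_Desktop.exe",
     "path": r"C:\Users\pos01\AppData\Local\Temp\UltraViewer_Desktop.exe"},
    {"kind": "process", "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"kind": "program", "name": "Ginesys ERP Client", "path": r"C:\Ginesys"},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_INVENTORY)
    print("severity:", severity(findings))
    for tool, entries in findings["unauthorized"].items():
        for e in entries:
            print(f"  UNAUTHORIZED {tool:13} {e['kind']:8} {e['path']}")
    for e in findings["user_writable"]:
        print(f"  USER-INSTALLED {e['path']}")
```

Run this weekly against every endpoint and the eight-month dwell collapses to a week. The `approved` argument matters: if the ERP vendor genuinely uses one of these tools for support, whitelist that tool and verify its installs come from the vendor's signed package in Program Files, never from a user's Downloads or Temp folder.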

✔ Backups were stored on the same system.

The only copies lived on the machine being encrypted, so they were encrypted with the rest.

✔ No antivirus was running on the machine.

The malware executed freely.

✔ No monitoring detected 8 months of unauthorized access.

Not a single alert was generated.

✔ Data exfiltration is highly likely.

Eight months of administrator access gave ample opportunity, and although the attacker covered their tracks, the lack of evidence is not proof that nothing left. The incident has to be handled as a data breach, not only an encryption event.

If this sounds frightening, it should. But it is also a lesson.

🛡️ 5. The Recovery Strategy: What We Did Next

We executed a complete response operation:

1. Containment

Affected systems were isolated immediately.

2. Evidence Preservation

We captured logs, file metadata, user activity, and forensic artifacts.

3. Recovery

We initiated PhotoRec-based file carving, recovering pre-encryption remnants of deleted files from unallocated disk space. With the backups gone, this was the only non-ransom recovery option, and it is a partial one: carving by file signature returns files without their original names or folder structure, and only those whose blocks had not yet been overwritten.

4. System Rebuilding

Complete reinstallation of compromised systems.

5. 30/60/90-Day Hardening Plan

Covering backups, EDR, network segmentation, SIEM, policies, user training, and more.

6. Reporting to Authorities

Including national cybercrime agencies, CERT-In, and insurance channels. CERT-In's 2022 directions require covered incidents to be reported within six hours of being noticed, so this step runs alongside containment, not after recovery.
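Steps 2 and 3 above each hide a practical question: how do you prove later that the evidence is what you collected, and how do you decide which files are worth recovery effort? The script below is an added example, not the team's actual IR tooling. It builds a SHA-256 manifest with file metadata (run against a copy or a read-only mounted image, never the live evidence disk) and triages each file as intact, encrypted or a ransom note. The sample directory tree, file names, the ".enc" extension and the note wording are constructed; the entropy threshold and the note keywords are assumptions, not LockBit's real markers.

```python
"""Evidence preservation and file triage for a ransomware-hit directory.

Added example, not the team's actual IR tooling. The sample tree, file
names, ".enc" extension and note wording are constructed; the entropy
threshold and note keywords are assumptions.
"""
import hashlib
import json
import math
import os
import tempfile
import time
from collections import Counter

HIGH_ENTROPY = 7.5                                   # bits/byte; ciphertext is ~7.99
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin", ".onion")   # assumed note markers

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify_file(path):
    """'ransom_note', 'encrypted' or 'intact'. Caveat: compressed media (zip,
    jpeg, mp4) is also high-entropy; in production also check magic bytes."""
    with open(path, "rb") as f:
        head = f.read(65536)
    if len(head) < 8192:
        text = head.decode("utf-8", errors="ignore").lower()
        if sum(k in text for k in NOTE_KEYWORDS) >= 2:
            return "ransom_note"
    return "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "intact"

def build_manifest(root):
    """One record per file: path, size, mtime, SHA-256, triage class."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            st = os.stat(p)              # metadata first, before any read
            records.append({
                "path": os.path.relpath(p, root),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(p),
                "class": classify_file(p),
            })
    return records

def summarize(records):
    return dict(Counter(r["class"] for r in records))

def verify_manifest(root, records):
    """Re-hash recorded files; return paths that changed or vanished since capture."""
    changed = []
    for r in records:
        p = os.path.join(root, r["path"])
        if not os.path.exists(p) or sha256_file(p) != r["sha256"]:
            changed.append(r["path"])
    return changed

def make_sample_tree():
    """Constructed evidence tree: two intact documents, two encrypted-looking
    files (random bytes stand in for ciphertext) and a ransom note."""
    root = tempfile.mkdtemp(prefix="evidence_")
    erp = os.path.join(root, "ERP")
    os.makedirs(erp)
    with open(os.path.join(erp, "invoice_2025_10.txt"), "w") as f:
        f.write("Invoice 1042\nItem: cotton shirt, qty 12, rate 450\n" * 40)
    with open(os.path.join(erp, "stock.csv"), "w") as f:
        f.write("sku,qty\n" + "\n".join(f"SKU{i},{i * 3}" for i in range(300)))
    for name in ("ledger.xlsx.enc", "customers.db.enc"):
        with open(os.path.join(erp, name), "wb") as f:
            f.write(os.urandom(16384))
    with open(os.path.join(erp, "RESTORE-FILES.txt"), "w") as f:
        f.write("Your files are encrypted. To decrypt them, pay the ransom in "
                "bitcoin through our .onion portal.\n")
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    manifest = build_manifest(root)
    print(json.dumps(manifest, indent=2))
    print("summary:", summarize(manifest))
    print("unchanged since capture:", verify_manifest(root, manifest) == [])
```

The manifest is what goes into the case file and to the insurer: if a hash in it ever changes, the evidence chain is broken. The triage column tells the recovery team where carving can still pay off (directories with intact files and recently deleted originals) and which encrypted files are, barring a key, a dead end.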

This was a crisis — but it was contained.

🧠 6. The Real Lesson: Security Isn’t Optional

The most important truth from this incident:

This attack was 100% preventable.

If the organization had:

Basic antivirus

A 3-2-1 backup strategy

Staff training

Call-back verification for anyone claiming to be vendor support, using a number from the vendor contract rather than one the caller supplies

EDR or SIEM

MFA-enabled accounts

The attack could have been stopped at Phase 1.

But like many Indian businesses… security was seen as an expense, not an investment.

Today’s attackers are not kids with laptops — they are organized cybercrime groups, using:

Social engineering

Remote access tools

Fileless malware

Strong encryption

Ransomware-as-a-service networks

To defend against them, organizations need:

Policy

Maturity

Technology

Training

Monitoring

Leadership commitment

Not just tools.

🎖️ 7. Leadership, Trust & Mission

This investigation was high-pressure and time-critical. I am deeply grateful to Major Dhruval Varshney, whose trust and belief in my ability allowed me to lead this operation with full clarity and authority.

His support reinforced one thing:

Cybersecurity is not just a technical field — it is a mission. A responsibility. A commitment to protect.

🚀 8. Conclusion: Defenders Must Evolve Faster Than Attackers

The Ishwar Retail ransomware attack is a reminder that:

Threat actors are patient

Social engineering is deadly

Backups are your last line of defense

Ransomware is not decryptable without the attacker's key; plan for recovery, never for decryption

Prevention is always cheaper than recovery

Every Indian organization must upgrade its cyber posture — not next year, not next quarter, but now.

Because attackers don’t wait. They evolve every day. And defenders need to evolve twice as fast.