Full Report
This is to inform you of a potential cyber security incident caused by suspected ransomware attack on the Company’s IT infrastructure & network, identified on May 16, 2026. Independent firm specialized in Forensic assessment has been engaged to identify the root cause of the incident. Intimation in this regard also has been made to CERT-in. Based on the initial assessment, the incident has not impacted on the continuity of our business and operations and there doesn't appear to be any material impact on the Company's operations. This disclosure is being made as a measure of good governance, for your kind information and records. https://nsearchives.nseindia.com/corporate/3IINFOTECHLTD_18052026155404_Disclosure.pdf
Analysis Summary
# Incident Report: Suspected Ransomware Attack on 3i Infotech Ltd.
## Executive Summary
On May 16, 2026, 3i Infotech Ltd. identified a potential cybersecurity incident involving a suspected ransomware attack on its IT infrastructure and network. Initial assessments indicate that business continuity and operations have not been materially impacted. The company has engaged external forensic experts and notified regulatory authorities to determine the root cause.
## Incident Details
- **Discovery Date:** May 16, 2026
- **Incident Date:** Suspected May 16, 2026 (or shortly prior)
- **Affected Organization:** 3i Infotech Ltd.
- **Sector:** Information Technology (IT) Services
- **Geography:** India
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed/Under investigation.
- **Vector:** Suspected ransomware; specific entry vector (e.g., phishing, RDP exploit) is currently undergoing forensic evaluation.
- **Details:** The incident targeted the company's internal IT infrastructure and network.
### Lateral Movement
- Details regarding lateral movement are currently undisclosed pending the results of the forensic assessment.
### Data Exfiltration/Impact
- **Status:** Initial assessment suggests no material impact on business continuity. There is currently no confirmed evidence of data exfiltration, though this remains a point of tracking for the investigation.
### Detection & Response
- **May 16, 2026:** Incident identified by the internal IT team.
- **May 18, 2026:** Formal disclosure filed with the National Stock Exchange (NSE); CERT-In notified.
- **Ongoing:** Independent forensic firm performing root cause analysis.
## Attack Methodology
*Note: Specific technical details have not been released due to the ongoing nature of the investigation.*
- **Initial Access:** Suspected Ransomware.
- **Persistence:** Under Investigation.
- **Privilege Escalation:** Under Investigation.
- **Defense Evasion:** Under Investigation.
- **Credential Access:** Under Investigation.
- **Discovery:** Under Investigation.
- **Lateral Movement:** Under Investigation.
- **Collection:** Under Investigation.
- **Exfiltration:** No material impact reported to date; under assessment.
- **Impact:** Encryption of IT infrastructure (attempted or partial).
## Impact Assessment
- **Financial:** No material impact reported at the time of disclosure.
- **Data Breach:** Under investigation; volume and type of data involved are currently TBD.
- **Operational:** Low; business continuity has been maintained.
- **Reputational:** Moderate; as an IT services provider, security posture is a key client trust factor.
## Indicators of Compromise
- **Network indicators:** None disclosed (investigation ongoing).
- **File indicators:** None disclosed (investigation ongoing).
- **Behavioral indicators:** Abnormal network activity within IT infrastructure leading to the identification of ransomware.
## Response Actions
- **Containment measures:** Isolation of affected IT infrastructure and network segments upon detection on May 16.
- **Eradication steps:** Engagement of an independent forensic assessment firm to identify and remove the threat.
- **Recovery actions:** Validation of system integrity to ensure business continuity; notification provided to CERT-In.
## Lessons Learned
- **Early Detection:** The ability to identify the threat on May 16 prevented a "material impact" on operations, highlighting the value of monitoring.
- **Transparency:** Proactive disclosure to the stock exchange and regulators (CERT-In) even when the impact is non-material supports good governance and maintains stakeholder trust.
## Recommendations
- **Zero Trust Architecture:** Implement strict segmentation between corporate IT networks and client-facing service environments.
- **Endpoint Detection & Response (EDR):** Ensure comprehensive coverage of all internal servers to catch ransomware activities before encryption begins.
- **Audit Access:** Review all remote access logs (VPN/RDP) for the 48 hours preceding May 16 to identify potential compromised credentials.
- **Backup Verification:** Perform an immediate "heartbeat" check on off-site, immutable backups to ensure rapid recovery if the situation escalates.