
Cl0p Ransomware Operators have Struck Indiabulls Group, a well-established Indian Conglomerate – Data Leak

Update as of 07/01/2020: The Cl0p ransomware operators have released part 3 of the IndiaBulls Group data leak.

[Screenshot]

Our researchers are currently analysing the leaked data.

Update as of 06/26/2020: The Cl0p ransomware operators have released part 2 of the IndiaBulls Group data leak.

[Screenshot]

It appears that the company has still not agreed to the ransomware operators' terms. Our researchers are currently analysing the leaked data.

Update as of 06/24/2020: The ransomware operators have released part 1 of the leaked data (around 4.75 GB) and have threatened to release part 2 within the next 24 hours.

[Screenshot]

Cyble researchers analysed data leak part 1 and found:

  • Aadhaar cards, voter IDs, PAN cards, passports and driving licences of customers
  • Customer loan details, including the address of the property against which each loan was taken, customers' current addresses, personal email IDs and mobile numbers
  • Indiabulls employee data, including employee names, employee user IDs, official email IDs, operating branch and mobile numbers
  • Private keys and certificates used to access ENet services from bank(s)
  • Letters sent to banks requesting the opening of new current accounts, including the names of the IndiaBulls account signatories

The private keys and certificates in the dump should be treated as compromised: anyone holding the leak can present them wherever they are accepted, so the certificates need to be revoked and fresh key pairs issued, independent of whether the ransom is paid.
[Screenshots of the leaked documents]

Update as of 06/23/2020: The Cl0p ransomware operators have allegedly struck IndiaBulls Group, a well-established Indian conglomerate.

Indiabulls Group was founded in 1999 as a financial services company. Today, the Group's businesses span housing and consumer finance through independent companies listed on Indian stock exchanges. With around 19,000 employees, the company reports average revenue of about 25,000 crore Indian rupees. It currently has three operating divisions: Indiabulls Housing Finance Ltd, Indiabulls Ventures Ltd, and Indiabulls Real Estate Ltd.

At this point, the leaked data appears to be a warning from the ransomware operators, giving Indiabulls Group 24 hours to accept their terms. Otherwise, the Cl0p operators typically go on to leak a large portion of the company's confidential data.

[Screenshot]

As with previous data leaks, the Cyble Research Team has identified and analysed the leaked documents. The current leak includes snapshots of highly sensitive bank-related documents belonging to the company, such as account transaction details, vouchers, letters sent to bank managers, and more. Below are a few of the snapshots leaked by the Cl0p ransomware operators.

[Screenshots of the leaked documents]

It should further be noted that a recent public report suggests Indiabulls has a Citrix NetScaler ADC VPN gateway exposed to the Internet that is vulnerable to CVE-2019-19781, the pre-authentication directory traversal in the ADC/Gateway web interface that has been exploited in the wild since January 2020. At this stage, Cyble is unable to verify whether this vulnerability was the cause of the breach.
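A defender reading this would want to know whether their own gateway logs show the CVE-2019-19781 traversal pattern. The script below is an added example for this post, not Cyble's tooling: it applies the same test that Citrix's published mitigation applied to incoming requests (a URL that reaches `/vpns/` through `/../`, after percent-decoding) to access-log lines. The log lines are constructed, and the three-field line layout (client, quoted "METHOD path", status) is an assumption; adapt `LOG_RE` to your gateway's actual access-log format.

```python
"""Scan gateway access-log lines for the CVE-2019-19781 traversal indicator.

Added example for this post, not Cyble's tooling. The SAMPLE_LOG lines are
constructed, and the line layout parsed by LOG_RE is an assumption.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Client, "METHOD path", status.
SAMPLE_LOG = """\
203.0.113.5 "GET /vpn/../vpns/cfg/smb.conf" 200
203.0.113.5 "POST /vpn/../vpns/portal/scripts/newbm.pl" 200
198.51.100.7 "GET /vpn/%2e%2e/vpns/cfg/smb.conf" 200
198.51.100.7 "GET /vpn/%252e%252e/vpns/cfg/smb.conf" 403
192.0.2.10 "GET /vpn/index.html" 200
192.0.2.11 "GET /logon/LogonPoint/index.html" 200
"""

# Assumed log layout; change this to match the gateway's real format.
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Paths seen in public scanning and exploitation of CVE-2019-19781: a readable
# smb.conf proves the traversal works; newbm.pl was used as the write primitive.
KNOWN_TARGETS = ("/vpns/cfg/smb.conf", "/vpns/portal/scripts/newbm.pl")


def normalize(path: str) -> str:
    """Drop the query string and percent-decode until stable (bounded), so
    %2e%2e and double-encoded %252e%252e both become '..'."""
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(raw_path: str) -> Optional[dict]:
    """Return a finding for a request path carrying the indicator, else None.

    Mirrors the Citrix responder policy: any /vpns/ access is suspect, and one
    reached via /../ is the traversal itself (high severity)."""
    path = normalize(raw_path)
    if "/vpns/" not in path.lower():
        return None
    traversal = "/../" in path
    return {
        "path": path,
        "severity": "high" if traversal else "medium",
        "known_target": any(path.lower().endswith(t) for t in KNOWN_TARGETS),
    }


def scan(log_text: str) -> List[dict]:
    """Parse each log line and collect findings; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify(m.group("path"))
        if finding is None:
            continue
        finding.update(client=m.group("client"), method=m.group("method"),
                       status=int(m.group("status")))
        # A 200 on a traversal read of smb.conf means the mitigation was not in
        # place when that request arrived, not merely that someone tried it.
        finding["succeeded"] = finding["status"] == 200 and finding["known_target"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Run it against the constructed sample and four of the six lines are flagged, all as traversal attempts; three of them returned 200 on a known target, which is the signal that the gateway was unmitigated at the time, and is what should trigger an incident rather than just a patch ticket. A 403 on the double-encoded request shows the mitigation (or a WAF) catching a later attempt.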

The Cl0p ransomware operators came to the attention of the cybersecurity community in February 2019. The group's modus operandi is similar to that of other groups such as Maze and REvil:

  • Initial access to an organisation is acquired from other cybercriminal groups (access brokers). In some instances, we have also observed the group exploiting known remotely exploitable vulnerabilities itself.
  • Once initial access is obtained, the group typically maps the victim's network and escalates privileges to reach a large subset of the victim's systems.
  • The group fully understands its victims' reputational risk, so its approach is "steal, lock/encrypt and inform". Like Maze, REvil and others, the group typically communicates the ransom note via email.
  • If the victim fails to pay the ransom, the group leaks or publishes the stolen data on its dark-web site.
  • Public reports suggest ties between the ransomware group and the TA505 threat actor. TA505 (also tracked as SectorJ04, and commonly associated with Evil Corp in public reporting) is a known threat actor that has targeted the financial sector and has been operating since 2014.

Some of the group’s recent activities are:

We recommend that people:

  • Never share personal information, including financial information, over the phone, email or SMS
  • Use strong passwords and enable multi-factor authentication wherever possible
  • Regularly monitor their financial transactions and contact their bank immediately if they notice anything suspicious
  • Turn on automatic software updates on computers, mobiles and other connected devices wherever possible and practical
  • Use a reputable anti-virus and internet security package on their connected devices, including PCs, laptops and mobiles

People who are concerned about their exposure on the dark web can register at AmiBreached.com to check it.

About Cyble:

Cyble is a US-based cyber threat intelligence company with the express mission to provide organizations with real-time views of their supply chain cyber threats and risks.
