Cl0p Ransomware Operators have Struck Indiabulls Group, a well-established Indian Conglomerate – Data Leak

Update as on 07/01/2020: The CLOP ransomware operators released data leak part 3 of IndiaBulls Group.

Currently, our researchers are in progress of analyzing the leaked data

Update as on 06/26/2020: The CLOP ransomware operators released data leak part 2 of IndiaBulls Group.

It seems that the company still not been ready to comply with the terms of ransomware operators. Currently, our researchers are in progress of analyzing the leaked data.

Update as on June 06/24/2020: – Ransomware operators have released part 1 of the leaked data (around 4.75GB) and have threatened to release part 2 in the next 24 hours.

Cyble researchers analysed data leak part 1 and found-:

  • Aadhar card, voter ID, PAN Card, Passports, Driving License of customers
  • Customer loan details along with the property address against which loan has been taken, present address of customers along with their personal email IDs and mobile numbers
  • Indiabulls employee data which includes employee name, employee user IDs, official e-mail IDs, operating branch, and mobile numbers
  • Private keys and certificates for facilitating ENet services from bank(s)
  • Letters sent to banks requesting to open new current accounts along with names of the IndiaBulls account signatories.

Update as of 06/23/2020: Here the CLOP ransomware operators allegedly struck IndiaBulls Group, a well-established Indian conglomerate company.

Indiabulls Group was founded in 1999as a financial services company. Today, the Group has businesses spread across housing and consumer finance through independent and listed companies on Indian stock exchanges. With around 19,000 number of employees, the company has been earning an average revenue of 25,000 crore Indian rupees. Currently, the company has three operating divisions: Indiabulls Housing Finance Ltd, Indiabulls Ventures Ltd, and Indiabulls Real Estate Ltd.

As per now, the leaked data seems to be a warning by the ransomware operators to Indiabulls group to accept their terms within 24 hours. Otherwise, CLOP operators tend to leak a large lot of the company’s confidential data.

Just as in the case of previous data leaks, the Cyble Research Team has identified and analyzed the leaked documents. The current data leak includes snapshots of highly sensitive bank-related documents of the company such as account transaction details, vouchers, letters sent to bank managers, and much more. Below are few snapshots been leaked by the CLOP ransomware operators.

It should be further noted, that there is a recent public report suggesting that Indiabulls has a Citrix Netscaler ADC VPN gateway exposed, which is vulnerable to the CVE-2019-19781 vulnerability. At this stage, Cyble is unable to verify if this vulnerability was the cause of the breach.

The Cl0P ransomware operators came into the attention of the cybersecurity community in Feb 2019. The group modulus of operanda (i.e. OPPSEC) is similar to other groups such as Maze and Revil, whereby:

  • Acquire / initial entry point to organisations from other cybercriminals groups. In some instances, we have noticed the groups exploiting known remote vulnerabilities as well.
  • Once the initial access is acquired, the group typically attempts to learn more about their victim’s network and attempts to elevate its privileges to gain access to a large subset of the victim’s systems
  • They fully understand their victim’s reputational risks, and hence their approach is “steal, lock/encrypt and inform”. Like other ransomware groups such as Maze, Revil and others, the group communicated the ransomware note (typically) via email
  • If the victim fails to pay their ransomware, they leak/publish their data on their sites (hosted at darkweb).
  • There are public reports suggesting ties between the ransomware group to the TA505 threat actor. TA505 / SectorJ04 / Evil Corp is a known threat actor, known for targeting the financial sector, has been operating since 2014.

Some of the group’s recent activities are:

  • March 2020 – breached the UK-based Logistics Company, EV Cargo Logistics. Cyble detected and reported the breach.
  • March 2020 – breached ExecuPharma and stole 163 GB of data.

We recommend people to:

  • Never share personal information, including financial information over the phone, email or SMSs
  • Use strong passwords and enforce multi-factor authentication where possible
  • Regularly monitor your financial transaction, if you notice any suspicious transaction, contact your bank immediately.
  • Turn-on automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
  • Use a reputed anti-virus and internet security software package on your connected devices including PC, Laptop, Mobile

People who are concerned about their exposure in darkweb can register at to ascertain their exposure.

About Cyble:

Cyble is a US-based cyber threat intelligence company with the express mission to provide organizations with real-time views of their supply chain cyber threats and risks.

Scroll to Top