Ransomware Attack on IL&FS

LOCKBIT Ransomware Group Strikes Third Indian Conglomerate in February 2023

LOCKBIT, one of the most prolific ransomware groups currently active, claimed on February 28, 2023 to have compromised the network of the Indian infrastructure-finance company Infrastructure Leasing & Financial Services Limited (IL&FS).

IL&FS made headlines in 2018 when its deteriorating finances and debt defaults triggered a crisis among India's non-banking financial companies (NBFCs) and a liquidity squeeze that destabilized several other Indian corporates.

The group claims to have exfiltrated a large volume of data, including contracts, personal data, passport scans, postal correspondence, and financial documents. To back the claim, it posted 12 screenshots of the stolen files, and the countdown on its leak site set a deadline of March 10, 2023. Once that deadline passes, LOCKBIT threatens to publish the IL&FS data on its leak site. Public exposure of stolen data is the second leg of the group's extortion model, alongside encryption of the victim's systems and the further pressure tactics (such as DDoS) that make up what LOCKBIT markets as triple extortion.

Figure 1 – Excerpt from LOCKBIT Ransomware Group’s Leak Site Claiming Compromise of IL&FS

Overview of LOCKBIT Ransomware

The LOCKBIT operation has evolved steadily over the years, and the pace picked up after the LOCKBIT Black (LOCKBIT 3.0) builder was leaked in September 2022, which put a working encryptor in the hands of unaffiliated actors.

As reported earlier in February 2023, the LOCKBIT operation has started deploying a new variant, referred to as "LOCKBIT Green", the fourth iteration of its ransomware. Its encryptor is derived from the leaked source code of the Conti ransomware rather than from the group's earlier LOCKBIT Black codebase.

In February 2023 alone, the group also claimed two other Indian conglomerates as victims: SRF Limited and Mangala Marine Exim India Private Limited.

LOCKBIT has significantly increased its activity since December 2022 and remains among the most notorious ransomware groups in 2023, with 173 organizations listed on its leak site in January and February. Most victims were based in the US, followed by the UK and France.

Across these countries the group has hit a broad range of industries, with the Services sector accounting for the largest share of victims. Healthcare, banking, financial services and insurance (BFSI), and Government organizations are also among the worst-hit sectors.

Figure 2 – Sectoral Impact of LOCKBIT Ransomware

Analysis of LOCKBIT’s Claims

Cyble Research & Intelligence Labs (CRIL) examined the 12 screenshots posted on the leak site to assess the validity of LOCKBIT's claims. The screenshots include:

  • A confidential Memorandum of Understanding (MoU) with a foreign bank, dated May 2021
  • Passport images of three foreign nationals
  • A Tripartite Agreement submitted by IL&FS to an Indian regulatory body in 2010
  • Income Tax Returns and an excerpt of a 2021 audit report of an erstwhile IL&FS subsidiary in the IT & ITES business
  • A Hypothecation Deed for Receivables signed by IL&FS with another Indian entity in 2017
  • An Investment Termination Agreement between several foreign entities, dated May 2022
  • Another confidential Memorandum of Understanding, executed to renew services on a foreign government project
  • A confidential Operations & Management Services Agreement in which a foreign company and its Indian subsidiary act as service provider to a foreign investment firm as the customer

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the practices given below:

Safety Measures Needed to Prevent Ransomware Attacks 

  • Back up data regularly, keep the backups offline or on a segregated network, and periodically test that they can actually be restored. 
  • Turn on automatic software updates on computers, mobile devices, and other connected devices wherever possible and practical. 
  • Use a reputable anti-virus and Internet security package on all connected devices, including PCs, laptops, and mobiles. 
  • Do not open untrusted links or email attachments without first verifying their authenticity. 

Users Should Take the Following Steps After the Ransomware Attack 

  • Isolate infected devices from the network immediately to stop lateral spread and further encryption. 
  • Disconnect any attached external storage devices. 
  • Inspect system and security logs for suspicious events, in particular the commands ransomware typically runs before encryption, such as shadow copy deletion and event log clearing. 
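The log-inspection step above is the one that is easiest to get wrong under pressure, so here is a small triage script as an added example. It is not Cyble's code and makes no claim about what happened at IL&FS; it scans process-creation events in an assumed plain-text format (`timestamp host user command`, constructed for this example) for the pre-encryption tradecraft common to LOCKBIT-style ransomware (shadow copy deletion, disabling Windows recovery, clearing event logs, tampering with Defender) and escalates a host only when two or more distinct categories appear on it, because any single command also has legitimate administrative uses.

```python
"""Triage helper: flag ransomware pre-encryption behaviour in process logs.

Added example, not part of the original report. Input format is an
assumption: one event per line, "timestamp host user command".
"""
import re

# Indicator categories. These are general ransomware tradecraft patterns,
# not indicators taken from the IL&FS incident.
SUSPICIOUS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I),
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the list of indicator categories a command line matches."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]


def triage(lines, min_categories=2):
    """Return (findings, escalated_hosts).

    findings: list of (timestamp, host, user, category) for every hit.
    escalated_hosts: hosts with at least min_categories distinct categories,
    sorted by name. A lone 'vssadmin delete shadows' from a backup account is
    plausible admin activity; the same host also disabling recovery and
    clearing logs is not.
    """
    findings = []
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip blank or malformed lines rather than crash mid-triage
        for category in classify(ev["cmd"]):
            findings.append((ev["ts"], ev["host"], ev["user"], category))
            per_host.setdefault(ev["host"], set()).add(category)
    escalated = sorted(h for h, cats in per_host.items() if len(cats) >= min_categories)
    return findings, escalated


# Constructed sample log: FS01 shows the full pre-encryption sequence,
# DC01 shows a single shadow-copy deletion that alone should not escalate,
# WS17 is benign noise.
SAMPLE_LOG = [
    r"2023-02-27T22:41:03Z FS01 CORP\svc_backup vssadmin.exe list shadows",
    r"2023-02-27T22:41:09Z FS01 CORP\svc_backup vssadmin.exe delete shadows /all /quiet",
    r"2023-02-27T22:41:15Z FS01 CORP\svc_backup bcdedit.exe /set {default} recoveryenabled No",
    r"2023-02-27T22:42:01Z FS01 CORP\svc_backup wevtutil.exe cl Security",
    r"2023-02-27T22:43:10Z WS17 CORP\jdoe notepad.exe C:\Users\jdoe\notes.txt",
    r"2023-02-27T22:45:00Z DC01 CORP\admin vssadmin.exe delete shadows /for=C: /oldest",
    "this line is not a valid event",
]

if __name__ == "__main__":
    hits, escalate = triage(SAMPLE_LOG)
    for ts, host, user, category in hits:
        print(f"{ts} {host} {user} {category}")
    print("escalate:", ", ".join(escalate) or "none")
```

Run against a real export, feed it the process-creation events (Windows Security 4688 or Sysmon Event ID 1 rendered into the assumed one-line format) and treat the escalated hosts as the starting point for isolation and forensic imaging; the per-line findings give the timeline that a later investigation needs.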

Impact and Criticality of Ransomware 

  • Loss of valuable data. 
  • Damage to the organization's reputation and integrity. 
  • Exposure of the organization's sensitive business information. 
  • Disruption of the organization's operations. 
  • Monetary loss. 

Indicators of Compromise (IoCs)

Indicators Indicator type Description 
LOCKBIT Green Binary
LOCKBIT Green Binary
LOCKBIT Green Binary
LOCKBIT Green Binary


All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.  

This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.  

It is an amalgamation of our collective research on this subject and is not directly promoting our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings. 
