Ransomware-Attack-IL&FS

Ransomware Attack on IL&FS

LOCKBIT Ransomware Group Strikes Third Indian Conglomerate in February 2023

LOCKBIT, the most nefarious ransomware group, claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.

IL&FS was in the news in 2018 for their troubled financial health leading to a grave NBFC financial crisis and liquidity drought that unraveled several other corporates in India.

The ransomware group allegedly compromised a large quantum of data containing contracts, personal data, passports, postal correspondence, and financial documents. In support of their claims, the group posted 12 screenshots of the leaked data, and the ticker on the leak site states the deadline of March 10, 2023. After that, the LOCKBIT group threatened to delete IL&FS data from their compromised servers and subsequently leak it as part of their triple-extortion technique to extort their victims.

Figure 1 – Excerpt from LOCKBIT Ransomware Group’s Leak Site Claiming Compromise of IL&FS

Overview of LOCKBIT Ransomware

The LOCKBIT ransomware group has evolved over the years, especially since the LOCKBIT Black or LOCKBIT 3.0 builder was leaked at the end of 2022.

As reported earlier in February 2023, The LOCKBIT ransomware operation has recently progressed to a new version, referred to as “LOCKBIT Green”, the fourth iteration of their ransomware. It uses an encryptor that has been derived from the leaked source code of the Conti ransomware.

In February alone, the ransomware group claimed to have compromised two other Indian conglomerates, SRF Limited, and Mangala Marine Exim India Private Limited.

LOCKBIT has significantly increased its activities since December 2022 and continues to be among the most notorious group in 2023, with 173 organizations succumbing to their attacks in January and February. Major attacks have been targeted against the US entities, followed by the UK and France.

The ransomware group has been targeting several industries across these countries, with most attacks on entities from the Services industry. Healthcare, BFSI, and Government organizations are also among the worst-hit sectors.

Figure 2 – Sectoral Impact of LOCKBIT Ransomware

Analysis of LOCKBIT’s Claims

Cyble Research & Intelligence Labs (CRIL) investigated the 12 samples that were leaked to ascertain the validity of LOCKBIT’s claims, including:

  • Confidential Memorandum of Understanding (MoU) of a Foreign Bank dated May 2021
  • Passport images of three foreign nationals
  • A Tripartite Agreement submitted by IL&FS to an Indian regulatory body in 2010.
  • Income Tax Returns and an excerpt of an Audit report from 2021 of an erstwhile IL&FS subsidiary in IT & ITES business
  • A Hypothecation Deed for Receivables signed by IL&FS with another Indian entity in 2017
  • An Investment Termination Agreement of a few foreign entities from May 2022
  • Another Confidential Memorandum of Understanding was executed to renew services regarding a foreign government project
  • A Confidential Operations & Management Services Agreement involving a foreign company and its Indian subsidiary as a service provider and a foreign investment firm as their customer

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures Needed to Prevent Ransomware Attacks 

  • Conduct regular backup practices and keep those backups offline or in a separate network. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Users Should Take the Following Steps After the Ransomware Attack 

  • Detach infected devices on the same network. 
  • Disconnect external storage devices if connected. 
  • Inspect system logs for suspicious events. 

Impact And Cruciality of Ransomware 

  • Loss of valuable data. 
  • Loss of the organization’s reputation and integrity. 
  • Loss of the organization’s sensitive business information. 
  • Disruption in organization operation. 
  • Monetary loss. 

Indicators of Compromise (IoCs)

Indicators Indicator type Description 
730f72a73ff216d15473d2789818f00c
ca94159bdb17051a6cce8a5deeee89942c9154b9
27b8ee04d9d59da8e07203c0ab1fc671215fb14edb35cb2e3122c1c0df83bff8
MD5 
SHA-1
SHA256  
LOCKBIT Green Binary
aacef4e2151c264dc30963823bd3bb17
9492c378a14e9606157145d49e35a9841383121d
45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315
MD5 
SHA-1
SHA256  
LOCKBIT Green Binary
ea34ac6bf9e8a70bec84e37afeea458a
fd443460ccd1110b0a77385f2f66a38d3f527966
fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3
MD5 
SHA-1
SHA256  
LOCKBIT Green Binary
37355f4fd63e7abd89bdc841ed98229f
a8d46a042e6095d7671dbac2aeff74c7bb5e792a
b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1
MD5 
SHA-1
SHA256
LOCKBIT Green Binary

Disclaimer

All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.  

This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.  

It is an amalgamation of our collective research on this subject and is not directly promoting our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings. 


Comments are closed.

Scroll to Top