Indiabulls cyber attack led to employee data being leaked. Ransomware operators demand a ransom. The company insisted that “information being leaked was not sensitive”.
On June 22, 2020 Indiabulls Group was hit with a ransomware attack. The attackers threatened to leak sensitive Indiabulls data. The CLOP ransomware operators behind the attack posted screenshots of the files stolen during the cyber attack.
The site states “INDIABULLS CONTACT US IN 24H” threatening that more data would be leaked if the ransom demand is not paid. The demand amount is unknown. According to Cyble, CL0P ransomware demands generally range from $50,000 to over $1 million – it depends on the target and negotiations.
Indiabulls acknowledged the breach. However, a company representative said that the information being leaked after the cyber attack was not sensitive.
“It appears that the management underestimated, or was misguided about the impact and responded inaccurately” (Cyble)
Cyble commented that Indiabulls’ statement was inaccurate because the breach had occurred several weeks earlier, not on Monday. They clarified that it takes time to get from the initial breach to data exfiltration and extortion.
Indiabulls data leak
Six files stolen in the Indiabulls data breach and initially leaked include: a voucher, a letter, and four spreadsheets related to the Indiabulls Pharmaceuticals and Indiabulls Housing Finance Limited subsidiaries.
The ransomware operators are currently leaking the data in parts. Cyble is researching its contents.
On June 24, 2020 the ransomware operators released part 1 of the leaked data and threatened to release part 2 within the next 24 hours. The archive is around 4.75 GB.
Part 1 of the leaked Indiabulls files contains the following:
- Aadhar card, voter ID, PAN Card, Passports, Driving License of customers
- Customer loan details along with the address of the property against which the loan was taken, the customers’ present addresses, and their personal email IDs and mobile numbers
- Indiabulls employee data which includes employee name, employee user IDs, official e-mail IDs, operating branch, and mobile numbers
- Private keys and certificates for facilitating ENet services from bank(s)
- Letters sent to banks requesting to open new current accounts along with names of the IndiaBulls account signatories.
On June 26, 2020 the ransomware operators released part 2 of the Indiabulls Group data leak.
On July 01, 2020 the ransomware operators released part 3 of the Indiabulls Group data leak.
Details of the Indiabulls security breach
According to Bleeping Computer, citing the cyber-intelligence firm Bad Packets, Indiabulls had a Citrix NetScaler ADC VPN gateway exposed to the internet that was vulnerable to CVE-2019-19781. Moreover, Indiabulls had run unpatched servers for a long time, leaving its systems exposed to attacks.
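A defender reading this would want to know whether an exposed Citrix ADC / Gateway appliance of their own had already been probed for CVE-2019-19781. The following is an added example, not code from the article, Cyble, Bad Packets or Citrix. It scans web access-log lines for the publicly documented indicator of that vulnerability (a directory traversal via `/../` that reaches the `/vpns/` path), decodes percent-encoding first so that `%2e%2e` is not missed, and reports whether the appliance actually served the request (a 2xx status suggests an unmitigated device). The log lines are constructed for the example, use RFC 5737 documentation addresses, and assume an Apache combined-style format; the function and variable names are the example's own.

```python
"""Flag Citrix ADC / Gateway access-log lines showing the CVE-2019-19781
path-traversal indicator. Added example for this article; the sample
log lines below are constructed, not real Indiabulls data."""
import re
from urllib.parse import unquote

# Constructed sample access log (hypothetical combined-style format).
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2020:10:02:11 +0530] "GET /vpn/index.html HTTP/1.1" 200 4311
203.0.113.9 - - [20/May/2020:10:02:13 +0530] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.9 - - [20/May/2020:10:02:15 +0530] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [20/May/2020:10:03:01 +0530] "GET /vpn/%2e%2e/vpns/portal/example.xml HTTP/1.1" 200 17
203.0.113.5 - - [20/May/2020:10:04:40 +0530] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9920
"""

# One combined-style access-log line: client IP, timestamp, request line, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str) -> str:
    """Undo percent-encoding repeatedly (bounded) so double-encoded
    traversal sequences such as %252e%252e are normalised to '..'."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_cve_2019_19781_pattern(path: str) -> bool:
    """True when the request path traverses with '/../' into '/vpns/',
    the indicator published for CVE-2019-19781 exploitation attempts."""
    p = fully_decode(path).lower()
    return "/vpns/" in p and "/../" in p


def scan_access_log(text: str) -> list:
    """Return one record per matching log line, noting whether the
    appliance served the request (2xx) rather than blocking it."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        if is_cve_2019_19781_pattern(m["path"]):
            rec = m.groupdict()
            rec["served"] = rec["status"].startswith("2")
            hits.append(rec)
    return hits


def sources(hits: list) -> dict:
    """Count flagged requests per client IP for triage and blocking."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        state = "SERVED - appliance likely unmitigated" if h["served"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} {state}')
    print("requests per source:", sources(scan_access_log(SAMPLE_LOG)))
```

Run against real appliance or reverse-proxy logs, a hit with a 2xx status dates the first probe and tells the responder how long the gateway sat exposed, which is exactly the gap Cyble describes between initial breach and extortion. A 403 on the same paths is what Citrix's published responder-policy mitigation returns, so the status column also shows whether the mitigation was in place at the time.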