Indiabulls Group, a well-established financial services company in India, has allegedly been hit with a cyberattack by the CLOP ransomware group, which is threatening to sell the company's stolen confidential data on one or more hacking forums.
Yesterday, researchers at the data-breach monitoring firm Cyble said that “the data leak includes snapshots of highly sensitive bank-related documents of the company such as account transaction details, vouchers, letters sent to bank managers, and much more”.
The CLOP ransomware group operates like other ransomware operators such as Maze and REvil: threat actors known to steal unencrypted files before deploying the ransomware, so that victims can be extorted with a leak threat even if they restore from backups.
Some public reports associate the CLOP operators with Evil Corp / TA505, a threat actor well known for targeting the financial sector since 2014.
The CLOP threat actors have posted screenshots of the stolen documents on their data leak site “CL0P^_- LEAKS”, threatening to leak more data if their ransom demand, of an undisclosed amount, is not met.
“Yesterday, our digital risk monitoring service provider, CloudSec, informed us that there has been an attempt to penetrate our peripheral systems. The information being leaked by these threat actors is not sensitive in nature. All data and information pertaining to our customers is safe and securely placed. We have successfully restored all the affected systems through our encrypted data back-up storage. Each and every system is functioning and operating normally,” an Indiabulls spokesperson said.
“Presently, we are analyzing the incident through cyber footprints to restrict future occurrences. We have already put in place stringent and rigid access management controls considering cybersecurity in the backdrop of the ongoing COVID-19 pandemic, and have implemented world class IT infrastructure tools and technologies to ensure cyber resilience and provide a robust business framework. We have been keeping our users updated through cyber security advisories at all levels at frequent intervals,” the company spokesperson further added.
The CLOP operators are believed to have carried out the attack by exploiting an unpatched vulnerability (CVE-2019-19781) in the company’s Citrix NetScaler ADC VPN gateway.
However, there is no confirmation that this is how the CLOP operators breached Indiabulls’ network and obtained its data.
Back in March 2020, the CLOP ransomware group breached the UK-based logistics company EV Cargo Logistics and the pharmaceutical company ExecuPharm, where they stole 163 GB of unencrypted data.