Hackers dump trove of IndiaBulls data as first ransom deadline ends
Ransom-seeking cyber criminals dumped a trove of sensitive data stolen from IndiaBulls Group, releasing close to 5 gigabytes (GB) of files containing customer identity documents, financial transaction statements and employee details in an ostensible attempt to make the company pay up, a private cybersecurity agency tracking the development said on Wednesday.
The data dump came at the end of a 24-hour deadline and was followed by a threat to leak another tranche of sensitive information, Singapore-based Cyble said, identifying the alleged hackers as a group deploying what is known as the CL0P ransomware.
The leak included scans of customers’ KYC (know your customer) documents such Aadhaar cards, voter ID, PAN cards and passports, employees’ official ID details and phone numbers, and private keys and certificates that can enable access to the IndiaBulls Group banks’ digital services, a Cyble representative told HT over email.
An IndiaBull representative acknowledged a breach on Tuesday, saying the group was informed of an attack on its “peripheral” systems on Monday and that information being leaked was not sensitive. On Wednesday, when asked about the trove released by hackers, the person said the company did not have anything more to add for now.
“Their statement is inaccurate as the breach occurred several weeks ago, not on Monday. As you would imagine, it takes time from the initial breach to data exfiltration and extortion. It appears that the management underestimated, or was misguided about the impact and responded inaccurately,” the Cyble spokesperson said.
A ransomware attack – which involves making a target’s files inaccessible by encrypting them -- is carried out almost always by cyber criminals with a money motive as compared to nation-state hackers who often target privileged access or disruption of an adversary’s systems.
In this instance, the hackers encrypted the files using the CL0P ransomware.
“CL0P ransomware demands generally range from $50,000 to over $1 million – it depends on the target and negotiations,” said the Cyble spokesperson, adding that the agency was not aware of the exact ransom amount in this case.
Gurugram-headquartered IndiaBulls Group has several subsidiaries that offer financial services, including housing finance and consumer loans. On its website, the group says it “has a net worth of more than ₹ 28,580 Cr. (as on 31st March, 2019)”.
It was not immediately clear how the company’s systems were breached, but Cyble, in its initial report on Tuesday, noted that the company was found to have vulnerabilities in its virtual private network (VPN) system. The exact method of the hack which would have allowed the ransomware to be installed was yet to be determined.
(With inputs from Rajeev Jayaswal)