CLOP Ransomware operators hacked Indian conglomerate IndiaBulls Group

Pierluigi Paganini June 23, 2020

CLOP ransomware operators have allegedly hacked IndiaBulls Group, an Indian conglomerate headquartered in Gurgaon, India.

CLOP ransomware operators have allegedly hacked the Indian conglomerate IndiaBulls Group, its primary businesses are housing finance, consumer finance, and wealth management. 

Indiabulls Group has around 19,000 employees, the company has been earning an average revenue of 25,000 crore Indian rupees. The company has three operating divisions: Indiabulls Housing Finance Ltd, Indiabulls Ventures Ltd, and Indiabulls Real Estate Ltd.

The CLOP ransomware operators leaked samples of the data stolen from the company and are threatening to release the overall dump within 24 hours if the victim will not pay the ransom.

“As per now, the leaked data seems to be a warning by the ransomware operators to Indiabulls group to accept their terms within 24 hours. Otherwise, CLOP operators tend to leak a large lot of the company’s confidential data.” reads a post published by threat intelligence firm Cyble.

“The current data leak includes snapshots of highly sensitive bank-related documents of the company such as account transaction details, vouchers, letters sent to bank managers, and much more.”

Researchers at Cyble Research Team have discovered the data leak while monitoring fraudulent activities in the deep and dark web.

Stolen data includes highly sensitive documents of the company, including banking account transaction details, vouchers, and letters sent to bank managers.

Below one of the snapshots leaked by the CLOP ransomware operators as proof of the hack.

According to Cyberintelligence firm Bad Packets, hackers allegedly exploited the CVE-2019-19781 vulnerability in the Citrix Netscaler ADC VPN gateway exposed by Indiabulls.

The CVE-2019-19781 vulnerability affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

The issue was discovered in December and could be exploited by attackers to access company networks. In January, Citrix announced then permanent fixes for the above remote code execution vulnerability.

Cyber researchers recommend people to:

  • Never share personal information, including financial information over the phone, email or SMSs
  • Use strong passwords and enforce multi-factor authentication where possible
  • Regularly monitor your financial transaction, if you notice any suspicious transaction, contact your bank immediately.
  • Turn-on automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
  • Use a reputed anti-virus and internet security software package on your connected devices including PC, Laptop, Mobile

People who are concerned about their exposure in darkweb can register at to ascertain their exposure.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment