Cyber Incident Victim: Aarti Drugs

Date:

Sep 2022

Location:

India

Summary

A pharmaceutical company suffered a ransomware attack by the BianLian group, resulting in the theft and subsequent dark web leak of approximately 6 GB of sensitive data, including employee records, financial documents, tax filings, and research information. The attackers demanded a ransom of 20 Bitcoin (roughly ₹15.8 lakh) for the decryption keys; negotiations failed and part of the stolen data was publicly released. The BianLian ransomware is written in the Go programming language, which allows the group to deploy smaller payloads that evade detection more readily, and its primary initial-access vector is the exploitation of Remote Desktop Protocol (RDP) weaknesses. The incident reflects broader cybersecurity challenges in the pharmaceutical sector, where critical vulnerabilities often remain unpatched even after security audits have identified them.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

Aarti Drugs Ltd., a major Indian pharmaceutical company, experienced a ransomware attack on September 9, 2022. The BianLian ransomware group infiltrated the company's systems, exfiltrating approximately 6 GB of sensitive data before encrypting files and demanding payment. The stolen data included business and administrative records such as loan documents, tax filings, employee records (including passport copies and insurance documents), formulation and research data, and financial and audit reports. The attackers demanded 20 Bitcoin (equivalent to approximately ₹15.8 lakh at the time) in exchange for the decryption key. When ransom negotiations failed, the BianLian group leaked the stolen data on their dark web site, making sensitive corporate and employee information publicly accessible. This breach occurred just one day before another major Indian pharmaceutical firm, Ipca Laboratories, was targeted in a separate ransomware attack by the RansomHouse group, though the two incidents appear unrelated beyond their temporal proximity and shared industry sector.

The BianLian ransomware used in the attack was coded in the Go programming language, which enabled threat actors to deploy smaller payloads and evade detection more effectively. The group primarily exploited vulnerabilities in Remote Desktop Protocol (RDP) systems to gain initial access. Analysis by cybersecurity firm Technisanct confirmed the exposure of critical business operations data and personally identifiable employee information. This incident occurred within a broader pattern of at least nine cyberattacks targeting Indian pharmaceutical companies since 2021, with industry experts noting the absence of sector-specific cybersecurity regulations comparable to the RBI's standards for banking and financial services. Nandakishore Harikumar of Technisanct observed that many pharmaceutical organizations conducted security audits but consistently failed to implement vulnerability patches, leaving systemic weaknesses unaddressed. The data leak exposed the company to potential financial fraud, intellectual property theft, and regulatory compliance risks, while compromised employee documents increased individuals' exposure to identity theft.

Sources: 1 source (available to members)