Cyber Incident Victim: Kendriya Vidyalaya
Date: May 2021
Location: India
Summary
The Arvin Club ransomware group compromised Kendriya Vidyalaya, a chain of central government schools in India, exposing personally identifiable information of students. The group maintained Telegram channels and an Onion website to disseminate breach details, but it did not deploy encryption-based ransomware or demand extortion; instead it focused on data exfiltration and public leaks. Its activities included showcasing affiliations with other threat actors such as REvil while denying alleged ties to state-sponsored entities. The reliance on public data publication rather than encryption and ransom negotiation distinguishes its operations from conventional ransomware tactics.
Description
The Arvin Club cyber incident involving Kendriya Vidyalaya, a chain of central government schools in India, occurred prior to May 2021, with the group publicly disclosing student Personally Identifiable Information (PII) through its official TOR website. Arvin Club maintained an active online presence through multiple Telegram channels and its Onion site, which listed victim organizations and breach dates, though the group did not claim direct responsibility for most listed entities. Its Telegram channels, including one official channel with 3,000 subscribers, served as hubs for discussions among threat actors with moderate to high reputations on cybercrime forums, with Persian as the primary language of communication. The group’s TOR site, operational since at least May 5, 2021, functioned as a platform to publish breach details, including the Kendriya Vidyalaya data leak. Forensic evidence suggested, however, that Arvin Club did not deploy ransomware encryption or make extortion demands against the school. CloudSEK’s analysis indicated the group focused on data exfiltration and public disclosure rather than file encryption, aligning it with groups like Bonaci that prioritize data leaks over ransomware deployment.

The breach exposed student PII but lacked the financial extortion tactics typical of ransomware operations: there was no evidence of file-locking malware or ransom negotiations. Impact analysis revealed that Arvin Club’s operation relied on publicity through its TOR site and Telegram channels, where the group also shared commentary on global cyber incidents, including a meme mocking the FBI’s takedown of the REvil group. Investigations found no ransomware samples or dedicated file-unlocking tools associated with the group, distinguishing its activities from conventional ransomware campaigns. The group publicly denied alleged ties to the Iranian government in July 2021 following external accusations. Third-party threat intelligence platforms such as Hack Notice cautiously attributed breaches to Arvin Club using qualifiers such as “as reported by” rather than confirming its direct involvement. The incident’s technical footprint suggested opportunistic data exposure rather than targeted disruption; no containment or remediation actions were documented, and no attacker activity beyond the initial data publication was recorded.
