Cyber Incident Victim: Indiabullshousing
Date: Jun 2020
Location: India
Summary
Indiabulls Group, a major Indian financial conglomerate, suffered a ransomware attack by the CLOP group, which exfiltrated sensitive data including documents from its pharmaceuticals and housing finance subsidiaries. The attackers leaked file samples and issued a 24-hour ultimatum for the company to make contact, threatening further disclosures, consistent with their typical tactic of stealing unencrypted files before deploying ransomware. Weaknesses were separately identified in the organization's infrastructure, including an internet-exposed Citrix Netscaler ADC VPN gateway susceptible to CVE-2019-19781, with intelligence reports indicating prolonged exposure due to unpatched systems; no link between that exposure and the breach was established. While the exact breach vector remains unconfirmed, the incident reflects CLOP's pattern of targeting high-value entities to extort payments through data leaks.
Description
On or around June 22, 2020, the CLOP ransomware group publicly claimed responsibility for a cyberattack targeting India’s Indiabulls Group, a diversified financial services conglomerate with subsidiaries in housing finance, pharmaceuticals, real estate, and infrastructure. The attackers leaked screenshots of six stolen files on their 'CL0P^_- LEAKS' data breach site, including a voucher, a letter, and four spreadsheets linked to Indiabulls Pharmaceuticals and Indiabulls Housing Finance Limited. CLOP issued a 24-hour deadline for the company to make contact, threatening further data leaks if ransom demands were not met. The group’s standard operational procedure involved exfiltrating unencrypted files prior to deploying ransomware, leveraging stolen data for extortion. Indiabulls, with $3.5 billion in revenue (2019) and over 19,000 employees, faced potential exposure of sensitive financial and operational documents. The exact date of the initial breach, ransom amount, and whether data was encrypted remained unconfirmed. Cybersecurity firm Bad Packets reported Indiabulls had operated a Citrix Netscaler ADC VPN gateway vulnerable to CVE-2019-19781, a critical flaw allowing remote code execution, though no definitive link to the breach was established. Bad Packets also noted historical exposure due to prolonged use of unpatched servers.

The incident mirrored CLOP’s March 2020 attack on U.S.-based ExecuPharm, where 163GB of data was stolen and later leaked after failed ransom negotiations. Indiabulls did not publicly confirm the attack or disclose response actions, containment measures, or operational impacts. No evidence indicated that data had been encrypted, so public reporting centred on data theft and extortion. The leaked screenshots implied compromise of subsidiary-specific financial or administrative records, but the full data scope and exfiltration volume were undisclosed. BleepingComputer attempted to contact both CLOP and Indiabulls but had received no replies by the time its article was published. The absence of confirmed remediation steps or technical details left the breach’s full consequences unresolved in public reporting.
