Cyber Incident Victim: Nucleus Software Exports
Date:
May 2021
Location:
India
Summary
A major Indian financial software provider suffered a ransomware attack that disrupted internal networks and encrypted sensitive business information. The EpsilonRed group, deploying BlackCocaine ransomware, is reported to have exploited unpatched Microsoft Exchange servers via the ProxyLogon vulnerability to gain initial access, then used PowerShell scripts to move laterally within the network. The company stated that no customer financial data was held on its systems, but the incident showed the gang's ability to compromise a financial-sector software supplier with relatively basic tooling. Security researchers noted that weaknesses in the ransomware's code might allow file recovery under some conditions; it remains unclear whether a ransom was paid. The group had previously received substantial payments in similar attacks.
Description
On May 30, 2021, Nucleus Software Exports, a prominent Indian provider of lending software to banks and retail stores, suffered a major ransomware attack that disrupted internal networks and encrypted sensitive business information. The company disclosed the incident in a regulatory filing with the National Stock Exchange of India two days later, on June 1. By June 3, Nucleus Software reported in a further filing that it was containing the damage and working to recover and restore affected systems. The company assured customers and financial regulators that no client financial data was stored on its systems, so that such data could not have been leaked or lost. Despite repeated inquiries, company spokespersons declined to comment on the operational specifics of the attack or the investigation.

Security researchers identified the ransomware as BlackCocaine and linked it to EpsilonRed, a recently discovered strain first documented by Sophos in late May 2021. The EpsilonRed group exploited unpatched Microsoft Exchange servers vulnerable to ProxyLogon to gain initial access, then used PowerShell scripts to move laterally within the network before deploying the ransomware. Sophos had previously observed the group extorting about $210,000 in an earlier attack. Nucleus Software did not confirm whether its breach originated via an Exchange server vulnerability or whether it paid any ransom demand. The incident demonstrated the operational effectiveness of EpsilonRed's methods even though Sophos characterized the group's tooling as "bare-bones." An Emsisoft malware analyst noted potential file recovery avenues due to imperfections in the ransomware's code, though Nucleus Software's restoration efforts remained focused on internal recovery processes, with no external remediation assistance publicly acknowledged.
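The initial-access vector attributed to EpsilonRed above, ProxyLogon (CVE-2021-26855) against an unpatched Exchange server, leaves a recognizable trace in the Exchange HttpProxy logs: an unauthenticated request whose AnchorMailbox was rewritten to a `ServerInfo~<host>/<backend path>` value. The following is an added example, not code from the page, from Nucleus Software, or from any of the vendors it cites. It implements the hunting rule Microsoft published for that CVE (empty `AuthenticatedUser` together with an `AnchorMailbox` matching `ServerInfo~*/*`) as a small log checker. The log excerpt is constructed and simplified to a handful of columns; real HttpProxy logs carry many more fields, and the `#Fields:` header is what the parser uses to name them.

```python
import csv

# Constructed, simplified Exchange HttpProxy log excerpt (not real server data).
# Real logs sit under <ExchangeInstallPath>\Logging\HttpProxy\ with far more
# columns; only the fields the rule needs are kept. The two /ecp/y.js rows mimic
# the SSRF pattern ProxyLogon exploits produce; the last row is a legitimate,
# authenticated request that also carries a ServerInfo~ anchor and must NOT hit.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-05-29T10:01:02.000Z,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-05-29T10:02:15.000Z,/ews/exchange.asmx,CORP\\jdoe,Smtp~jdoe@example.test,192.0.2.25,200
2021-05-29T10:03:41.000Z,/ecp/y.js,,ServerInfo~a]@example.test:444/autodiscover/autodiscover.xml?#,198.51.100.7,200
2021-05-29T10:03:42.000Z,/ecp/y.js,,ServerInfo~a]@example.test:444/mapi/nspi/?#,198.51.100.7,200
2021-05-29T10:05:00.000Z,/autodiscover/autodiscover.xml,CORP\\asmith,ServerInfo~EX01/autodiscover/autodiscover.xml,192.0.2.31,200
"""


def parse_httpproxy_log(text):
    """Yield one dict per data row, naming columns from the #Fields directive.

    Other '#'-prefixed directive lines (#Software, #Date, ...) are skipped.
    """
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        values = next(csv.reader([raw]))
        yield dict(zip(fields, values))


def is_proxylogon_ssrf_indicator(row):
    """Microsoft's published hunting rule for CVE-2021-26855.

    A request that was never authenticated but whose AnchorMailbox was rewritten
    to 'ServerInfo~<host>/<path>' means the front end was coerced into proxying
    an arbitrary backend request on the attacker's behalf.
    """
    anchor = row.get("AnchorMailbox", "")
    return (
        row.get("AuthenticatedUser", "") == ""
        and anchor.startswith("ServerInfo~")
        and "/" in anchor
    )


def find_proxylogon_hits(text):
    """Return every log row matching the indicator, as parsed dicts."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf_indicator(row)]


def summarize_hits(text):
    """Condense hits into what an IR lead asks for first: how many, from where,
    and which backend endpoints were reached through the SSRF."""
    hits = find_proxylogon_hits(text)
    return {
        "count": len(hits),
        "source_ips": sorted({h["ClientIpAddress"] for h in hits}),
        "targets": [h["AnchorMailbox"].split("/", 1)[1] for h in hits],
        "first_seen": hits[0]["DateTime"] if hits else None,
    }


if __name__ == "__main__":
    summary = summarize_hits(SAMPLE_HTTPPROXY_LOG)
    print(f"ProxyLogon SSRF indicators: {summary['count']} "
          f"from {summary['source_ips']} starting {summary['first_seen']}")
    for target in summary["targets"]:
        print("  backend reached:", target)
```

A hit is evidence of exploitation attempts, not yet of a successful compromise; triage it alongside unexpected `.aspx` files under the Exchange `aspnet_client` and `owa\auth` directories, which is where post-ProxyLogon web shells were typically dropped, and treat the source IPs as pivots into firewall and VPN logs. Because HttpProxy logs persist after patching, the check is also useful retrospectively on a server that was patched late, which is exactly the question a victim like Nucleus Software would need to answer.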
