Is Indiabulls Group going to pay the CLOP ransomware gang? We'll see

Indiabulls Group has been given 24 hours to pay a ransom to the operators of CLOP, a variant of CryptoMix ransomware

Indiabulls Group hit by Clop ransomware. Criminals exploited a vulnerability in the Indiabulls Group servers to initiate a Clop ransomware attack.

The Indian conglomerate Indiabulls Group, headquartered in Gurgaon, was hit by the CLOP ransomware earlier this month, cybersecurity firm Cyble[1] reported. The criminals behind the malware threaten to publish the stolen data if the group refuses to pay the ransom within 24 hours.

To prove that the attack is real, the criminals have uploaded six screenshots to the 'CL0P^_- LEAKS' site[2]. Having examined them, experts say that the exposed data is extremely sensitive: banking documents, transaction details, vouchers, conversations with banking institutions, and other finance-related records.

However, experts are still investigating the alleged attack, so it is not yet clear whether it really took place. Nonetheless, Bad Packets[3] researchers claim to have found a technical vulnerability in an Indiabulls server: the criminals exploited the Citrix Netscaler ADC VPN gateway, which turned out to be vulnerable to CVE-2019-19781[4].
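A defender who runs a gateway of the kind mentioned above wants to know whether the documented CVE-2019-19781 exploitation pattern (a path traversal from the public /vpn/ tree into /vpns/) shows up in the access logs. The script below is an added example written for this article; it is not code from the article, from Citrix or from Bad Packets. The log line format and every sample line are constructed for the demo, and the classification labels are this example's own.

```python
"""Flag gateway access-log requests that match the documented CVE-2019-19781
exploitation pattern: a path traversal from the public /vpn/ tree into /vpns/.

Added example for this article; it is not code from the article, from Citrix or
from Bad Packets. The log line format and the sample lines are constructed.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed format: <client_ip> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')

# Constructed sample traffic: ordinary gateway use plus two traversal attempts,
# the second with the dot-dot segment percent-encoded.
SAMPLE_LOG = """\
203.0.113.10 "GET /vpn/index.html HTTP/1.1" 200
203.0.113.10 "POST /vpn/login HTTP/1.1" 302
192.0.2.44 "GET /vpn/vpns-help.html HTTP/1.1" 404
198.51.100.7 "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200
198.51.100.7 "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200
"""


def decoded_path(raw):
    """Strip the query string and percent-decode so encoded dot-dots are visible."""
    return unquote(raw.split("?", 1)[0])


def has_traversal(path):
    """True when the (decoded) path contains a literal '..' segment."""
    return ".." in path.split("/")


def classify(raw_path):
    """Return 'cve-2019-19781-pattern', 'traversal' or 'ok' for one request path."""
    path = decoded_path(raw_path)
    if not has_traversal(path):
        return "ok"
    # Where the traversal lands after normalisation decides the label:
    # the published indicator is a dot-dot escape that resolves under /vpns/.
    landing = normpath(path)
    if landing.startswith("/vpns/"):
        return "cve-2019-19781-pattern"
    return "traversal"


def scan(log_text):
    """Return (client_ip, method, raw_path, status, verdict) for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ip, method, path, status = m.groups()
        verdict = classify(path)
        if verdict != "ok":
            findings.append((ip, method, path, int(status), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The decode-before-match step matters: matching the raw path alone misses the percent-encoded variant, and a 200 status on a traversal request is the result a defender should escalate, since it means the gateway served the file rather than rejecting the request.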

Apart from the six files published on the Clop leak site, no other specifics are known, except that Indiabulls management is expected to pay the ransom within 24 hours. Otherwise, the criminals promise to publish more data stolen from the Pharmaceuticals and Indiabulls Housing Finance Limited subsidiaries.

Clop follows the trend: a failed ransom attempt ends with credentials exposed on a leak site

Maze was the first gang to run a leak site; other ransomware families followed its example and launched similar sites to blackmail victims into paying. Sodinokibi/REvil, Nemty, and DoppelPaymer were the first to follow, and Nefilim, Sekhmet, and Clop have since joined the trend. The newly launched leak sites have already been filled with victims' credentials.

On March 13, the pharmaceutical company ExecuPharm[5] was hit by Clop ransomware. The attackers managed to infiltrate the company's servers and lock 163 GB of data. The negotiation between the criminals and ExecuPharm representatives ended with the data being exposed: the criminals behind Clop published thousands of emails, accounting information, financial records, backups, and other highly sensitive information as proof of the attack.

In contrast, Maastricht University[6], which was hit by the same file-encrypting virus earlier this year, has already paid the criminals 30 Bitcoins in exchange for data recovery software.

The current CLOP ransomware attack on the Indiabulls Group has not yet been confirmed. However, judging by this gang's track record, the criminals are unlikely to be bluffing.

CLOP ransomware: a variant of CryptoMix known for terminating crucial processes on the affected machine

The CLOP ransomware was first spotted in February 2019 as a new strain of the well-known CryptoMix[7] ransomware family. While initially it did not exhibit unusual traits, its developers later changed its behavior significantly, making the ransomware rather difficult to predict.

Clop ransomware stands out from the crowd because of its ability to kill processes belonging to Windows 10 components, IDEs, programming language runtimes, Microsoft Office applications, Microsoft Exchange, SQL Server, MySQL, BackupExec, and more. At the moment, it terminates 663 Windows processes before running its file encryption routine. Killing processes before encryption is not uncommon in itself, but the number of processes killed by CLOP is extraordinary, and experts do not understand why some of them are targeted.

Once the process killer has run, the ransomware starts the encryption routine. It marks locked files with one of two extensions, .Clop or .Cl0p. Victims also receive the ClopReadMe.txt ransom note, which instructs them to write to servicedigilogos@protonmail.com, managersmaers@tutanota.com, unlock@goldenbay.su, or unlock@graylegion.su for further ransom payment instructions.
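The two behaviours described in this section, a burst of process terminations by one actor followed by files renamed to .Clop or .Cl0p and a ClopReadMe.txt note, are what an endpoint detection would key on. The script below is an added example written for this article, not code from the article or from any EDR vendor. The event format (tuples of time, event type, actor image, target) and the event stream itself are constructed for the demo; the list of watched process names is an illustrative subset of the software categories named above, and the window and threshold values are this example's own choices.

```python
"""Detect the CLOP behaviour sequence over a constructed endpoint event stream:
a burst of process terminations by one actor, then files carrying the .Clop /
.Cl0p extension and a ClopReadMe.txt ransom note.

Added example for this article; not the article's code or any vendor's. The
event tuple format (ts, kind, actor, target) is an assumption of this demo.
"""
from collections import defaultdict

# Illustrative subset of the database, backup, mail and Office processes the
# article says CLOP kills before encryption.
WATCHED_PROCESSES = {
    "sqlservr.exe", "mysqld.exe", "beserver.exe", "outlook.exe",
    "winword.exe", "excel.exe", "msexchangeis.exe",
}
RANSOM_EXTENSIONS = (".clop", ".cl0p")   # extensions named in the article
RANSOM_NOTE = "clopreadme.txt"           # ransom note named in the article

KILL_WINDOW_SECONDS = 60   # sliding window length (demo choice)
KILL_THRESHOLD = 10        # terminations by one actor inside the window (demo choice)


def detect_kill_bursts(events, window=KILL_WINDOW_SECONDS, threshold=KILL_THRESHOLD):
    """Return {actor: (peak_count, watched_targets_hit)} for actors over threshold."""
    kills = defaultdict(list)
    for ts, kind, actor, target in events:
        if kind == "process_terminate":
            kills[actor].append((ts, target))
    bursts = {}
    for actor, items in kills.items():
        items.sort()
        start, best, best_watched = 0, 0, set()
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window` seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_watched = {t.lower() for _, t in items[start:end + 1]
                                if t.lower() in WATCHED_PROCESSES}
        if best >= threshold:
            bursts[actor] = (best, sorted(best_watched))
    return bursts


def detect_file_indicators(events):
    """Return (ts, actor, target) for file events carrying CLOP's extension or note name."""
    hits = []
    for ts, kind, actor, target in events:
        if kind not in ("file_create", "file_rename"):
            continue
        name = target.rsplit("\\", 1)[-1].lower()
        if name.endswith(RANSOM_EXTENSIONS) or name == RANSOM_NOTE:
            hits.append((ts, actor, target))
    return hits


def build_sample_events():
    """Constructed event stream: benign activity, then a CLOP-like sequence."""
    events = [
        (0, "process_terminate", "explorer.exe", "notepad.exe"),
        (5, "file_create", "winword.exe", r"C:\Users\a\Documents\report.docx"),
    ]
    victims = ["sqlservr.exe", "mysqld.exe", "beserver.exe", "outlook.exe",
               "winword.exe", "excel.exe", "msexchangeis.exe", "chrome.exe",
               "code.exe", "python.exe", "java.exe", "notepad.exe"]
    # One unknown actor kills a dozen processes within twelve seconds...
    for i, name in enumerate(victims):
        events.append((100 + i, "process_terminate", "unknown.exe", name))
    # ...then renames documents and drops the note.
    events += [
        (130, "file_rename", "unknown.exe", r"C:\Users\a\Documents\report.docx.Clop"),
        (131, "file_rename", "unknown.exe", r"C:\Users\a\Documents\budget.xlsx.Cl0p"),
        (132, "file_create", "unknown.exe", r"C:\Users\a\Documents\ClopReadMe.txt"),
    ]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("kill bursts:", detect_kill_bursts(sample))
    print("file indicators:", detect_file_indicators(sample))
```

The kill-burst rule fires before any file is touched, which is the point: the process-termination phase is the earliest observable step in the sequence the article describes, and an alert there gives a responder a chance to isolate the host before the extension-based indicators appear.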

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
