The newbie ransomware group dubbed ‘Bully Gang’ has targeted the Indian insurance regulatory body, the Insurance Regulatory and Development Authority of India (IRDAI). A post on the threat actor’s Telegram channel, seen by The Cyber Express, claimed to have stolen confidential information from the IRDAI.

The Cyber Express accessed the Cyble Research and Intelligence Labs’ (CRIL) customer advisory, issued after the leaked data had been checked and verified. Apart from confidential IRDAI information, the data dump contained personally identifiable information, an employers’ list, and financial documents of insurance companies.
Under Indian cyber incident reporting rules, an organization facing a cyber incident has to report it to the Indian Computer Emergency Response Team (CERT-In) within six hours of discovery.
A source at CERT-In has confirmed that IRDAI is in touch with the cybersecurity watchdog over the incident. A request for comment sent to FIN-CERT, the financial incident division of CERT-In, was pending at the time of publication. Attempts to contact the IRDAI headquarters in Hyderabad were unsuccessful.
Ransomware Attack
On November 3, 2022, the ransomware group that calls itself the ‘Bully Gang’ announced on its Telegram channel that it had targeted the insurance regulatory body. The gang claimed to have stolen confidential IRDAI information and offered over 500 GB of data for sale.
According to the Cyble advisory, the Bully Ransomware Group established their Telegram channel on September 6, 2022, and joined the dark web data marketplace BreachForums under the moniker Bully_Support on September 10, 2022.
“Bully Gang ransomware group ascertained their claims by posting a screenshot of the compromised data. From it, we perceive an internal portal of IRDAI – irdaonline.org could have been compromised,” said the Cyble threat advisory.
“As per open-source documents of the IRDAI, this is an internal portal of IRDAI for allowing the Corporate Agents to register, login, upload their documents, and generate their Certificate of Registration (CoR).”
Unconfirmed tweets circulated earlier indicated that the leak came from an unsecured server. That was not the case, Cyble Lead Research Analyst Amit Lokhande told The Cyber Express. “From the data set, it does not appear to be from an unsecured database. This dataset is heterogeneous with several filetypes and structures,” he said.
He declined to answer whether the company worked with IRDAI to address the issue, citing confidentiality reasons.