According to Recorded Future, Nucleus Software Exports, an Indian company that provides lending software to banks and retail stores, has suffered a major ransomware attack that crippled some of its internal networks and encrypted sensitive business information.

The incident took place last Sunday, on May 30, according to a document the company filed on Tuesday with the Indian National Stock Exchange authority.

In a quarterly report filed on Thursday, NSE said it’s in the process of containing the damage and recovering and restoring impacted systems.

“So far as sensitive data is concerned, we’d like to assure our customers that there is NO financial data of any customer available/stored with us and therefore the question of any leakage or loss of client data does not arise,” the company told Indian financial regulators.

But while an NSE spokesperson has declined to comment on the attack on several occasions, members of the cyber-security community have been able to track down the ransomware strain that was deployed on the company’s network.

The ransomware, identified as BlackCocaine, but more commonly known as EpsilonRed, is among the most recent ransomware strains discovered.

First spotted last month by UK security firm Sophos, the EpsilonRed gang works by targeting unpatched Microsoft Exchange email servers vulnerable to the ProxyLogon exploit, getting a foothold on the vulnerable system, and then deploying a collection of PowerShell scripts to allow it to move internally inside a victim’s network.

In its report, Sophos said the ransomware gang has been successful in at least some of their attacks, discovering payments of $210,000 from previous incidents.

While NSE has not confirmed that the entry point for their breach was an Exchange server nor if it paid the ransom demand, the incident proves that even with tools that Sophos described as “bare-bones,” a ransomware gang was capable of infiltrating a major financial software supplier and hold it for ransom with little effort.

But because the ransomware is still new, its code is not yet top-notch. An Emsisoft malware analyst, which took a look at the BlackCocaine/EpsilonRed sample, recommended that companies to reach out in case of an attack, as there might be ways to recover files under certain conditions.


SpearTip’s certified engineers work diligently to protect partners from ever-evolving threats. Last week, KMOV interviewed our Senior Director of Security Operations, Jonathan Tock, on a new ransomware strain which disrupted the operations of a local governmental institution. In the interview, he gives recommendations for companies looking to strengthen their security posture. He covers the new groups who attacked the local organization, Prometheus and Grief. Again, we’re seeing new strains emerge. To combat these new ransomware operators, our team utilizes our advanced malware analysis tactics to understand the methods and motives of new actors in the threat landscape. Understanding these developments can be difficult for your average employee, so allowing an experienced cybersecurity firm like SpearTip to handle your strategies is a major benefit for the constant protection of your company and relief to those who handle security issues currently.

Our team will continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.