HDFC Asset Management Company (HDFC AMC), one of India's largest mutual fund houses, has confirmed a ransomware intrusion attributed to a group calling itself "Morpheus," which claims to have exfiltrated more than 680 GB of sensitive investor and corporate data. The Bombay High Court issued a John Doe order on Friday barring the unidentified attackers from publishing or circulating the stolen information, with the matter listed for further hearing on June 16, 2026.
What Happened
The intrusion was discovered on May 16, 2026, when HDFC AMC's IT administrator detected that portions of the company's on-premises VMware infrastructure had become inaccessible. The disruption rippled across critical operational systems, including VPN gateways, SFTP servers, and antivirus management consoles. Shortly after the disruption, HDFC AMC received an email allegedly sent by the Morpheus group, claiming responsibility for the attack and demanding that the company make contact within 72 hours or face public release of the stolen data. HDFC AMC activated incident response protocols, isolated and shut down affected servers, and notified SEBI, CERT-In, the National Stock Exchange, and the Bombay Stock Exchange. The company then approached the Bombay High Court, where Justice Shreeram Shirsat granted ad-interim relief restraining the attackers from publishing or sharing the data.
What Was Taken
Morpheus claims to have exfiltrated more than 680 GB of data spanning both customer and corporate records. According to HDFC AMC's filing, the dataset allegedly includes:
- Investor names, postal addresses, and contact details (mobile numbers, email addresses)
- PAN (Permanent Account Number) details
- Bank account information
- Investment and transaction records
- Proprietary internal business documents
- Employee records
Given that HDFC AMC manages investments for millions of retail and institutional investors across India, the combination of PAN, KYC, and bank account details represents one of the most sensitive financial datasets a domestic threat actor could weaponize.
Why It Matters
This incident sits at the intersection of three concerning trends. First, India's asset management sector has now been confirmed as a high-value target for financially motivated ransomware crews, joining banks, insurers, and stock exchanges already in the crosshairs. Second, the use of John Doe injunctions as a containment tactic signals that Indian regulated entities are increasingly willing to use civil courts as a fourth pillar of incident response alongside containment, regulatory disclosure, and law enforcement coordination. Third, the data classes allegedly stolen, including PAN numbers tied to bank accounts and investment portfolios, enable downstream identity fraud, SIM swap attacks, and account takeover at scale against Indian retail investors.
The Attack Technique
HDFC AMC has not publicly disclosed the initial access vector, but the available indicators point toward exploitation of the on-premises virtualization stack. The first observed impact was the loss of access to VMware infrastructure, with VPN, SFTP, and antivirus management servers among the affected systems. This pattern is consistent with ransomware operators who target ESXi hypervisors directly, often via stolen or brute-forced administrative credentials, exposed vCenter management interfaces, or unpatched ESXi vulnerabilities that have been heavily exploited over the past two years. The compromise of the antivirus management server before encryption is also notable, as it suggests the attackers established privileged access to security tooling to disable defenses before triggering encryption and exfiltration.
What Organizations Should Do
- Audit external exposure of VMware vCenter and ESXi management interfaces. Ensure these are never directly reachable from the internet and are segmented behind jump hosts with MFA.
- Patch ESXi and vCenter aggressively. Known exploited vulnerabilities, including the OpenSLP service flaws and CVE-2024-37085 (ESXi Active Directory domain group authentication bypass), remain favorite footholds for ransomware affiliates.
- Protect security tooling as crown jewels. Antivirus, EDR, and backup consoles should require step-up authentication, sit on isolated management VLANs, and emit alerts on configuration changes or agent uninstalls.
- Enforce phishing-resistant MFA on VPN, SFTP, and any remote administrative entry point. Single-factor or SMS-based MFA on VPN remains a leading initial access vector for ransomware operators targeting Indian enterprises.
- Validate immutable, offline backup copies for VMware datastores and treat backup restoration as a regularly drilled exercise, not a theoretical capability.
- Pre-engage outside counsel on John Doe injunction playbooks. Indian regulated entities should have draft pleadings and an identified bench-ready firm so that civil restraint orders can be obtained within hours of an extortion demand, not days.
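The first four controls above can be expressed as a checkable policy over an asset inventory. The following is an added example, not code from HDFC AMC or from the article; the asset kinds, control labels and sample hosts are constructed for illustration and would be replaced by your CMDB or scanner export.

```python
from dataclasses import dataclass

# Control labels are assumptions for this example, not vendor terminology.
PHISHING_RESISTANT = {"fido2", "piv", "certificate"}
HYPERVISOR_MGMT = {"vcenter", "esxi"}
REMOTE_ENTRY = {"vpn", "sftp"}
SECURITY_TOOLING = {"av_console", "edr_console", "backup_console"}


@dataclass
class Asset:
    name: str
    kind: str                  # one of the labels above
    internet_reachable: bool
    behind_jumphost: bool = False
    mfa: str = "none"          # "none", "sms", "totp", "fido2", ...
    isolated_vlan: bool = False
    step_up_auth: bool = False


def audit(asset: Asset) -> list[str]:
    """Return checklist violations for one asset; [] means compliant."""
    findings = []
    if asset.kind in HYPERVISOR_MGMT:        # vCenter/ESXi management
        if asset.internet_reachable:
            findings.append("management interface reachable from the internet")
        if not asset.behind_jumphost:
            findings.append("not segmented behind a jump host")
        if asset.mfa == "none":
            findings.append("administrative access without MFA")
    if asset.kind in REMOTE_ENTRY:           # VPN/SFTP entry points
        if asset.mfa not in PHISHING_RESISTANT:
            findings.append(f"MFA '{asset.mfa}' is not phishing-resistant")
    if asset.kind in SECURITY_TOOLING:       # AV/EDR/backup consoles
        if not asset.isolated_vlan:
            findings.append("console not on an isolated management VLAN")
        if not asset.step_up_auth:
            findings.append("console lacks step-up authentication")
    return [f"{asset.name}: {f}" for f in findings]


def audit_inventory(assets: list[Asset]) -> dict[str, list[str]]:
    """Map asset name -> findings, keeping only non-compliant assets."""
    results = {a.name: audit(a) for a in assets}
    return {name: f for name, f in results.items() if f}


# Constructed sample inventory; hostnames and settings are illustrative only.
SAMPLE = [
    Asset("vcenter01", "vcenter", internet_reachable=True),
    Asset("esxi-a", "esxi", internet_reachable=False, behind_jumphost=True, mfa="totp"),
    Asset("vpn-gw", "vpn", internet_reachable=True, mfa="sms"),
    Asset("av-mgmt", "av_console", internet_reachable=False),
]
```

Running `audit_inventory(SAMPLE)` flags the internet-exposed vCenter, the SMS-protected VPN and the unsegmented antivirus console, while the jump-host-protected ESXi host with TOTP passes.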
Sources: HDFC AMC Cyberattack: Bombay HC Restrains Hackers From Publishing Allegedly Stolen Investor Data