
LockBit Ransomware Strikes ICBC’s U.S. Subsidiary


On November 8, the U.S. subsidiary of the Industrial & Commercial Bank of China (ICBC) fell victim to a ransomware attack, raising concerns among security professionals. The attack, attributed to the Russia-linked LockBit ransomware-as-a-service (RaaS) gang, disrupted ICBC’s trading system. Unlike previous ransomware incidents targeting major banks, this attack compromised a critical system rather than a random user device.

Ira Winkler, CISO at CYE, emphasised the significance of criminals accessing a critical system, noting that while major banks face attacks, they often have resilient measures in place. The attack impacted ICBC’s operations, with trades reportedly traveling on a USB stick across Manhattan. ICBC Financial Services took steps to disconnect and isolate affected systems, successfully clearing U.S. Treasury trades executed on November 8 and Repo financing trades on November 9.

Craig Jones, VP of security operations at Ontinue, highlighted the broader impact on the U.S. Treasury market, emphasising the growing trend of cybercriminals targeting large and presumably secure institutions. LockBit, a leading RaaS group, has been active since 2019 and gained prominence with the release of LockBit 2.0 in 2021. Dean Webb, cybersecurity solutions engineer at Merlin Cyber, noted LockBit’s involvement in attacks on various organisations, including Accenture, Thales, and the Port of Lisbon.

“The Chinese attacks are interesting, as Russian hacking groups have in the past refrained from attacking Russian allies,” said Webb. “It may be that the non-governmental entities in China are now seen as fair game, or the group feels bold enough to no longer toe the line on Russian foreign policy. I’ll speculate that Putin’s weakened leadership in the wake of the Ukraine debacle and the Wagner Group coup attempt from earlier in the year has sent a message to Russian hacker gangs that Putin has his hands full enough with his own problems; he won’t be able to crack down on them.”

LockBit 3.0, introduced in June of the previous year, marked an organisational expansion, with improved recruiting, retention, and even a bug bounty program for ransomware development. The group’s relentless activities have targeted companies worldwide, spanning aerospace, infrastructure, banking, and government sectors. Notably, LockBit has reportedly ransomed close to 2,000 companies in recent years.

Steve Hahn, EVP at BullWall, described LockBit’s modus operandi, emphasising its ability to circumvent prevention technologies and leverage admin credentials to disable security tools and exfiltrate data. Hahn pointed out that even companies investing millions in security are vulnerable to such sophisticated threats.

Amelia Buck, a cybersecurity expert at Menlo Security, highlighted LockBit’s release of 40 gigabytes of stolen data from Boeing, underscoring that no target is off-limits for these cybercriminal groups. The infiltration of ICBC serves as a stark reminder for companies of all sizes to prioritise containment, rapid recovery, and effective response strategies against evolving cyber threats.
