- The ICBC hack is the latest in a string of cyberattacks by the LockBit ransomware group.
- The LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model.
- ICBC apparently paid a ransom to get access back to its systems.
It seems like a cyberattack by LockBit is inevitable for organizations today. The ransomware group, which has ties to Russia, continues to wreak havoc on businesses all over the world.
In 2023 alone, the LockBit ransomware group has already hacked ION Trading UK and the Royal Mail as well as airline manufacturer Boeing. But its latest victim may just be its biggest target to date and also one that belongs to the most regulated industry in the world.
According to reports, the US unit of the Industrial and Commercial Bank of China (ICBC), which also happens to be the world’s largest bank by assets, has fallen victim to a ransomware attack by LockBit. The hack apparently disrupted some of the bank’s systems, including its ability to clear trades in the US Treasury market.
“ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident. ICBC FS has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts” ICBC wrote on its website.
As ICBC acts as a broker for hedge funds and other market participants, the disruption of services would be catastrophic to the industry. As such, the bank had to switch to manual processes, such as sending settlement details to other parties by a messenger on a USB stick. The ransomware group has also caused liquidity problems in the Treasury market. Market-makers, brokerages and banks had to reroute their trades due to the cyberattack.
ICBC employees could not even access or use their corporate emails, with reports claiming employees had to switch to Gmail to ensure business continuity. At the same time, the bank’s parent company in China had to inject capital into the US unit to help it pay back US$9 billion to BNY Mellon, the sole settlement agent for the Treasuries, for unsettled trades that resulted from the hack.
Meanwhile, Reuters reported US Treasury Secretary Janet Yellen saying that the ransomware attack that disrupted China’s largest bank had not interfered with the market for US government debt.
“We have been working very closely with the Chinese, with the firm, and with regulators in the United States, with the federal government, the FBI and cybersecurity officials,” she said, adding that the incident is an example of why top economic officials in the two countries need to maintain close communications.
“This is a situation where it’s critical to be able to pick up the phone and know that you will have a good response on the other end and that we can trust one another to work together and cooperate,” Yellen said at a press conference after wrapping up two days of meetings with her Chinese counterpart in San Francisco.
“The Treasury Department and the United States have given as much assistance as we possibly can to the firm in dealing with this issue,” she added.
Another successful cyberattack for LockBit
The ICBC hack is the latest in a string of cyberattacks by the LockBit ransomware group. The Cybersecurity and Infrastructure Security Agency (CISA) records that since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
As the LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model, affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. CISA also highlighted that due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures.
In fact, the LockBit ransomware group can be considered the most well-organized cybercriminal group in the world. Not only does it have a network of hackers, but it also has an administrative team to communicate and negotiate with victims on ransom payments.
In the US alone, the FBI says that LockBit has been involved in around 1,700 cyberattacks. The CISA also reported that approximately US$91M in ransomware has been paid since LockBit activity was first observed in the US in January 2020.
Did ICBC pay the ransom?
While law enforcement agencies continue to advise victims to not pay ransoms for cyberattacks, Reuters reported that ICBC has paid a ransom to get acces to its systems back. However, the media agency stated that they were unable to independently verify the statement they received.
“They paid a ransom, deal closed,” the Lockbit representative told Reuters via Tox, an online messaging app.
Should this be the case, ICBC becomes the latest company to give in to ransomware demands. Most cybersecurity agencies would also not agree to pay the ransomware note but given the severity of the case, ICBC may not have been left with many options. Whether the ICBC hack has resulted in a successful ransom payment or not, Lockbit is likely to be moving on to fresh targets.
Weeks earlier, Boeing was also a victim of the LockBit ransomware group. Bleeping Computer reported that LockBit had leaked more than 43GB of files from Boeing after the company refused to pay a ransom. Most of the data listed on the hacker group’s leak site are backups for various systems, the most recent of them with an October 22 timestamp. Among the files are configuration backups for IT management software, and logs for monitoring and auditing tools.
Prior to this, two casinos in Las Vegas, MGM and Caesar’s Palace, also suffered a ransomware attack. MGM refused to pay the ransom, which not only resulted in the casino’s systems going offline but also affected its bookings and resort operations. Reports claimed that MGM ended up with losses of around US$100 million. On the other hand, Caesar’s Palace reportedly paid a few million in ransom to get access to its systems returned.