US Federal Reserve Bank in New York City showing LockBit claim of stolen data

LockBit’s Claimed Hack on US Federal Reserve Turns Out to Be a Publicity Stunt; Stolen Data Came From Just One US Bank

The ransomware group LockBit put itself in the international headlines once again last week when it boldly claimed to have stolen 33 TB of data from the US Federal Reserve, something that could pose a dire threat to the entire banking system. But work by independent security researchers has determined the whole thing is malarkey. LockBit’s sample of stolen data turns out to have come from just one US bank, and it is one that has recently been scrutinized by the Fed for its deficient risk management and compliance policies.

After police raid, LockBit increasingly turns to brazen stunts to revive client interest

Ever since an international law enforcement raid in February that dealt a heavy blow to LockBit’s operation, followed up by the identification of Russian national Dmitry Yuryevich Khoroshev as lead developer and operator “LockBitSupp” in May, security researchers have noted that the group’s data leak site has carried an uncharacteristic amount of exaggerated or fake information. Previously a giant of the ransomware-as-a-service (RaaS) world, LockBit had enough regular and legitimate business in stolen data that it did not bother pulling stunts like this.

The group appears to be desperate to retain its client base, culminating in this fake attack on the US Federal Reserve that seems to have been a ploy to get into the news. What actually happened is that LockBit hit US-based Evolve Bank & Trust, a hybrid fintech operation that has a limited number of physical locations in the states of Arkansas and Tennessee. Evolve has confirmed that it was breached, and the stolen data appears to come entirely from this breach.

A breach on the US Federal Reserve involving 33 TB of stolen data would have indeed sent devastating shock waves throughout the whole of the country’s banking system, with likely serious ripple effects for many other countries. LockBit knew such a bold claim would immediately break them out of the usual bubble of cybersecurity news and capture mainstream attention, and the group played up the situation for several days by claiming a negotiator had offered $50,000 USD as a ransom and demanding that a new one be appointed.

Throughout all of this, the US Federal Reserve never confirmed a breach or issued any public statement on the matter. Numerous independent security researchers began sifting through the samples of stolen data that LockBit was leaking, and quickly came to the conclusion that it all came from Evolve. Evolve has since confirmed that it is dealing with a data breach, and that it has lost customer data to threat actors, data which has since been posted on the dark web.

US Federal Reserve appears safe, but stolen data is new and legitimate

While the stolen data may have nothing to do with the US Federal Reserve, it does appear to contain previously unseen material. Evolve has not yet mentioned LockBit, but has confirmed that customer information has appeared on the dark web as a result of its recent breach.

Evolve has been struggling with regulatory issues since at least 2023, of the sort that might contribute to a weak cybersecurity posture. The company was recently served with a cease-and-desist order from the US Federal Reserve Board after the discovery of a number of deficiencies in its risk management, consumer compliance, and anti-money laundering programs. The Board characterized the brick-and-mortar bank’s partnership with online fintechs as “unsafe and unsound” due to a lack of effective risk management frameworks, and indicated that it was out of compliance with AML laws. The order requires the bank to improve these aspects and implement an internal audit program by mid-August; in the meantime, the bank cannot create any new partnerships with fintech services without seeking approval.

While the “doomsday scenario” of US Federal Reserve secrets being leaked seems to have been averted, Evolve customers are left to deal with their stolen data being leaked to the dark web. Evolve has said that it has contacted impacted customers with an offer of free credit monitoring with identity protection service, and to change account numbers “if warranted.”

LockBit has been one of the world’s largest and most damaging RaaS outfits, enjoying a run of nearly five years now and racking up over 2,500 victims and $500 million in ransom payments. But the one-two punch of February’s “Operation Cronos” and the outing of its leader, for whom the US government is offering a $10 million bounty for information leading to his arrest, may spell the end for the group. If extradited to the US, “LockBitSupp” faces a maximum of 185 years in prison on charges of fraud, extortion, and damage to protected computers.

Itay Glick, VP of Products at OPSWAT, cautions that LockBit is not done for yet and that more financial firms may still be in its crosshairs: “In May 2024 alone, LockBit claimed responsibility for over 150 out of the 450 ransomware attacks reported, highlighting its aggressive activity despite law enforcement efforts to disrupt it earlier in the year. Known targets include Saint Anthony Hospital in Chicago, Manchester Fertility Services in the UK, Grimme in Denmark, Portline Transportes Maritimos Internacionales in Portugal, and Semesco in Cyprus, illustrating LockBit’s reach across various sectors. These attacks demonstrate LockBit’s ongoing threat to diverse industries worldwide. If we look at these facts, they are credible and definitely have the capabilities. To mitigate these threats, financial institutions must strengthen their cybersecurity measures. This includes implementing email security solutions to defend against phishing and other email-based attacks, which are common entry points for ransomware. Additionally, using advanced threat protection capable of defending against zero-day and unknown malware is crucial. Furthermore, it is recommended to segregate the operational network of financial institutions where possible. This can help prevent data leakage and limit the impact of any potential breach.”

Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, agrees that the financial field should be wary of the hackers making one last sprint for money while they still can: “It remains uncertain whether there is more to come from LockBit. That said, organizations in the financial industry must prioritize proactive defense, with a strong focus on threat detection and response. By utilizing LockBit’s common tactics, techniques, and procedures (TTPs), organizations can test their systems’ response to identify and address any vulnerabilities before they can be exploited.”