
Ransomware Attack on World’s Largest Bank Suspected to Be the Work of LockBit

Industrial & Commercial Bank of China Ltd. (ICBC) is the world’s largest bank, and inside sources have told the Financial Times and Bloomberg that it is currently grappling with a ransomware attack.

The attack appears to be limited to ICBC’s US unit, which has only a handful of branches and loan production offices scattered across the country and does not on its own crack the top 10 for assets or lending within the nation. The ransomware attack has nevertheless caused some chaos in the US Treasury market: some transactions have had to be suspended or rerouted due to service outages, and the bank has been forced to move settlement details for Wall Street trades by hand on USB sticks.

World’s largest bank forced to process trades manually in US

Settlement details of trades involving ICBC US are being handled by courier in Manhattan, as the world’s largest bank struggles to recover from a ransomware attack that is being attributed to LockBit.

The bank’s Beijing headquarters is reportedly meeting with US regulators about the incident, and may call in China’s Ministry of State Security for assistance in protecting its other units. The Securities Industry and Financial Markets Association (SIFMA) also held calls with members about the incident. ICBC is the world’s largest bank by total assets held and edges out US giants JPMorgan Chase and Bank of America in this area, though the US banks are the world’s largest in terms of market capitalization.

A September interim report indicated that the world’s largest bank has recently focused on improving its cybersecurity, citing the rapid growth of online banking and its development of new technologies and services. The choice of the US unit as a target may reflect China’s country-wide ban on cryptocurrency, which makes it very difficult for an attacker to collect payment when holding a mainland company to ransom.

ICBC says that business is being conducted as usual at all branches and subsidiaries at present, and that it is currently focusing on minimizing risk impact and losses. Trades and repurchase agreements were slowed temporarily, and some traders report that orders with the world’s largest bank did not clear during the attack window. U.S. Treasury Secretary Janet Yellen said that the attack only “minimally” disrupted the market.

LockBit continues string of high-profile ransomware attacks

A statement from ICBC named LockBit as the culprit, though the hacking group has yet to list the company on its dark web “double extortion” site. It is not unusual for this group to withhold all information about victims until the last minute, however, as it just demonstrated by suddenly dumping the data taken from its October breach of Boeing (which had been given a deadline of November 2 to pay). The group does not appear to release data until it feels that there is no chance at all of further negotiation.

First documented by security researchers in January 2020, LockBit has risen to become one of the world’s most prominent ransomware groups. It is thought to be based in Russia and has attacked targets all over the world, including about 1,700 organizations in the US to date. It is unafraid to go after very high-profile targets and those that might compromise critical infrastructure, as its recent attack on the UK’s Royal Mail demonstrates. It is also one of the few skilled enough to take on the usually advanced cyber defenses of the major players in the financial industry; earlier in the year it breached the UK’s ION Trading, a global derivatives platform.

The ransomware attack on the world’s largest bank may have been more a case of opportunity than of advanced skill, however. Some security researchers have taken to social media to note that a vulnerable ICBC Citrix server was spotted online earlier in the week, visible to the scanners that routinely probe the internet for such openings. This particular server had not been patched against the “Citrix Bleed” bug, which ransomware operators have been keying in on since August of this year. Tracked as CVE-2023-4966, Citrix Bleed is a memory disclosure flaw in NetScaler ADC and Gateway appliances that leaks valid session tokens, letting an attacker hijack authenticated sessions and bypass multi-factor authentication; because stolen tokens remain usable after the update, patching alone is not enough and active sessions must also be terminated. The bug has also been implicated in recent attacks on government agencies and legal organizations in multiple countries.

While the financial sector tends to be a tough nut for hackers to crack, industry leaders live in constant fear of a ransomware attack or similar catastrophic disruption on the scale of the Colonial Pipeline or JBS incidents. A recent study from Lloyd’s of London estimated that a severe attack on payment systems with a global cost of at least several trillion dollars was a realistic scenario within the next three decades, and something that both government and private industry should be preparing for.

Jon Miller, CEO & Co-founder of Halcyon, notes that the most skilled and dangerous criminal groups should be expected to continue to aim high regardless of how much they antagonize governments: “Critical infrastructure providers like the financial, manufacturing, healthcare and energy sectors remain top targets for ransomware operators because the pressure to quickly resolve the attacks and resume operations increases the chances victim organizations will pay the ransom demand. Ransomware is a multi-billion dollar business that rivals and even exceeds many legitimate market segments.”

“There is no limit to the disruptive power and financial impact of ransomware attacks. New RaaS groups emerge all the time, introducing new tactics, techniques, and procedures, including automation of aspects of the attacks – like exploiting vulnerable software like MOVEit and GoAnywhere – and custom tooling for more efficient data exfiltration,” added Miller. “Given the fact that a determined attacker with enough time and resources is all but guaranteed to eventually be successful in their attacks, orgs also need to take measures to be truly resilient and recover from an attack as quickly as possible.”

Ransomware attacks are resurgent at the moment, on pace for a record-breaking year once 2023 is concluded. Various studies have found that ransomware attacks are up nearly 100% from 2022’s numbers and that about $500 million in payments were made through the first half of the year; with the holiday season about to kick off, the year’s grand total could exceed the record of roughly $765 million recorded in each of 2020 and 2021. Regardless of the final total, payment numbers are already triple those logged in 2019 and over 10x higher than in any year prior to that.

Jim Doggett, CISO at Semperis, provides some insider advice for highly targeted organizations: “I speak to companies regularly that don’t believe they are in the crosshairs of ransomware threat actors, but they are. To better prepare for the inevitable attack, organizations should regularly review business risk, including the impact ransomware could have on their business. Even if a company reviewed business risks in October, do it again, because something that wasn’t obvious then might be now. And learn to prioritize. If ransomware is a greater risk than another threat, prioritize ransomware. This sounds easy, but it requires fortitude to help senior management understand this approach. In addition, eliminate single points of failure and have contingencies in place if their business becomes disrupted. There’s no silver bullet that will solve the cybersecurity challenges facing most organizations.”

“Companies should also identify the critical services that are ‘single points of failure’ for the business. If critical services go down, the business stops. Have a plan for ‘what to do if.’ This doesn’t have to be perfect, but think now about what to do if email goes away or a customer portal or CRM tool gets locked. And practice makes perfect (or at least better), so test your plans before it’s for real. There’s no perfect solution, but managers will be more creative when there isn’t adrenaline pumping. Know that any thought given to what the company will do is an advantage. And keep in mind that Active Directory environments are the most vulnerable entry points and one of the most negatively impactful attacks; hackers frequently target these environments, making it imperative that organizations have real-time visibility into changes to elevated network accounts and groups,” added Doggett.
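The visibility into privileged-group changes that Doggett describes is something a detection team can implement directly from the Windows Security log on domain controllers. The following is an added example written for this page, not code from Semperis or from the article's author: it runs a simple rule over the group-membership events Windows raises when a member is added to or removed from a security-enabled group (event IDs 4728/4732/4756 for additions, 4729/4733/4757 for removals), flags any change touching a built-in privileged group, and raises the severity when the account that made the change added itself. The event records below are constructed for the example and use the field names from the real event schema; the list of privileged groups and the severity scheme are assumptions an organization would tune.

```python
import re
from dataclasses import dataclass

# Built-in AD groups whose membership changes should always be reviewed.
# Assumption for this example: a real deployment would extend this list
# with its own tier-0 groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}

# Windows Security event IDs for membership changes to security-enabled groups.
EVENT_IDS = {
    4728: ("added", "global"),    4729: ("removed", "global"),
    4732: ("added", "local"),     4733: ("removed", "local"),
    4756: ("added", "universal"), 4757: ("removed", "universal"),
}


@dataclass
class Alert:
    record_id: int
    action: str      # "added" or "removed"
    scope: str       # global / local / universal
    group: str
    member: str      # sAMAccountName-style CN of the changed member
    actor: str       # SubjectUserName: who made the change
    severity: str


def cn_from_dn(dn: str) -> str:
    """Extract the CN from a distinguished name such as CN=jdoe,OU=...;
    fall back to the raw value for non-DN member strings."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def detect_privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Return one Alert per event that changes membership of a privileged group.

    Severity: removals are 'medium' (possible defender lockout), additions are
    'high', and an actor adding their own account is 'critical' because that is
    the classic self-elevation pattern seen after a domain foothold."""
    alerts = []
    for e in events:
        info = EVENT_IDS.get(e["EventID"])
        if info is None:
            continue                      # not a group membership event
        action, scope = info
        group = e["TargetUserName"]       # for these events: the group name
        if group not in privileged:
            continue
        member = cn_from_dn(e["MemberName"])
        actor = e["SubjectUserName"]
        if action == "removed":
            severity = "medium"
        elif member.lower() == actor.lower():
            severity = "critical"         # actor granted themselves membership
        else:
            severity = "high"
        alerts.append(Alert(e["RecordId"], action, scope, group,
                            member, actor, severity))
    return alerts


# Constructed sample events (not real log data), shaped like the XML fields
# of Security events 4728/4732/4756/4729.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=j.doe,OU=Users,DC=corp,DC=example",
     "SubjectUserName": "svc_deploy"},
    {"RecordId": 102, "EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=a.smith,OU=Users,DC=corp,DC=example",
     "SubjectUserName": "helpdesk01"},
    {"RecordId": 103, "EventID": 4756, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=m.lee,OU=Users,DC=corp,DC=example",
     "SubjectUserName": "m.lee"},
    {"RecordId": 104, "EventID": 4729, "TargetUserName": "Backup Operators",
     "MemberName": "CN=backup_svc,OU=Service,DC=corp,DC=example",
     "SubjectUserName": "admin.ops"},
]


if __name__ == "__main__":
    for a in detect_privileged_group_changes(SAMPLE_EVENTS):
        print(f"[{a.severity.upper():8}] record {a.record_id}: {a.actor} "
              f"{a.action} {a.member} {'to' if a.action == 'added' else 'from'} "
              f"{a.scope} group '{a.group}'")
```

In production the events would come from a forwarded Security log or SIEM rather than an inline list, and the output would feed an alerting pipeline; the rule logic itself does not change. The self-elevation check is deliberately strict (exact name match), so a real rule would also map the actor's SID to cover renamed or alternate admin accounts.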