LockBit Gang Claims China Bank Paid Ransom

China’s Industrial and Commercial Bank (ICBC), the world’s biggest lender by assets, has reportedly paid a ransom to unlock its systems after being hit by the Russia-backed LockBit ransom-as-a-service gang late last week.

"They paid a ransom, deal closed," a LockBit representative told Reuters via Tox, an online messaging app. The news service said it has not been able to independently confirm the ransom nor the amount of payment.

LockBit's Tactics, Market Disruption

The strike on ICBC by the LockBit 3.0 malware reportedly disrupted trades in the U.S. Treasury market on November 9, 2023. The outage at ICBC's U.S. broker-dealer left it temporarily owing $9 billion to BNY Mellon BK.N, Reuters reported.

The ICBC Financial Services unit for the U.S. said it was investigating the attack that disrupted some of its systems, and making progress toward recovering from it, according to the Reuters report.

LockBit is among the most notorious of ransom operatives. Now in its third decade, the LockBit malware is still more modular and evasive than its predecessors, with the gang making its money by stealing and releasing data unless a ransom is paid.

As an example, last month LockBit said they had obtained "a tremendous amount" of sensitive data from Boeing's parts and distribution units and would dump it online if the aerospace giant didn't pay a ransom by November 2.

When Boeing apparently declined to pay ransom, LockBit on November 10 published 50GB of information it allegedly stole from Boeing after days of adding and removing the company from its leak site. The gang made several unverified claims that it was negotiating a ransom with after talks fell apart, Recorded Future reported.

Big fish ransomware attacks rather than smaller scattered hits have taken favor with cyber gangs. For example, Caesars is said to have paid a $15 million ransom when hit by the Scattered Spider, a Black Cat affiliate in September. In the tandem attack on MGM, the attackers reportedly did not make a ransom demand until well after the strike, prompting the resort giant to deny payment because it had already begun to repair the damage.

To Pay or Not to Pay Ransom

Governments worldwide are beginning to make a collective stand against ransomware gangs. Earlier this month, a U.S.-led international alliance of at least 40 countries vowed not to pay ransoms to cyber hijackers, lining up with efforts by some private industry to push back on hackers’ demands to unlock their systems.

As cyberattackers have stepped up their funding tactics by threatening so-called double extortion, not only by freezing systems and networks but also by posting stolen confidential data on the dark web. Accordingly, the call for a counteroffensive by government entities has become more determined. The pledge does not extend to private industry, officials said.

"As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies told reporters.

1700 U.S. Organizations Impacted

According to data compiled by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), LockBit has hit some 1,700 organizations in the U.S. since its inception. It was first observed in January, 2020, and has extorted roughly $100 million so far.

Two months ago, cybersecurity specialist eSentire warned service providers and public sector and private industry to batten down their remote monitoring and management tools (RMM), as LockBit has been using the technology to spread their malware.

In a blog post, the managed detection and response provider (MDR) is urging managed service providers (MSPs), managed security service providers (MSSPs), IT consultants and private sector organizations to steel themselves for a possible LockBit attack.

eSentire said that in recent months LockBit has attacked an MSP and two manufacturers and have hijacked the targets’ RMM tools or brought their own to spread ransomware to the MSP’s downstream customers and across the manufacturers’ networks. Two incidents occurred between February 2023 and June 2023, and a third attack took place in February 2022.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.