
Ransomware Attack Disrupts ICBC’s US Arm, Raises Concerns in the Financial Sector

The Industrial and Commercial Bank of China’s US arm was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday



In a concerning development, the US arm of the Industrial and Commercial Bank of China (ICBC) fell victim to a ransomware attack, disrupting trades in the US Treasury market. This incident is the latest in a string of attacks orchestrated by ransom-demanding hackers, casting a spotlight on the ever-growing threat of cybercrime.

ICBC Financial Services, the US subsidiary of China’s largest commercial lender, reported that it is actively investigating the attack, and progress is being made towards restoring its systems. China’s foreign ministry issued a statement, assuring that ICBC is working diligently to minimize the impact and losses resulting from the attack.

According to the ministry spokesperson Wang Wenbin, ICBC’s head office and its branches and subsidiaries worldwide have not experienced any disruption in their operations. The bank is making efforts to ensure business continuity in the face of this cyberattack.

Ransomware attacks, such as the one targeting ICBC, involve intruders encrypting a victim’s systems and demanding payment in exchange for the decryption key. Modern operations also typically steal sensitive data before encrypting it, so that the threat of publication gives the attackers a second lever for extortion even when the victim can restore from backups; stolen data may also be sold on criminal markets.

Allan Liska, a ransomware expert at cybersecurity company Recorded Future, remarked that it is unusual to see a large financial institution like ICBC being hit with such a disruptive ransomware attack. Liska also shares the belief that LockBit is behind the attack. He points out that ransomware groups may not publicly disclose their victims while negotiations are ongoing.

“This attack continues a trend of increasing brazenness by ransomware groups,” Liska notes. “With no fear of repercussions, ransomware groups feel no target is off limits.”

The United States authorities have been grappling with the challenge of curbing cybercrime, particularly ransomware attacks, which affect hundreds of companies across various industries each year. Recent efforts have focused on disrupting the funding routes of ransomware gangs by enhancing information sharing among a 40-country alliance.

What is LockBit 3.0

LockBit is one of a long line of extortion-driven ransomware families. Formerly known as “ABCD” ransomware, it has since grown into a distinct threat in its own right. LockBit is crypto-ransomware: it encrypts the victim’s data and frames its ransom demand around payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.

Attacks using LockBit began in September 2019, when it was dubbed the “.abcd virus” after the file extension it appended to encrypted files. Notable past targets include organizations in the United States, China, India, Indonesia and Ukraine, as well as several European countries (France, the UK and Germany).

LockBit 3.0 operates under a Ransomware-as-a-Service (RaaS) model. The developers build and maintain the malware, the payment portal and the leak site; affiliates, who carry out the actual intrusions, use that tooling and infrastructure in exchange for a share of the ransom. This division of labour is why attacks attributed to “LockBit” vary so widely in their initial access and tradecraft.


The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to disseminate LockBit 3.0 ransomware indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified through FBI investigations as recently as March 2023.

According to the CSA, LockBit 3.0 operates as a Ransomware-as-a-Service (RaaS) and is a continuation of the earlier LockBit and LockBit 2.0 variants. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; because affiliates deploying the LockBit RaaS use widely varying TTPs and attack a broad range of businesses and critical infrastructure organizations, effective network defense and mitigation are challenging.

Its characteristics

1. Modularity and Evasiveness

LockBit 3.0, also known as “LockBit Black,” is described as more modular and evasive than its previous versions: the builder produces payloads whose features are selected per deployment, and the packed, password-protected binary resists static analysis and signature-based detection.

2. Configuration Options: 

LockBit 3.0 is configured at compile time with options that determine its default behavior. At execution time, additional command-line arguments can be supplied to modify that behavior further, in particular to enable lateral movement (spreading via Group Policy or administrative shares) and to reboot the host into Safe Mode before encrypting, where many security tools are not running.

3. Password Requirement:

LockBit 3.0 may require a password (a cryptographic key) at execution. Unless an affiliate has a passwordless build, the correct password must be passed as an argument when the ransomware is launched. The binary’s code is stored encrypted and is only decrypted in memory with that password, so without it the sample is an opaque blob that sandboxes cannot detonate and analysts cannot reverse, which hinders both detection and analysis.

4. Language-Based Exclusion:

LockBit 3.0 has the capability to avoid infecting machines that have specific language settings. The ransomware has an exclusion list of languages, and if a system’s language matches one of those on the list, LockBit 3.0 will stop execution without infecting the system.

LockBit 3.0 is designed with multiple features that make it more versatile and difficult to detect, including its modular structure, the use of passwords, and the ability to avoid infecting systems with certain language settings. The CSA provided this information to help organizations understand the characteristics and behavior of this ransomware.

How it works 

LockBit ransomware works in a multi-stage process, and understanding how it operates can help in devising strategies to defend against it. Here’s a breakdown of how LockBit typically works:

1. Exploitation:

– LockBit affiliates gain initial access through a variety of methods: exploiting vulnerabilities in internet-facing services, abusing valid, purchased or brute-forced credentials (commonly for Remote Desktop Protocol), and social engineering such as phishing.

2. Infiltration:

– After initial access, the operators perform reconnaissance to map the network and identify high-value targets such as domain controllers, file servers and backup systems, looking for weaknesses that can be exploited.

3. Privilege Escalation:

– If the initial access doesn’t provide sufficient privileges, LockBit attempts to escalate its access. This can involve exploiting vulnerabilities to gain higher-level access within the network.

4. Network Propagation:

– LockBit is known for spreading within a network with little manual effort once it holds usable credentials. According to the CSA, LockBit 3.0 attempts to spread using a preconfigured list of credentials hardcoded at compile time or a compromised local account with elevated privileges, pushing itself to other hosts via Group Policy Objects and PsExec over the Server Message Block (SMB) protocol. This built-in propagation is what lets a single foothold become a network-wide incident very quickly.

5. Data Encryption:

Once the network is prepared, LockBit initiates the encryption phase. It encrypts data across multiple machines, making it inaccessible. It may encrypt files with specific extensions and leave a ransom note with instructions in each folder.

6. Ransom Demand:

After encrypting the data, LockBit presents a ransom demand. Victims are provided with instructions on how to pay the ransom to receive a decryption key. Payment does not guarantee data recovery, and paying ransoms is discouraged by law enforcement.

7. Data Exfiltration (Optional):

– In some cases, LockBit operators may exfiltrate sensitive data before encryption. This data can be used for blackmail, putting additional pressure on victims to pay the ransom.

8. Extortion:

– LockBit operators may threaten to publish stolen data if victims refuse to comply with ransom demands.

It’s important to note that LockBit’s built-in propagation makes it particularly challenging to contain: once it is running with sufficient privileges it can reach many machines in a short time, so containment (isolating hosts, disabling compromised accounts, blocking SMB between workstations) has to happen fast, and recovery is correspondingly harder.
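A hunting script built from the two behaviours described above (the password- and argument-driven launch in the characteristics section, and the Group Policy/PsExec spreading in step 4), as an added example rather than code from the article or from the advisory. It runs over constructed Sysmon-style process-creation events. The switch names come from the joint CSA; the JSON field layout, host names and sample command lines are assumptions made for this example.

```python
"""Hunt for LockBit 3.0-style execution and lateral-movement indicators in
process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent).

Added example, not code from the article or from the joint CSA it cites. The
command-line switches checked (-pass, -psex, -gspd, -gdel, -safe, -del, -wall,
-path) are those listed in the FBI/CISA/MS-ISAC LockBit 3.0 advisory; the
JSON log layout and the sample events below are constructed for this example.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Switches from the CSA. The unpacking and lateral-movement switches are rare
# in legitimate software; the others collide with ordinary CLI tools, so they
# only count in combination.
STRONG_FLAGS = {"-pass", "-psex", "-gspd", "-gdel"}
WEAK_FLAGS = {"-safe", "-del", "-wall", "-path"}

# -pass takes a 32-character value: the key that decrypts the packed payload.
PASS_RE = re.compile(r"(?i)(?:^|\s)-pass\s+(\S{32})(?:\s|$)")
# PsExec deploys its service binary (PSEXESVC.exe by default) on the target
# host; its appearance as a new process is a common remote-execution signal.
PSEXEC_SVC_RE = re.compile(r"(?i)\\psexesvc\.exe$")


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    rule: str
    evidence: str


def analyze_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the LockBit 3.0 rules to one process-creation event."""
    host = ev.get("Computer", "?")
    pid = int(ev.get("ProcessId", 0))
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    findings: List[Finding] = []

    tokens = {t.lower() for t in cmd.split() if t.startswith("-")}
    strong = tokens & STRONG_FLAGS
    weak = tokens & WEAK_FLAGS
    pw = PASS_RE.search(cmd)

    if pw:
        findings.append(Finding(host, pid, "lockbit3_unpack_password", f"-pass {pw.group(1)}"))
    if strong - {"-pass"}:
        findings.append(Finding(host, pid, "lockbit3_rare_switch",
                                " ".join(sorted(strong - {"-pass"}))))
    # Three or more of the generic switches together is still a LockBit-shaped
    # invocation even when the rare ones are absent.
    if not strong and len(weak) >= 3:
        findings.append(Finding(host, pid, "lockbit3_flag_combination", " ".join(sorted(weak))))
    if PSEXEC_SVC_RE.search(image):
        findings.append(Finding(host, pid, "psexec_service_binary", image))
    return findings


def hunt(log_lines: List[str]) -> List[Finding]:
    """Parse newline-delimited JSON events and return every finding."""
    findings: List[Finding] = []
    for line in log_lines:
        line = line.strip()
        if line:
            findings.extend(analyze_event(json.loads(line)))
    return findings


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Hosts to isolate first: any host with at least one finding."""
    return sorted({f.host for f in findings})


# Constructed sample telemetry (not real incident data).
SAMPLE_LOG = [
    '{"Computer": "WS-0142", "ProcessId": "4120", "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", '
    '"CommandLine": "C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs -p"}',
    '{"Computer": "FS-01", "ProcessId": "6688", "Image": "C:\\\\Users\\\\Public\\\\LB3.exe", '
    '"CommandLine": "C:\\\\Users\\\\Public\\\\LB3.exe -pass 0123456789abcdef0123456789abcdef -psex -safe"}',
    '{"Computer": "FS-02", "ProcessId": "5212", "Image": "C:\\\\Windows\\\\PSEXESVC.exe", '
    '"CommandLine": "C:\\\\Windows\\\\PSEXESVC.exe"}',
    '{"Computer": "WS-0077", "ProcessId": "3300", "Image": "C:\\\\Tools\\\\backup.exe", '
    '"CommandLine": "C:\\\\Tools\\\\backup.exe -path D:\\\\data -del"}',
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.host:8} pid={f.pid:<6} {f.rule:28} {f.evidence}")
    print("isolate first:", hosts_to_isolate(results))
```

The backup tool on WS-0077 uses two of the generic switches and is deliberately not flagged; the rare switches and the 32-character `-pass` value carry the signal. In practice the PsExec rule should also be correlated with the Service Control Manager event for the new service, and the whole rule set belongs in the EDR or SIEM rather than a script run after the fact.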

The threats it poses

LockBit ransomware poses significant threats to various industries due to its ability to disrupt operations, steal sensitive data, and demand ransoms. Here are the key threats it poses to industries:

1. Operational Disruption:

LockBit can cause essential functions to come to a sudden halt. Industries may experience downtime, impacting productivity, customer service, and revenue. In sectors like healthcare or manufacturing, downtime can affect patient care or production lines.

2. Financial Loss:

Ransom payments, even if made, do not guarantee data recovery. Industries may face significant financial losses associated with ransom payments, system restoration, and operational disruption.

3. Data Theft:

LockBit operators may steal sensitive data before encryption. This data can include customer records, financial information, proprietary intellectual property, and more. Data breaches can result in legal and reputational consequences.

4. Reputation Damage:

Industries handling customer data are at risk of damaging their reputation due to data breaches. Losing customer trust can have long-term consequences and lead to customer churn.

5. Legal and Regulatory Consequences:

Industries must comply with various data protection and privacy regulations. A data breach caused by ransomware can result in regulatory fines and legal action.

6. Supply Chain Disruption:

Ransomware attacks on key suppliers or service providers can disrupt an industry’s supply chain, affecting product availability and production schedules.

7. Network Compromise:

LockBit’s ability to spread autonomously within a network can lead to the compromise of multiple systems. This makes containment and cleanup more complex.

8. Increased Cybersecurity Costs:

Industries affected by ransomware often need to invest in enhanced cybersecurity measures, employee training, and incident response capabilities to prevent future attacks.

9. Extended Recovery Time:

Recovering from a ransomware attack can be time-consuming and costly. Industries may need to rebuild systems, restore data from backups, and investigate the extent of the breach.

10. Long-Term Impacts:

The long-term impact of a ransomware attack can be felt for years, with increased security spending, insurance premiums, and ongoing vigilance required to prevent future incidents.

To mitigate these threats, industries should prioritize robust cybersecurity measures, including regular data backups, employee training, strong access controls, and incident response planning. Cooperation with law enforcement and sharing threat intelligence can also help identify and track ransomware operators. Ultimately, proactive prevention and preparedness are key to mitigating the risks associated with LockBit and other ransomware threats.

Preventive Measures

Preventing ransomware attacks, such as LockBit, requires a combination of proactive cybersecurity measures and user education. Here are essential steps to prevent ransomware:

1. Employee Training:

– Educate employees about the dangers of ransomware, phishing, and social engineering attacks. Encourage them to be cautious when clicking on links or opening email attachments.

2. Email Security:

– Implement strong email filtering and security solutions to detect and block phishing emails and malicious attachments.

3. Patch and Update Software:

– Keep all operating systems and software applications up to date with the latest security patches and updates to address vulnerabilities.

4. Endpoint Protection:

– Use reputable antivirus and anti-malware software on all devices. Enable real-time scanning and keep it up to date.

5. Access Control:

– Implement the principle of least privilege (PoLP), granting users only the access necessary for their roles. Limit administrative privileges.

6. Network Segmentation:

– Isolate sensitive systems and data through network segmentation to limit the spread of ransomware within a network.

7. Backup and Recovery:

– Regularly back up critical data and systems. Store backups offline or in an isolated environment. Test backup restoration procedures.

8. Multi-Factor Authentication (MFA):

– Enforce MFA to add an extra layer of protection for user accounts, especially for remote access.

9. User Behavior Analytics:

– Use user behavior analytics to monitor and detect unusual user activities that may indicate a ransomware infection.

10. Incident Response Plan:

– Develop and test an incident response plan that outlines the steps to take in the event of a ransomware attack.

11. Cybersecurity Solutions:

– Invest in advanced cybersecurity solutions that use behavior-based detection and threat intelligence to identify and prevent ransomware attacks.

12. Regular Security Audits:

– Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in your systems.

13. Regular Security Awareness Training:

– Continuously educate employees about evolving threats and best practices for cybersecurity.

14. Secure Remote Desktop Protocol (RDP):

– If RDP is required, never expose it directly to the internet; put it behind a VPN or remote desktop gateway, enforce MFA and Network Level Authentication (NLA), require strong unique passwords, and limit RDP access to the users who genuinely need it.

15. User Account Management:

– Remove outdated and unused user accounts to reduce potential attack surfaces.

16. Network Security:

– Implement intrusion detection and prevention systems, firewalls, and security monitoring to identify and block malicious activity.

17. Secure Backup Strategy:

– Ensure that backup solutions are secure and not directly accessible to attackers.

18. Threat Intelligence Sharing:

– Collaborate with industry groups and share threat intelligence to identify and track ransomware operators.
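A backup verification routine that demonstrates items 7 and 17 above (test backup restoration, and make sure the backup itself has not been tampered with), as an added example rather than code from the article. It compares each file against a SHA-256 manifest written at backup time and screens files for signs that they were already encrypted when the backup ran, using byte entropy and the `<extension>.README.txt` ransom-note naming the joint CSA documents for LockBit 3.0. The file contents, paths, the appended extension and the threshold values are constructed assumptions for this example.

```python
"""Check a backup set before relying on it for ransomware recovery.

Added example, not code from the article. Every file is compared against a
SHA-256 manifest written at backup time, and each file is screened for signs
that it was already encrypted by ransomware (near-random byte entropy, or a
ransom note named <extension>.README.txt as the joint CSA documents for
LockBit 3.0). All file contents, paths and the appended extension are
constructed for this example.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0, text near 4-5
MIN_ENTROPY_SIZE = 4096   # entropy of small files is too noisy to judge
# Legitimately compressed formats are also high-entropy; exempt them so the
# check does not flag every archive and image in the set.
COMPRESSED_EXTS = (".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Taken at backup time. Keep it with the offline copy, not on the backup
    host, so an attacker who reaches the host cannot rewrite it to match."""
    return {path: sha256_hex(data) for path, data in files.items()}


def looks_encrypted(path: str, data: bytes) -> bool:
    if len(data) < MIN_ENTROPY_SIZE or path.lower().endswith(COMPRESSED_EXTS):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs; an empty list means the set is restorable."""
    problems: List[Tuple[str, str]] = []
    for path in sorted(set(files) | set(manifest)):
        if path not in files:
            problems.append((path, "missing"))
            continue
        data = files[path]
        if path not in manifest:
            problems.append((path, "unexpected_file"))
        elif sha256_hex(data) != manifest[path]:
            problems.append((path, "hash_mismatch"))
        if looks_encrypted(path, data):
            problems.append((path, "high_entropy"))
        if path.lower().endswith(".readme.txt"):
            problems.append((path, "ransom_note_name"))
    return problems


# Constructed sample data. The "ciphertext" is deterministic pseudo-random
# output standing in for encrypted content; the extension k3Rz9Qx1p is made up.
_TEXT = b"date,account,amount\n2024-03-01,4711,1250.00\n" * 200
_CIPHERTEXT = b"".join(hashlib.sha256(b"ctr:%d" % i).digest() for i in range(256))
_IMAGE = b"".join(hashlib.sha256(b"img:%d" % i).digest() for i in range(256))

CLEAN_SET = {
    "finance/ledger.csv": _TEXT,
    "finance/q3-report.txt": b"Quarterly summary: revenue up, costs flat.\n" * 120,
    "media/logo.png": _IMAGE,
}
MANIFEST = build_manifest(CLEAN_SET)

TAMPERED_SET = {
    "finance/ledger.csv.k3Rz9Qx1p": _CIPHERTEXT,   # encrypted and renamed
    "finance/k3Rz9Qx1p.README.txt": b"Your files are encrypted. Contact us.\n",
    "finance/q3-report.txt": b"Quarterly summary: revenue up, costs flat.\n" * 119,  # altered
    "media/logo.png": _IMAGE,                       # untouched
}

if __name__ == "__main__":
    print("clean set:", verify_backup(CLEAN_SET, MANIFEST) or "OK")
    for path, problem in verify_backup(TAMPERED_SET, MANIFEST):
        print(f"{problem:16} {path}")
```

The entropy heuristic only tells you that a file is not the plaintext you expected; the manifest comparison is what proves the copy is the one you took. Run this against the offline copy on a clean host before any restore, because a backup taken after encryption began will verify as internally consistent yet restore nothing but ciphertext.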

By following these preventive measures and maintaining a strong cybersecurity posture, corporate entities can significantly reduce the risk of falling victim to ransomware like LockBit. It’s important to remember that prevention and preparedness are key components of a successful defense against ransomware attacks.


Preventing LockBit and other ransomware attacks requires a combination of strong cybersecurity practices, regular backups, user training, and network security measures. Having a robust incident response plan is crucial to minimize the impact of a ransomware attack if prevention fails. As cyberattacks continue to evolve in sophistication and scale, the financial sector and businesses at large must remain vigilant and invest in robust cybersecurity measures to protect their operations and sensitive data from the growing threat of ransomware attacks.
