On June 23, 2024, the LockBit cybercriminal group that offers ransomware as a service (RaaS) announced that it had infiltrated the systems of the Federal Reserve, compromising thirty-three terabytes of sensitive banking information. The notorious ransomware group gave the Federal Reserve just two days to pay up. To prove its claims, the group posted files that looked like parent directories, torrents, and compressed archive files, sharing a sample of stolen data from Evolve Bank & Trust. If true, this breach could have posed a serious threat to the entire banking system. Fortunately for the world economy, the Federal Reserve breach was a publicity stunt.
A Lie with a Kernel of Truth
Just before LockBit’s stunt, the Federal Reserve issued an enforcement action against Evolve for “deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs.” This assessment was unfortunately proven accurate when Evolve confirmed that it was the victim of a ransomware attack by LockBit in July.
Data belonging to more than 7.6 million customers was stolen during a break-in using the LockBit ransomware software in late May. The breach notification also confirmed that the data theft affected at least three of its partners and Evolve expects the number of persons affected to rise as investigations continue. While the attackers don’t appear to have accessed any company funds, they were able to download customer information from databases and a file share.
When LockBit first announced the Federal Reserve breach, opinions were divided on the threat, highlighting the difficulty of assessing the credibility of a threat by such groups. In May 2024 alone, LockBit claimed responsibility for over 150 out of the 450 ransomware attacks reported, highlighting its aggressive activity despite international efforts by law enforcement agencies to disrupt it earlier in the year by seizing control of darknet websites that belonged to the gang. Recently identified targets include Saint Anthony Hospital in Chicago, specialized machinery supplier Grimme in Denmark, Manchester Fertility Services in the UK, and electromechanical and marine engineering services firm Semesco in Cyprus, illustrating LockBit’s wide reach. These attacks demonstrate the ongoing threat the group poses to diverse industries worldwide; they are a credible threat and have the capabilities required to carry out a successful attack.
Reacting to Ransomware
Despite a demand for payment, neither the Federal Reserve nor Evolve Bank & Trust chose to pay the ransom. Doing so comes with significant risks; attackers may not provide a decryption key (or at least a working one), they may still release the stolen data or retain it for future use, and payment can become an incentive for future attacks, either by the same group or other malicious actors.
In fact, paying ransoms to some groups or individuals may in itself be illegal. The federal government lacks laws specifically regarding ransomware, but ransom payments are considered a type of transaction; the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) both include rules prohibiting foreign financial engagement. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) handles most of these violations, which may result in civil penalties or even prison time if individual people’s actions are considered criminal or criminally negligent. Similarly, the UK government advises against making or facilitating ransomware payments and warns that those who do so will be subject to financial sanctions.
While all parties acknowledge the difficulties involved for organizations undergoing a ransomware attack, paying the ransom is never the right answer. Payment funds these gangs, encourages them to continue their criminal activities, and in any case does not provide a viable remedy. It is not a reliable way to recover or decrypt stolen data, does not protect customers from having sensitive information released, and does nothing to repair the loss of trust incurred by such an incident.
Mitigating the LockBit Threat
While the Federal Reserve remains safe, for now, financial institutions must strengthen their cybersecurity measures to mitigate the threats LockBit and others like them continue to present.
The Cybersecurity and Infrastructure Security Agency (CISA) created the Ransomware Vulnerability Warning Pilot (RVWP) “to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks” and notify system owners of these security vulnerabilities. This effort enables financial institutions and others to address vulnerabilities before they are used to carry out an attack.
In addition to awareness about and mitigation of known vulnerabilities used by ransomware groups, organizations must harden their environments in other ways. This includes implementing email security solutions to defend against phishing and other email-based attacks, which are common entry points for ransomware. Additionally, financial institutions can use advanced threat protection capable of defending against zero-day vulnerabilities and unknown malware as well as segregate operational networks where possible. These measures can help organizations prevent data leakage and limit the impact of any potential breach.
