Ransomware Disrupts ICBC of China


A disruption in the U.S. Treasury market arm of the Industrial and Commercial Bank of China (ICBC) yesterday was confirmed to have been caused by a ransomware attack. This hack is the latest in a string of ransom-demanding hacks cited this year. While the ICBC said that it “successfully cleared” a number of U.S. Treasury trades executed on Wednesday as well as repo financing trades, it has been noted that the ransomware attack prevented the ICBC from settling Treasury trades on behalf of other market participants. Founded as a limited company in 1984, ICBC is a state-owned commercial bank. ICBC is the biggest of China’s “Big Four” banks and the world’s largest lender by assets, according to S&P Global.

The U.S. Treasury Department stated, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.”

Based on independent confirmation, several sources claim that the ransomware used is called LockBit 3.0. Usually, but not always, an attacker is able to use a malicious link in order to obtain remote access as an administrator. The challenge with LockBit 3.0 is its evasiveness and its modularity. According to the CISA (Cybersecurity and Infrastructure Security Agency), “If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware.” This cryptographic key is needed to even have an opportunity to analyze the software, making anti-malware provisions difficult for firms and governments.

LockBit, the group behind the software itself, calls its business model “ransomware-as-a-service”. It effectively sells its malicious software to other hackers, known as affiliates, who then go on to carry out cyberattacks. The group has been known to post on the dark web in both Russian and English yet is believed to be from the Netherlands.

In June, the U.S. Department of Justice charged a Russian national for his involvement in “deploying numerous LockBit ransomware and other cyberattacks” against computers in the U.S., Asia, Europe and Africa.

“LockBit actors have executed over 1,400 attacks against victims in the United States and around the world, issuing over $100 Mn in ransom demands and receiving at least as much as tens of millions of dollars in actual ransom payments made in the form of bitcoin,” the DOJ said in a press release in June.