After a disruption in February, LockBit roared back in May, highlighting persistent cyber threats to the financial sector.
When law enforcement agencies said they had shut down the notorious LockBit hacker group earlier this year, it looked like good news for the financial institutions that were frequent targets of the gang's ransomware attacks. But recent developments suggest LockBit members have regrouped and are on the attack again, just as some cybersecurity experts warned they would.
In the time since the FBI, U.K. and European law enforcement agencies disrupted LockBit in February, there has been some encouraging news for victims and potential targets of LockBit. Last week, Dutch and Ukrainian law enforcement identified a Kyiv resident who worked with LockBit and other ransomware groups. The same day, the FBI announced it had acquired more than 7,000 decryption keys that can help victims of LockBit ransomware reclaim their data.
Despite the progress, LockBit has shown some signs of life. On May 8, the day after the FBI publicly identified LockBit's leader as Russian national Dmitry Khoroshev, the gang claimed responsibility for a breach against the city of Wichita, Kansas. On May 23, the group published data it claims it stole from London Drugs, a Canadian pharmacy chain. So far in June, the group has claimed responsibility for 12 separate ransomware attacks, according to the group's victim-shaming blog.
The group "surged in prevalence after a short hiatus," according to a report released Monday by Check Point Software, an American-Israeli provider of security software. LockBit accounted for roughly one third of the attacks publicly claimed by ransomware groups tracked by Check Point.
"While law enforcement bodies managed to temporarily disrupt the LockBit cybergang by exposing one of its leaders and affiliates in addition to releasing over 7,000 LockBit decryption keys, it is still not enough for a complete takedown of the threat," the report reads. "It is not surprising to see them regroup and deploy new tactics to continue in their pursuits."
LockBit is only one of several ransomware gangs banks need to worry about. In a report released in March by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the cybersecurity consortium for financial companies specifically named a number of threats that have recently menaced the sector, including Alphv, Qakbot and TA569.
Alphv, also known as BlackCat, is a ransomware group that in 2023 attacked financial software firm MeridianLink, casino and resort groups MGM Resorts and Caesars Entertainment, point of sale manufacturer NCR and ATM provider QSI. Last year, Alphv was the second most prolific ransomware group, behind only LockBit, according to cybersecurity firm Cyberint.
Qakbot is botnet malware that threat actors initially designed to target banking applications specifically, but the Trojan has evolved, and threat actors can now use the malware to target systems in other sectors, according to FS-ISAC. The malware is notable because the FBI announced in August that it had disrupted Qakbot, but cybersecurity experts found evidence that the threat actor behind it began distributing a new kind of ransomware around the same time.
TA569 is an initial access broker that sells access to networks compromised by SocGholish, a type of malware that masquerades as software updates (hence its alternative name FakeUpdates). TA569 compromises vulnerable websites to display fake messages that the user's browser needs to be updated, a tactic FS-ISAC says other groups have copied.
SocGholish and Qakbot were two of the top five malware families reported by FS-ISAC members in 2023. The other three were Agent Tesla, AsyncRAT and NetSupport RAT. Each of these three malware families is a type of remote access Trojan (RAT), which enables the attacker to monitor or control the infected system and disguise themselves as legitimate software.