After a disruption in February, LockBit roared back in May, highlighting persistent cyber threats to the financial sector.
When law enforcement agencies said they had shut down the notorious LockBit hacker group earlier this year, it looked like good news for the financial institutions that were frequent targets of the gang's ransomware attacks. But recent developments suggest LockBit members have regrouped and are on the attack again, just as some cybersecurity experts warned they would.
In the time since the FBI, U.K. and European law enforcement agencies disrupted LockBit in February, there has been some encouraging news for victims and potential targets of LockBit. Last week, Dutch and Ukrainian law enforcement identified a Kyiv resident who worked with LockBit and other ransomware groups. The same day, the FBI announced it had acquired more than 7,000 decryption keys that can help victims of LockBit ransomware reclaim their data.
Despite the progress, LockBit has shown some signs of life. On May 8, the day after the FBI publicly identified LockBit's leader as Russian national Dmitry Khoroshev, the gang claimed responsibility for a breach against the city of Wichita, Kansas. On May 23, the group published data it claims it stole from London Drugs, a Canadian pharmacy chain. So far in June, the group has claimed responsibility for 12 separate ransomware attacks, according to the group's victim-shaming blog.
The group "surged in prevalence after a short hiatus," according to a report released Monday by Check Point Software, an American-Israeli provider of security software. LockBit accounted for roughly one third of the attacks publicly claimed by ransomware groups tracked by Check Point.
"While law enforcement bodies managed to temporarily disrupt the LockBit cybergang by exposing one of its leaders and affiliates in addition to releasing over 7,000 LockBit decryption keys, it is still not enough for a complete takedown of the threat," the report reads. "It is not surprising to see them regroup and deploy new tactics to continue in their pursuits."
LockBit is only one of several ransomware gangs banks need to worry about. In a report released in March by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the cybersecurity consortium for financial companies specifically named a number of threats that have recently menaced the sector, including Alphv, Qakbot and TA569.
Alphv, also known as BlackCat, is a ransomware group that in 2023 attacked financial software firm MeridianLink, casino and resort groups MGM Resorts and Caesars Entertainment, point of sale manufacturer NCR and ATM provider QSI. Last year, Alphv was the second most prolific ransomware group, behind only LockBit, according to cybersecurity firm Cyberint.
Qakbot is botnet malware that threat actors initially designed to target banking applications specifically, but the Trojan has evolved, and threat actors can now use the malware to target systems in other sectors, according to FS-ISAC. The malware is notable because the FBI announced in August that it had disrupted Qakbot, but cybersecurity experts found evidence that the threat actor behind it began distributing a new kind of ransomware around the same time.
TA569 is an initial access broker that sells access to networks compromised by SocGholish, a type of malware that masquerades as software updates (hence its alternative name FakeUpdates). TA569 compromises vulnerable websites to display fake messages that the user's browser needs to be updated, a tactic FS-ISAC says other groups have copied.
SocGholish and Qakbot were two of the top five malware families reported by FS-ISAC members in 2023. The other three were Agent Tesla, AsyncRAT and NetSupport RAT. Each of these three malware families is a type of remote access Trojan (RAT), which enables the attacker to monitor or control the infected system and disguises itself as legitimate software.