After a disruption in February, LockBit roared back in May, highlighting persistent cyber threats to the financial sector.
When law enforcement agencies said they had shut down the notorious LockBit hacker group earlier this year, it looked like good news for the financial institutions that were frequent targets of the gang's ransomware attacks. But recent developments suggest LockBit members have regrouped and are on the attack again, just as some cybersecurity experts warned they would.
In the time since the FBI, U.K. and European law enforcement agencies disrupted LockBit in February, there has been some encouraging news for victims and potential targets of LockBit. Last week, Dutch and Ukrainian law enforcement identified a Kyiv resident who worked with LockBit and other ransomware groups. The same day, the FBI announced it had acquired more than 7,000 decryption keys that can help victims of LockBit ransomware reclaim their data.
Despite the progress, LockBit has shown some signs of life. On May 8, the day after the FBI publicly identified LockBit's leader as Russian national Dmitry Khoroshev, the gang claimed responsibility for a breach against the city of Wichita, Kansas. On May 23, the group published data it claims it stole from London Drugs, a Canadian pharmacy chain. So far in June, the group has claimed responsibility for 12 separate ransomware attacks, according to the group's victim-shaming blog.
The group "surged in prevalence after a short hiatus," according to a report released Monday by Check Point Software, an American-Israeli provider of security software. LockBit accounted for roughly one third of the attacks publicly claimed by ransomware groups tracked by Check Point.
"While law enforcement bodies managed to temporarily disrupt the LockBit cybergang by exposing one of its leaders and affiliates in addition to releasing over 7,000 LockBit decryption keys, it is still not enough for a complete takedown of the threat," the report reads. "It is not surprising to see them regroup and deploy new tactics to continue in their pursuits."
LockBit is only one of several ransomware gangs banks need to worry about. In a report released in March by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the cybersecurity consortium for financial companies specifically named a number of threats that have recently menaced the sector, including Alphv, Qakbot and TA569.
The hacker group is threatening to publish personal data from multiple U.S. financial institutions and using known vulnerabilities to get into their systems.
Alphv, also known as BlackCat, is a ransomware group that in 2023 attacked financial software firm MeridianLink, casino and resort groups MGM Resorts and Caesars Entertainment, point of sale manufacturer NCR and ATM provider QSI. Last year, Alphv was the second most prolific ransomware group, behind only LockBit, according to cybersecurity firm Cyberint.
Qakbot is botnet malware that threat actors initially designed to target banking applications specifically, but the Trojan has evolved, and threat actors can now use the malware to target systems in other sectors, according to FS-ISAC. The malware is notable because the FBI announced in August that it had disrupted Qakbot, but cybersecurity experts found evidence that the threat actor behind it began distributing a new kind of ransomware around the same time.
TA569 is an initial access broker that sells access to networks compromised by SocGholish, a type of malware that masquerades as software updates (hence its alternative name FakeUpdates). TA569 compromises vulnerable websites to display fake messages that the user's browser needs to be updated, a tactic FS-ISAC says other groups have copied.
SocGholish and Qakbot were two of the top five malware families reported by FS-ISAC members in 2023. The other three were Agent Tesla, AsyncRAT and NetSupport RAT. Each of these three malware families is a type of remote access Trojan), which enables the attacker to monitor or control the infected system and disguise themselves as legitimate software.
A district court has agreed to halt compliance with the Consumer Financial Protection Bureau's Biden-era open banking rule while the Trump administration pursues its own rule.
The Federal Open Market Committee is expected to announce guidance on the end of its quantitative tightening program later Wednesday. As that process draws to a close, experts are questioning when and how the central bank should use its balance sheet to smooth economic stress in the future.
The Consumer Financial Protection Bureau is rescinding two rules issued under former CFPB Director Rohit Chopra that required nonbanks to register court orders, plus terms and conditions of contracts.
The payments giant had a "better than expected" fiscal fourth quarter, and said it expected that momentum to carry through the holidays. It's also looking forward to tailwinds brought by the Olympics and the FIFA World Cup in 2026.
Brian McEvoy, chief retail banking officer at Webster Five in Central Massachusetts, says community banks are in a unique position to serve more small businesses. He was a speaker Tuesday at American Banker's 2025 Small Business Banking conference.
