
The US financial services division of the Industrial and Commercial Bank of China (ICBC), the globe's largest lender by assets, fell victim to a ransomware attack earlier this week. The attack reportedly led to disruptions in the trading of US Treasurys.
ICBC officially disclosed the incident on Thursday, attributing the disruption to its financial services arm, ICBC Financial Services. The bank revealed that it promptly isolated the affected systems upon detecting the attack to contain its impact. Ransomware attacks involve hackers seizing control of systems and demanding a ransom for their release. ICBC stated it is actively investigating the incident with the support of information security experts and law enforcement.
Despite ICBC claiming to have successfully cleared US Treasury trades executed on Wednesday and repo financing trades on Thursday, various news outlets, including the Financial Times, reported disruptions to US Treasury trades. The ransomware attack allegedly prevented ICBC from settling Treasury trades on behalf of other market participants.
The US Treasury Department acknowledged the cybersecurity issue, stating, "We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation."
ICBC stressed that the email and business systems of its US financial services arm operate independently of its China operations, ensuring no impact on the broader organisation's functions.
LockBit 3.0
As the investigation unfolded, cybersecurity experts identified the ransomware used in the attack as LockBit 3.0. It is characterised as "more modular and evasive" by the U.S. government’s Cybersecurity and Infrastructure Security Agency, and is notoriously difficult to analyse. The ransomware, responsible for nearly 28% of known ransomware attacks from July 2022 to June 2023, is distributed under a "ransomware-as-a-service" business model, in which the malicious software is sold to affiliates who execute the cyberattacks.
LockBit, the group behind the software, has a history of targeting small and medium-sized businesses and has previously claimed responsibility for ransomware attacks on entities like Boeing and the UK's Royal Mail. In June, the US Department of Justice charged a Russian national with involvement in deploying LockBit ransomware, citing over 1,400 attacks worldwide and ransom demands exceeding $100 million.
What is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts or locks the files on a victim's computer or network. The attackers then demand a ransom, usually in cryptocurrency, from the victim to provide the decryption key or to unlock the files. The goal of ransomware attacks is to extort money from individuals, businesses, or organisations by threatening to permanently deny access to their data.
Ransomware can infiltrate a system through various means, such as phishing emails, malicious attachments, or exploiting vulnerabilities in software. Once the malware is activated, it encrypts the victim's files, making them inaccessible. The victim is then presented with a ransom note, which includes instructions on how to make the payment to receive the decryption key.
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today