Ransomware attacks continue to target large financial organizations. This time, it was China’s biggest lender to go under the attack. Last week, data hackers claimed they hacked into the US arm of the Industrial and Commercial Bank of China’s (ICBC) operations, forcing ICBC to pay an undisclosed amount as ransom. Russia-sponsored ransomware-as-a-service gang, LockBit, is speculated to be behind this ICBC Ransomware Attack. We spoke to leading cybersecurity experts and analysts from the industry to understand the potential repercussions of ransomware attacks on large-sized organizations.
David Critchley, Regional Manager at Armis said, “This attack illustrates the increasing vulnerability of banks to cyberattacks. Data from the Armis Asset Intelligence Engine shows that the finance and insurance sector experienced a staggering 276% surge in attack attempts in 2023, highlighting the critical need for enhanced cybersecurity measures.”
He added, “The repercussions can extend far beyond the target, rippling through financial markets. While the impact has so far been limited, it might not be next time. This can negatively affect pensions, investments, and consumer confidence. In short, one attack on a large bank could destabilize an entire economy. This hits everyone where it hurts the most: their pockets.”
Aviral Verma, an Information Security Specialist, leads the Securin Research and Threat Intelligence team. As an NSA-certified Cyber Defense Ops analyst, Aviral shared his insights into the group’s history and the vulnerabilities it commonly targets so that organizations can proactively defend themselves. The ICBC ransomware attack could have been prevented if security teams had taken LockBit’s operations seriously.
Aviral said, “LockBit has been known to target global financial institutions with great success in the past; last year, the group claimed to have infiltrated the Italian Revenue Agency and exfiltrated over 70 gigabytes of sensitive data. What is notable about the Industrial and Commercial Bank of China (ICBC) ransomware attack is its severity and impact on the global financial market. Although it is yet to be known whether the group successfully exfiltrated any information, the group did manage to disrupt ICBC’s operation which is just as serious, and the threat of continued disruption could have pressured internal leadership to meet the ransomware group’s demands.
LockBit was the most deployed ransomware of 2022 and has been top of the charts in 2023 as well. The ICBC attack comes mere days after the ransomware-as-a-service (RaaS) operation claimed an attack on aerospace giant Boeing. According to CISA, LockBit has successfully extorted roughly $91 million across over 1,700 attacks against U.S. organizations alone since 2020.”
Another concerning layer to the attack is LockBit’s affiliation and known cooperation with the Russian state. As international conflict between state actors mounts across the globe, cyberwarfare tactics might become more desperate and a more prevalent threat.
“The situation may seem dire, but the cybersecurity community has documented LockBit’s tactics and provided security advisories to counteract them. Securin researchers have identified the following vulnerabilities in popular vendor products to be the most targeted by the LockBit ransomware group:
| CVE | Affected product |
|---|---|
| CVE-2021-20028 | SonicWall Secure Remote Access (SRA) |
| CVE-2021-22986 | F5 BIG-IP |
| CVE-2022-22279 | SonicWall Secure Remote Access (SRA) |
| CVE-2022-36537 | ZK Framework (Zkoss) |
| CVE-2023-20269 | Cisco Adaptive Security Appliance (ASA) |
Prioritizing these vulnerabilities will be a good first step for any organization looking to protect themselves against this threat.”
Javed Hasan, CEO and co-founder at Lineaje, explained the role CISA and the NCA play in calling out weaknesses in the security programs of US-based private organizations. Javed said, “The theme of the 20th anniversary of National Cybersecurity Awareness Month is ‘Secure Our World.’ CISA and the National Cybersecurity Alliance (NCA) are focusing on four key behaviors during the month: password management, multi-factor authentication, phishing awareness, and software updates.
It’s encouraging to see CISA and the NCA call out the importance of software when it comes to proper security hygiene — and it makes sense. On average, organizations use over 130 applications per day and the average American has over 80 apps on their phones. However, focusing on updating software alone is only the tip of the iceberg. It takes significant effort to remediate vulnerabilities, so much so that software consumers would rather take the risk than fix the problem. The burden of creating and maintaining software has shifted too much to the right with customers bearing too much of the cost and effort.
“My call to action for developers and security teams: focus on building better software and using a better, more robust software supply chain. We can’t expect the average individual to bear the brunt of the burden of defense. Organizations need to focus on buying secure software and doing a thorough assessment of previous software to ensure its integrity. Only then will we be able to live in a much more secure world,” stated Javed.
Kevin Cole, Global Director of Product and Technical Marketing at Zerto, a Hewlett Packard Enterprise company, highlighted the need to establish both proactive and reactive countermeasures within an organization’s cybersecurity strategy. Kevin said, “In our research with the Enterprise Strategy Group (ESG), we found a majority of organizations (65%) view ransomware as a top threat to their business. Breaches can have a lasting impact on both consumers and businesses, so efforts to mitigate ransomware attacks, limit downtime, and ensure continuous availability are key. As threats continue to evolve, organizations must implement holistic cybersecurity strategies that prioritize both prevention and recovery. Attackers have proven they can breach fortified security structures, so companies need a plan in place for what to do once threat actors are in. The key to this is pairing real-time encryption detection with rapid recovery capabilities to radically limit data loss and downtime. For even more ironclad security, immutable data vaults that combine offline clean rooms with isolated recovery environments give companies the best chance of ensuring cyber resilience. No solution is a silver bullet, but the best approach is a robust defense-in-depth strategy that covers the full spectrum of detection, protection, response, and recovery.”
As we head into a big year in geopolitical terms, ransomware groups could be stepping up their operations against the largest organizations, including banks, national security infrastructure, and healthcare systems. The big four enablers of cybercrime (Russia, China, Iran, and North Korea) are likely to launch menacing ransomware attacks against major banks. The best way to contain these attacks is to presume that anybody can fall victim to these groups, just as ICBC did. LockBit, for instance, has dealt heavy blows to Accenture, Boeing, Thales, China Daily, and many others in the last two years. It has only become more deceptive since LockBit 2.0 made its way onto the dark web in 2021, followed by the release of LockBit 3.0 in 2022. It has successfully intruded into the systems of 2,000 companies, toppling so-called best-in-class IT security and modernized cloud infrastructure.
As Exabeam’s Samantha Humphries said, “Too many organizations still see cybersecurity as everyone’s responsibility. While security awareness across the organization is important, a better approach is for security teams to take the time to understand the different roles, motivations, responsibilities, and business requirements of the people in their organizations.”