In a dramatic turn, the LockBit ransomware group has claimed to have stolen a vast trove of files from the US Federal Reserve and Evolve Bank and Trust, alleging a breakdown in ransom negotiations. The group threatened to release 33 terabytes of sensitive banking data if their demands weren’t met, accusing the Federal Reserve of undervaluing American bank secrecy. This escalation follows a cease-and-desist order issued to Evolve Bank for banking violations by federal regulators. Despite skepticism from cybersecurity experts about the claims’ validity, the incident underscores ongoing cybersecurity threats to critical institutions like the Federal Reserve.
The Russian-affiliated group released 21 unique URLs containing files that appear to be parent directories, torrents, and compressed archive files from another US financial institution, Evolve Bank and Trust.
The bank and its parent business, Evolve Bancorp Inc., were recently singled out by the Federal Reserve for engaging in risky and unsound banking activities.
LockBit mentioned the Federal Reserve on its dark victim blog over the weekend, threatening to disclose the alleged stolen data on June 25th if a ransom was not paid by the deadline.
Claiming to have obtained “33 terabytes of juicy banking information containing Americans’ banking secrets,” the group also implied that negotiations had broken down due to an unacceptable ransom offer from the US central bank.
“You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans’ bank secrecy at $50,000,” LockBit stated on its secret site.
Meanwhile, the Federal Reserve Board issued a cease-and-desist order to Evolve Bank and Trust this month, alleging numerous “deficiencies” in the bank’s anti-money laundering, risk management, and consumer compliance systems.
The independent consumer banking-as-a-service and mortgage lender, headquartered in Memphis, Tennessee, services people and small businesses in at least 17 states throughout the US, with assets estimated to be $1.3 billion in 2022, according to its website.
Evolve is also noted for its open banking collaborations with Fintech platforms like Mastercard, Visa, Affirm, Melio, Stripe, and Airwallex.
As part of the stolen collection, LockBit kindly attached a Federal Reserve press release from June 14th regarding the Evolve enforcement action.
According to Josh Jacobson, Director of Professional Services at HackerOne, LockBit’s threats demonstrate that “even our most integral governmental entities are not infallible to ransomware attacks.”
“If the Federal Reserve is impacted, that could have global implications. This is not a siloed infrastructure where a finite number of customers are impacted. The potential for residual impact definitely factors in, as well as long-term reputation and trust,” he said.
Is LockBit bluffing?
Many security insiders discounted the group’s assertion on Monday, believing it was more likely a bluff geared at US law enforcement for its systematic and sometimes successful targeting of the gang over the last six months.
Jacobson observed that LockBit’s warnings frequently emphasize “impact and urgency,” raising the victim’s “fight or flight mentality.” It’s a frequent technique that works well for ransomware gangs, according to Jacobson.
A victim thinks, “Goodness, this is bad, and I have to do something right now, and I am under a lot of pressure,” he added, adding that “the uncertainty exacerbates the event.”
“At this stage, we sense that LockBit’s announcement might be a hoax,” agreed Aviral Verma, Lead Security Analyst at the cybersecurity firm Securin.
Verma also out that, until Tuesday, the gang had not publicized any samples of stolen data, which was contrary to their regular practice.
“This won’t be the first time the group has made false claims, the group had even claimed the FBI as one of its victims out of frustration,” Verma said, referring to February’s temporary takedown of the group, dubbed Operation Cronos.
“There’s suspicion that the Federal Reserve claim might just be attention seeking, or even a ploy to regain notoriety among potential affiliates,” Verma told the audience.
LockBit behind 48% attacks in 2023
The cybercriminal organization has successfully evaded law enforcement since its formation in late 2019.
The LockBit cartel, which operates on a Ransomware-as-a-Service (RaaS) basis, is reported to have carried out over 1,400 attacks on victims in the United States and around the world, including Asia, Europe, and Africa.
Nonetheless, the gang experienced a significant setback this spring when the multinational Operation Cronos, led by the FBI and Interpol, hacked the group’s network infrastructure, teasing the gang with a seizure notice splashed over the LockBit leak site’s home page.
Even after the FBI publicly exposed its Russian ringleader LockbitSupp, with his image and other personal information, including the car he drives, LockBit was business as usual, starting a new leak site and targeting multiple US hospitals within days.
The threat actors’ notorious ransomware variant LockBit 3.0, also known as LockBit Black, is now in its third incarnation and is regarded as the most evasive of all previous strains, according to a US Department of Justice assessment.
The Boeing Company, Allen & Overy, and the massive 2023 exploit of the Citrix bug zero-day vulnerability have all been targets of major attacks in the last year. Recently, the organization boasted of attacks on Deutsche Telekom and the Cannes Hospital in France.
Earlier this month, the FBI reported that it had found 7,000 decryption keys, which are intended to assist victims in recovering their stolen data.
Recently, GreatGameIndia reported that in a shocking turn, the notorious ransomware group LockBit 3.0 has declared it successfully breached the Federal Reserve of the United States, claiming to have stolen a massive 33 terabytes of sensitive banking data.
