BEIJING (BLOOMBERG) – In January, it hacked the UK’s Royal Mail and halted international mail shipments, then it struck a British fintech firm, paralysing global derivatives trading. It has also crippled Japan’s biggest maritime port and struck Boeing Co’s parts and distribution business.
But arguably none of the recent cyberattacks orchestrated by LockBit – one of the most prolific ransomware gangs of all time – has shaken the financial world more than its hack of Industrial & Commercial Bank of China Ltd. The breach disclosed Thursday by the largest global lender by total assets blocked some Treasury market trades from clearing, forcing brokers and traders to reroute transactions.
“This is a true shock,” Marcus Murray, founder of the Swedish cybersecurity firm Truesec. It’s the kind of large-scale, high-profile attack that “will make large banks around the globe race to improve their defences, starting today.”
LockBit’s devastation has been roughly four years in the making. The group has been active since at least the start of 2020 and has hacked as many as 1,000 victims globally, extorting more than USD100 million in ransom demands, according to the US Justice Department. The group’s members have been tied to Russia and are active on Russian-language cybercriminal forums, according to industry experts.
The gang is what’s known as a “ransomware as a service” enterprise. Core LockBit hackers develop malware and other tools. Freelance cybercriminals then sign up with LockBit to gain access to their tools and infrastructure and do the hacking themselves. When attacks are successful, LockBit gets a commission – typically around 20 per cent of any ransom paid, according to cybersecurity firms.
“They run it like a business, and that’s the best way to explain it,” Jon DiMaggio, chief security strategist at Analyst1, said in an interview earlier this year. “The founder of LockBit runs it as if he were Steve Jobs, which is successful for them but very bad news for the rest of us.”
LockBit hackers use so-called ransomware to infiltrate systems and hold them hostage. They demand payment to unlock the computers they’ve compromised and often threaten to leak stolen data to pressure victims to pay.
The gang’s victims span Europe and the US, as well as China, India, Indonesia and Ukraine, according to cybersecurity firm Kaspersky.
Researchers have long studied LockBit’s hacking tools, determining that the group regularly updates its malicious software in order to avoid detection from cybersecurity products. One strain of malware, dubbed LockBit Black, showed that the gang had experimented with a kind of self-spreading malware that would make it easier for hackers to infiltrate victim organizations without the technical expertise typically required to do so, Sophos Group Ltd researchers wrote in a blog post.
Exactly how many people are involved in LockBit and where they are based is unknown, but the gang has said on its website that it doesn’t attack post-Soviet Union countries because most of its developers and partners were born and grew up there.
As of early Friday, ICBC hadn’t been listed on LockBit’s website as a victim. That’s not unusual, said Mattias Wåhlén, a threat intelligence expert with Truesec. “Many initial ransom notes contain the offer that, if victims pay swiftly, the ransomware group will not publish the victim’s name at all, to save public embarrassment.”
Eric Noonan, chief executive officer of the security services firm CyberSheath, described LockBit as “the most deployed ransomware in the world in 2022,” noting that it has also been “pretty active” this year. Still, Noonan said: “It really is surprising that a Chinese bank was targeted.”
Because the Chinese government banned trading in crytocurrency – hackers’ preferred method of payment – gangs don’t often target the region, according to Wåhlén. China has also traditionally been considered an ally to Russia, he said, making it a lesser target of those with Russian ties.
“If that targeting turns out to be an error, Noonan said, “we could see LockBit aid in the recovery by providing free decryption as they have in the past when the wrong victims have been targeted.”
Then again, LockBit hackers have in the past made it clear that they’re equal opportunists. In a statement issued early last year, they described themselves as “apolitical.”
“For us, it is just business,” the gang said. “We are only interested in money for our harmless and useful work.”