LockBit caused a stir in the security community this week after claiming to have breached the US Federal Reserve – and experts skeptical of the claims have been vindicated after calling the ransomware group’s bluff.
On 23 June 2024, the ransomware operator posted the Federal Reserve on its dark web leak site, along with a demand that the Fed appoint a new negotiator by 25 June or it would publish 33TB of stolen data.
As the deadline passed, however, LockBit published the 33TB and researchers got to work analyzing the material, only to find it was predominantly made up of parent directories, torrent files, and archives from banking-as-a-service provider Evolve Bank & Trust.
The only mention of the Federal Reserve is in a document in which the Fed issued a cease and desist order against the bank for multiple deficiencies in the bank’s risk management, anti-money laundering, and compliance practices.
In a statement released on 26 June 2024, Evolve Bank & Trust advised customers it was investigating a cyber security incident and confirmed that their debit cards and online banking credentials did not appear to have been affected, but warned that some personal information may have been compromised.
“It appears these bad actors have released illegally obtained data, including Personal Identification Information (PII), on the dark web. The data varies by individual but may include your name, Social Security Number, date of birth, account information and/or other personal information.”
The statement added that any affected customers will be offered complimentary credit monitoring and identity theft protection services.
ITPro has approached Evolve Bank & Trust for clarification on the authenticity of the data published by LockBit.
Unclear if LockBit lied intentionally or simply made a mistake
Andrew Costis, chapter lead of the Adversary Research Team at AttackIQ, said it’s still up for debate whether LockBit intentionally lied about the data they had obtained, or if it was simply a mistake caused by mentions of the Fed’s investigation into Evolve in some of the stolen documents.
“As it turns out, it was in fact Evolve Bank & Trust who was the victim of LockBit, and not the Federal Reserve. This was verified once the information was posted and the data was analyzed,” he explained.
“It’s concerning that a bank has fallen victim to LockBit this time, particularly the fact that 33 TB of data was successfully exfiltrated. It’s unclear as to whether LockBit deliberately lied/bluffed about attacking the Federal Reserve, or if that was a mistake on their side.”
However, the fact that the group failed to provide a data sample when posting the Federal Reserve on its leak site, as it is known to do, indicates the group was aware the data was not legitimate.
Costis added that, whether or not LockBit was being intentionally misleading, there could be more to come from the group, and that enterprises should use the available information about how it operates to keep themselves protected.
“It remains uncertain whether there is more to come from LockBit. That said, organizations in the financial industry must prioritize proactive defense, with a strong focus on threat detection and response,” he said.
“By utilizing LockBit’s common tactics, techniques, and procedures (TTPs), organizations can test their systems response to identify and address any vulnerabilities before they can be exploited.”