The infamous – and notoriously aggressive – ransomware gang LockBit is once again at the top of the cybersecurity headlines, after boldly claiming that it successfully hacked 33 terabytes of sensitive data from the Federal Reserve. Furthermore, the group has insinuated that the FBI only offered $50,000 to prevent this data from leaking – which LockBit reportedly just did because its demands were not met.
LockBit mocked and taunted government negotiators on its leak site, saying: “33 terabytes of juicy banking information containing Americans’ banking secrets. You better hire another negotiator within 48 hours and fire this clinical idiot who values US bank secrecy at $50,000.”
The claim comes just months after an international task force crippled the group’s infrastructure (34 servers and 14,000 accounts) and authorities arrested key alleged leaders. Given this overthrow, many industry experts and onlookers are skeptical as to whether this claim is true – but given the group’s past tactics, it isn’t out of the question either.
“At this stage we feel that LockBit’s announcement could be a hoax,” said Aviral Verma, chief threat intelligence analyst for Safe. “The group has not published any examples of stolen data, contrary to their usual practices.”
Early reports seem to indicate just that, as the just-leaked data is believed to come from a bank that was recently sanctioned by the Federal Reserve for “deficiencies in the bank’s anti-money laundering, risk management and consumer compliance programs.”
An attention-seeking stunt?
LockBit has historically been the “most prolific and widespread ransomware strain in the world,” explains John Hammond, chief security researcher at Huntress, whose team was an integral part of the February takedown of the group. LockBit operates a ransomware-as-a-service model: it has commoditized its encryption tools so that other malicious actors, acting as initial access brokers, can bring in new victims.
The group’s MO is to go after high-profile targets and publicly denounce them if they refuse to pay, then leak sensitive information on its site (in the case of The Boeing Company, for example, it shared 50 gigabytes of data). At the same time, the gang has made false claims that were quickly dismissed – for example, claims of breaching the cybersecurity firms Darktrace and Mandiant.
“This will not be the first time that the group has made false claims,” Verma said. “The group had even claimed the FBI as one of its victims, out of frustration after Operation Cronos (the removal of the LockBit infrastructure).”
He noted that it may simply be an attention-seeking stunt, or even a “trick to regain fame among potential partners.”
After its dismantling in February, LockBit appears to be “in a state of despair,” said Ferhat Dikbiyik, chief research and intelligence officer of Black Kite. The group could try to regain its credibility and recruit affiliates by highlighting such high-profile attacks.
“These statements may be misleading, false or grossly exaggerated,” Dikbiyik said. “I urge the community and organizations to approach these claims with extreme caution.”
It’s unusual for ransomware groups to successfully penetrate such important institutions without “swift retaliation or recognition,” he said. The scale of the alleged breach and the “dramatic story” could well be part of a broader strategy to spread fear and re-establish dominance in the cybercrime ecosystem.
“Lockbit has a reputation for being dramatic and has made many false hacking claims, so we have to take everything they claim with a fairly large grain of salt,” said Chester Wisniewski, Global Field CTO at Sophos. “Unless the Fed confirms the breach, this is purely conjecture and we should all just move on and stop giving them the attention they so desperately crave.”
Dismissive, comical response
On its leak site, LockBit mocks the meager payout offer and outlines the structure of the Federal Reserve for context, noting that it distributes money through twelve banking districts in the US, including the major cities of Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
“The US negotiator’s $50,000 offer was seen as an insult given the true value of the 33 terabytes of data they claimed to have stolen,” said Peter Avery, vice president of security and compliance at Visual Edge IT.
This data likely includes sensitive citizen information, banking information, wiring numbers and possibly encryption keys that could be worth hundreds of millions of dollars, he noted. The group’s response was “not only dismissive, but almost comical.”
“LockBit has made at least half a billion dollars to date, so they’re going to laugh at the small payments offered by one of the most strategically important financial institutions in the world,” agreed Matt Radolec, VP of incident response and cloud operations at Varonis.
If the claims are true, the gang will “probably stick around for a while” and negotiate with the FBI, he predicted, also warning that “they usually mean it when they say they will leak data.”
This, he noted, should make us ask the question, “Why does the Federal Reserve place so little value on this data?”
If it is true…
An attack on government infrastructure is not unprecedented: governments have long been top targets for ransomware gangs because they often hold highly sensitive data and run hybrid cloud and on-premises environments that increase their attack surface, says John Paul Cunningham, CISO at Silverfort.
“If LockBit were indeed to carry out this attack, it would likely impact the availability and viability of the Federal Reserve’s entire technology ecosystem,” he said. But it is also in the crosshairs of law enforcement, as evidenced by its recent removal. “If this latest attack proves true, LockBit’s freedom will be counted in the coming weeks.”
Hammond noted that the intrusion or compromise of an organization in the Federal Reserve’s position could mean “just downright chaos.” Without historical precedent it is difficult to say for sure, he noted, but it is certainly easy to imagine: the banking system might have to be shut down, monetary policy could become unreliable, prices and interest rates could be destabilized, or confidence in consumer protection could be shaken.
“Given the size and scale of the Federal Reserve and the potential impact, it’s a strange line between what could be reality or what could just be overblown paranoia,” Hammond said.
Without confirmation from the Federal Reserve, we’ll have to take LockBit’s operators at their word, said Marc Laliberte, director of security operations at WatchGuard Technologies.
“It is within the realm of possibility – perhaps even likely, given the group’s track record – that they successfully stole 33 terabytes of banking data,” he said.
Ultimately, this puts the Federal Reserve in a difficult position that thousands of private organizations face every year: Do they pay the ransom and trust the group to stay true to its word and delete the stolen data? Or will they accept that the data has already been lost and not give in to LockBit’s demands?
“At this time, only the Federal Reserve and its government partners such as CISA and the FBI know the credibility of LockBit’s claims, and the true risk of the allegedly stolen data becoming public,” Laliberte said. “It is now in the hands of these teams to make a business decision on whether or not to pay the extortion.”