Ransomware Attack Hits Chinese Banking System

A ransomware attack against the financial services department of China’s largest bank on November 8 caused disruptions for the U.S. Treasury market and highlighted the increasingly disruptive nature of cyberattacks.

According to Chinese banking officials, the attack prevented the bank from executing some Treasury trading through hedge funds and asset managers, but the disruption was temporary. Chinese banking officials were able to isolate the malware causing the problem and re-route transactions through an alternative source to restore the functioning of the markets.

Experts believe the hack was carried out by the group known as LockBit. The hacker group is believed to reside in Russia or Eastern Europe. The group was also responsible for ransomware attacks on the City of London and the Royal Mail in the UK earlier this year.

LockBit rents its malware to other hackers, and experts have not determined whether the attack against the Industrial and Commercial Bank of China (ICBC) was carried out by the hacker group itself or by another group. LockBit has yet to acknowledge responsibility for the attack.

Ransomware attacks work by freezing computer systems. Hackers require a payment, typically in bitcoin, which is difficult to trace, before releasing the system. Ransomware attacks directed at banking and financial institutions are the latest example of how cybercriminals are operating.

The attack initially prevented ICBC from settling accounts on Tuesday and Wednesday, but full operation has since been restored. ICBC says it is conducting a thorough investigation into the attack to determine how the malware was loaded into the system and is also working with law enforcement to identify the culprit behind the attack.

The U.S. Department of Justice arrested a Chechen national in June who is accused of executing numerous ransomware attacks using the LockBit 3.0 software. The individual is accused of attacking computer systems in the U.S., Africa, Europe, and Asia. He is the second individual arrested in connection with LockBit in the U.S.

LockBit 3.0 is considered to be the most popular ransomware program in the world and is responsible for around 30% of cyberattacks. The program is typically loaded into a computer system after an employee opens an email. Once the ransomware is in effect, it can be very difficult to get systems running again without an alternative routing of data, as was used by ICBC on Tuesday. ICBC is the largest financial institution attacked by LockBit yet.