LockBit 3.0 Hackers Claim Federal Reserve Breach and Theft of 33TB of Data

The group has imposed a 48-hour deadline for compliance, warning of data leaks if their conditions are not satisfied.

A ransomware group operating under the LockBit 3.0 brand claims to have breached the U.S. Federal Reserve and stolen 33 terabytes of confidential data. The claim has not been independently verified.

The announcement was made on June 23, 2024, at 20:27 UTC through a post on the Dark Web leak site associated with the ransomware actors, with the attackers threatening to expose the data unless their ransom demands are met. Cybersecurity researchers Dominic Alvieri and Pietro Melillo have been sharing more details about the incident.

The actors behind this claim are likely not the same people who ran earlier LockBit operations: the original infrastructure was taken down earlier this year in a joint law-enforcement action led by the UK's National Crime Agency and the US Federal Bureau of Investigation (FBI) with partners from ten countries. Dmitry Yuryevich Khoroshev, a Russian national also known by the alias 'LockBitSupp', was subsequently identified as the administrator of LockBit.

Alleged Federal Reserve Cyberattack

The LockBit group has demanded that the Federal Reserve replace its current negotiator, complaining that the negotiator valued the stolen data at only $50,000. The group has imposed a 48-hour deadline for compliance, warning that the data will be leaked if its conditions are not met.

The stolen information reportedly includes sensitive banking details of U.S. citizens. If confirmed, this attack could be one of the most serious in financial history, endangering personal privacy and national security, writes Pietro Melillo on his blog.

The Federal Reserve is central to the U.S. financial system: it sets monetary policy, regulates banks, and is charged with maintaining financial stability, operating through twelve regional banks in major cities such as New York, Chicago, and San Francisco. If the claim is genuine, a breach of this magnitude would expose serious weaknesses in critical infrastructure.

So far, the Federal Reserve has neither confirmed the suspected breach nor disclosed how it intends to respond. Federal agencies including CISA and the FBI are presumably involved in the investigation, and steps to reassure the public and maintain trust in the financial system can be expected.

Earlier in June, the FBI reported that it had obtained over 7,000 decryption keys from the LockBit operation, which can help victims recover their encrypted data. Bryan Vorndran, Assistant Director of the FBI Cyber Division, has encouraged affected entities to come forward and use these keys to reclaim their data.

Parallel Attack on Indonesia's National Data Center

The Indonesian government confirmed today that a cyberattack employing LockBit 3.0 caused significant data disruptions at two temporary National Data Center facilities last week. The incident led to severe immigration processing delays at airports and interruptions to other public services. The attackers have demanded a ransom of $8 million. Budi Arie Setiadi, the Minister of Communication and Informatics, has stated that the government will neither pay the ransom nor comply with the attackers' demands.

Over the weekend, several services were restored, including those provided by the Directorate General of Immigration: visa and residence permit services, immigration checkpoint services (TPI), passport services, Visa on Arrival (VoA), Visa on Boarding (VoB), and immigration document management services.

LockBit 3.0 Ransomware Details

The US Cybersecurity and Infrastructure Security Agency (CISA) outlined in March 2023 how LockBit 3.0 ransomware operates under a Ransomware-as-a-Service (RaaS) model, continuing the lineage of its predecessors, LockBit 2.0 and the original LockBit.

Since January 2020, LockBit has operated as an affiliate-based ransomware, with affiliates employing a variety of tactics, techniques, and procedures (TTPs) to target a broad spectrum of businesses and critical infrastructure entities, posing significant challenges to effective computer network defense and mitigation efforts.

LockBit 3.0, also known as "LockBit Black," is a more modular and evasive version of the ransomware than its previous iterations, and shares similarities with BlackMatter and BlackCat ransomware. When the LockBit 3.0 executable is launched in a victim's environment, it accepts command-line arguments that modify its behavior; the CISA advisory lists, for example, arguments that control lateral movement and rebooting into Safe Mode (the full set of LockBit command-line parameters is given in the advisory's Indicators of Compromise section).

Unless an affiliate has been given a build without password protection, a password argument must be supplied when the ransomware is executed. An affiliate who fails to enter the correct password cannot run the ransomware at all.

The password serves as the cryptographic key that decrypts the LockBit 3.0 executable. Protecting the code this way hinders both detection and analysis: in its encrypted form the code can be neither executed nor read.

Signature-based detection may therefore fail to recognise the LockBit 3.0 executable, because the encrypted portion of the file differs depending on the key used to encrypt it. When the correct password is supplied, LockBit 3.0 decrypts its main component, continues decrypting or decompressing the remaining code, and then executes the ransomware.
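To make the evasion mechanism concrete, the following is an added toy illustration, not LockBit code and not a reconstruction of its actual packing scheme. A payload body containing a fixed byte pattern is encrypted under a key derived from a command-line password; the same static signature check that matches the plaintext fails on every encrypted copy, and every repackaging (fresh salt and nonce) yields different bytes, so no single byte signature covers the family. The HMAC tag models the "wrong password, nothing runs" behaviour described above. The hash-counter stream cipher, the payload bytes and the password are all constructed for this example.

```python
import hashlib
import hmac
import math
import os
from collections import Counter

# Constructed stand-in for an unpacked ransomware body. The marker string plays
# the role of the byte pattern a static (signature-based) scanner would match.
SIGNATURE = b"SIGNATURE:TOY-STUB-DO-NOT-MATCH"
PLAIN_PAYLOAD = (
    b"MZ\x90\x00"                      # fake PE-style header bytes
    + b"\x00" * 512                    # padding, as in a real image
    + SIGNATURE
    + b"mov eax, 1; ret\n" * 64        # repetitive "code", low entropy
)

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn the command-line password into a 256-bit key (PBKDF2, stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy hash-counter keystream; illustrative only, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, password: str) -> bytes:
    """Encrypt the payload under the password: salt || nonce || tag || ciphertext.
    A fresh salt and nonce mean every packing of the same payload differs."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return salt + nonce + tag + ciphertext


def unpack(blob: bytes, password: str):
    """What a loader stub does at run time: wrong password -> None (nothing runs),
    correct password -> the decrypted main component."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    key = derive_key(password, salt)
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def signature_hits(data: bytes) -> bool:
    """The static check: does the known byte pattern appear in the file?"""
    return SIGNATURE in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted sections sit near 8.0, plain code well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    blob_a = pack(PLAIN_PAYLOAD, "correct horse")
    blob_b = pack(PLAIN_PAYLOAD, "correct horse")
    print("signature in plaintext:", signature_hits(PLAIN_PAYLOAD))       # True
    print("signature in packed:   ", signature_hits(blob_a))              # False
    print("two packings identical:", blob_a == blob_b)                    # False
    print("wrong password runs:   ", unpack(blob_a, "guess") is not None)  # False
    print("right password restores payload:", unpack(blob_a, "correct horse") == PLAIN_PAYLOAD)
    print(f"entropy plain={shannon_entropy(PLAIN_PAYLOAD):.2f} packed={shannon_entropy(blob_a):.2f}")
```

The entropy function at the end is the defender's counter-move: a section that is dense, near-8.0-bits-per-byte data with no recoverable strings is itself a hunting signal, and behavioural or memory-based detection that triggers after the stub has decrypted its payload is unaffected by the packing.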

Ransomware Payment Rate Hits Record Low in 2024

The first quarter of 2024 has witnessed a significant shift in the ransomware payment landscape, with only 28% of affected companies choosing to meet the extortion demands of cybercriminals, marking a record low. This represents a slight decrease from the 29% recorded in the final quarter of 2023.

Despite the falling payment rate, the financial stakes have never been higher. A recent Chainalysis report puts the total paid to ransomware actors last year at $1.1 billion. The apparent paradox is explained by ransomware gangs intensifying their attacks, targeting a broader range of organizations, and demanding larger ransoms both for decryption keys and for the non-disclosure of stolen data.

Last Updated on November 7, 2024 3:48 pm CET

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
