Evolve Bank has disclosed a ransomware attack from infamous ransomware gang, LockBit, where the bad actors stole customer information and began encrypting company data. The data stolen included names, social security numbers, bank account numbers, contact information, and employee information.
LockBit is a cybercriminal group proposing ransomware as a service (RaaS). This enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim’s data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.
The breach happened on February 9 but was not discovered until May 29. Initially Evolve Bank thought it was a hardware issue but soon discovered it was malicious activity caused by an employee accidentally clicking on a malicious link.
In response to this incident, Evolve Bank has stated they will further strengthen their security response protocols, policies and procedures, and their ability to detect and respond to suspected incidents.
Weighing up the implications of this major cybersecurity incident impacting on the finance sector is Tim Eades, co-founder and CEO at Anetac.
Eades explains to Digital Journal why this incident is significant not only for customers but for the financial industry overall.
Eades puts the cyber-incident into context: “Despite recent crackdowns, the surge of ransomware attacks continues unabated in 2024. Oftentimes, these threat actors will “live within an organization’s environment to prep and successfully exfiltrate and encrypt sensitive data.”
Moving on to the most recent case – with Evolve Bank – Eades explains what has taken place: “In the recent Evolve Bank attack, it took around 45 days before the encryption event happened. During this time, threat actors reset the password of a service account, escalated privileges for that domain administrator, created multiple local admin accounts, disabled and implemented tools, and committed other acts of mayhem leading to the main, catastrophic event.”
It is always important to learn from these types of incidents and to built firmer foundations for the future. Eades recommends: “Organizations need a modern identity vulnerability and security solution that monitors all access points in real-time, including service accounts, APIs, tokens, access keys, and user accounts.”
Eades further advises: “Then, understanding the chains of access throughout these complex systems can help ensure that the least privileges are enforced. Add ongoing identity behavior analysis to detect and alert unusual activity so organizations can better defend against the evolving ransomware threat and protect their critical data from future attacks.”