Evolve data breach dispels LockBit's Federal Reserve ransom leak

Evolve Bank & Trust admits to a data breach after sensitive information was leaked online by the notorious LockBit criminal group – putting a wrench in the gang’s earlier claims that the data was stolen from the US Federal Reserve.

The commercial bank and mortgage lender first disclosed the “cybersecurity incident” on its website Wednesday.

“Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users),” the bank stated.

Evolve also informed its customers that the “illegally obtained data” may include personally identifiable information (PII) such as name, Social Security Number, date of birth, account information, and/or other personal information.

Image: Evolve Bank & Trust breach notice

The independent consumer Banking-as-a-Service and mortgage lender serves individuals and small businesses in at least 17 states across the nation and is known for its open banking partnerships with fintech platforms such as Mastercard, Visa, Affirm, Melio, Stripe, and Airwallex.

After bringing in outside cybersecurity experts to investigate, Evolve stated that its “retail banking customers’ debit cards, online, and digital banking credentials do not appear to be impacted by the incident.”

LockBit bluff or blunder?

Evolve inadvertently became the center of attention on Wednesday after the Russian-affiliated LockBit ransomware group published over 2.4 terabytes of information and 21 data links on its dark blog, all files clearly labeled with the bank’s name.

Despite the labeling, the gang seemingly tried to pass off the data as stolen from the US government’s central bank, the Federal Reserve, which it had posted as its latest victim on its dark leak blog over the weekend.

“As it turns out, it was in fact Evolve Bank & Trust who was the victim of LockBit, and not the Federal Reserve. This was verified once the information was posted and the data was analyzed,” said Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.

LockBit had claimed to have exfiltrated 33 terabytes of information from the Federal Reserve, and as of Thursday, Evolve Bank & Trust had not been listed on LockBit’s victim blog.

Image: LockBit leak site. Image by Cybernews.

What's next for LockBit?

Social media lit up with doubts about LockBit’s claim, and now that Evolve has admitted to a systems breach, it's clear the gang was either bluffing for notoriety or didn’t realize they had posted the wrong data until it was too late.

Furthermore, earlier this month the Federal Reserve had filed an enforcement action against the fast-growing Memphis, Tennessee-based bank for unsafe and unsound banking practices.

The Fed’s press release about the Evolve bank charges was included in LockBit’s purported leak cache, adding to the confusion.

"Evolve Bank & Trust is investigating a cybersecurity event," the company posted on its X profile along with a link to its website alert on Wednesday.

Whether the gang “deliberately lied/bluffed about attacking the Federal Reserve, or if that was a mistake on their side,” Costis said it was “concerning” that a bank had fallen victim to LockBit this time around.

As for the 33 TB of data the gang claimed to have successfully exfiltrated from the bank, Costis added that it “remains uncertain whether there is more to come from LockBit.”

In light of the attack, Costis says that financial organizations should “prioritize proactive defense, with a strong focus on threat detection and response.”

“By utilizing LockBit’s common tactics, techniques, and procedures (TTPs), organizations can test their systems’ response to identify and address any vulnerabilities before they can be exploited,” he said.

According to the Cybernews ransomware monitoring tool, Ransomlooker, LockBit was responsible for nearly 50% of all publicly acknowledged victims since 2022, and carried out an estimated 1400 known attacks in the past year.

Having received millions in Bitcoin ransom payouts from its victims, LockBit shows no sign of slowing down, even after having its infrastructure raided by US and international law enforcement this February.

The ransomware cartel is responsible for attacks on major companies such as The Boeing Company and Allen & Overy, as well as the mass 2023 exploitation of the Citrix Bleed zero-day vulnerability.