LockBit holds its word, publishes US Federal Reserve alleged data


On Tuesday, the LockBit ransomware gang published a massive cache of files allegedly stolen from the US Federal Reserve central banking system after an apparent negotiation breakdown.

The Russian-affiliated gang posted 21 separate links, containing files of what appears to be parent directories, torrents, and compressed archive files belonging to another US financial institution, Evolve Bank and Trust.

The bank and its parent company, Evolve Bancorp Inc., were singled out recently by the Feds for engaging in unsafe and unsound banking practices.

LockBit had named the Federal Reserve on its dark victim blog over the weekend, threatening to publish the purported stolen data on June 25th if a ransom demand was not paid by the deadline.

LockBit Federal Reserve published 1
LockBit leak site. Image by Cybernews.

Claiming to have lifted “33 terabytes of juicy banking information containing Americans' banking secrets,” the group also insinuated that negotiations had broken down over an unacceptable ransom offer by the US central bank.

“You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans' bank secrecy at $50,000,” LockBit posted on its dark blog.

Cybernews reached out to the US Federal Reserve Board of Governors on Monday about LockBit’s claims, but the spokesperson did not comment. We reached out to the spokesperson again on Tuesday.

LockBit Federal Reserve published 2
LockBit leak site. Image by Cybernews.

Meantime, Evolve Bank and Trust had been served a cease-and-desist order by the Federal Reserve Board this month, citing multiple “deficiencies” in the bank's anti-money laundering, risk management, and consumer compliance programs.

Headquartered in Memphis, Tennessee, the independent consumer Banking-as-a-Service and mortgage lender serves individuals and small businesses in at least 17 states across the nation, listing assets of $1.3 billion in 2022, according to its website.

Evolve is also known for its open banking partnerships with Fintech platforms such as Mastercard, Visa, Affirm, Melio, Stripe, and Airwallex.

LockBit was kind enough to attach a Federal Reserve June 14th press release about the Evolve enforcement action as part of the 'stolen' collection.

Josh Jacobson, Director of Professional Services at HackerOne says the threats made by LockBit speak to the fact that “even our most integral governmental entities are not infallible to ransomware attacks.”

“If the Federal Reserve is impacted, that could have global implications. This is not a siloed infrastructure where a finite number of customers are impacted. The potential for residual impact definitely factors in, as well as long-term reputation and trust,” he said.

The Cybernews team, which has not had time to verify the stolen data, will continue to provide updates on this developing story.

Is LockBit bluffing?

The group’s claim was dismissed by many security insiders on Monday, considered instead to be more likely a bluff directed at US law enforcement for its methodical and at times successful targeting of the gang over the past six months.

Jacobson noted that LockBit’s threats often lean toward “impact and urgency,” heightening a victim’s “fight or flight mentality.” Its a common tactic that tends to work in the favor of ransomware groups, Jacobson said.

A victim thinks “Goodness, this is bad, and I have to do something now, and I am under a lot of pressure” he explained, adding that “the uncertainty further exacerbates the event.”

LockBit Federal Reserve published 3
LockBit leak site. Image by Cybernews.

“At this stage we sense that LockBit's announcement might be a hoax,” agreed Aviral Verma, Lead Security Analyst at the cybersecurity firm Securin.

Verma pointed out that until Tuesday, the group had not published any samples of stolen data – against their usual modus operandi.

“This won't be the first time the group has made false claims, the group had even claimed the FBI as one of its victims out of frustration,” Verma said, referring to February’s temporary takedown of the group, dubbed Operation Cronos.

“There's suspicion that the Federal Reserve claim might just be attention seeking, or even a ploy to regain notoriety among potential affiliates,” Verma said.

LockBit behind 48% attacks in 2023

The cybercriminal gang has been successfully evading law enforcement since its inception in late 2019.

Operating as a Ransomware-as-a-Service (RaaS) model, the LockBit cartel is said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.

Still, the gang suffered a major setback this spring when the international Operation Cronos, led by the FBI and Interpol, infiltrated the gang’s network infrastructure, taunting the gang with a seizure notice splashed across the LockBit leak site’s home page.

Yet even after the FBI publicly outed its Russian ringleader LockbitSupp, with his picture and other personal information, including the car he drives, LockBit was business as usual, creating a new leak site and targeting multiple US hospitals within days.

LockBit takedown
Image by Reuters.

The threat actors notorious ransomware variant LockBit 3.0 – also known as LockBit Black – is now in its third iteration and is considered the most evasive version of all previous strains, a US Department of Justice report said.

Major attacks over the past 12 months include The Boeing Company, Allen & Overy, and the mass 2023 exploit of the Citrix bug zero-day vulnerability. More recently the group boasted of attacks on Deutsche Telekom and Cannes Hospital in France.

According to the Cybernews ransomware monitoring tool, Ransomlooker, LockBit was responsible for nearly 50% of all publicly acknowledged victims since 2022, receiving millions in Bitcoin ransom payouts.

Earlier this month, the FBI revealed it had recovered 7,000 decryption keys, expected to help victims recover their stolen data.