Chinese lending giant ICBC's US subsidiary suffered a LockBit ransomware attack

The Industrial and Commercial Bank of China Financial Services suffered a significant ransomware attack that disrupted several services and forced it to take financial services systems offline to mitigate the damage.

A subsidiary of China’s state-owned commercial bank and the country’s largest lender ICBC, the Industrial and Commercial Bank of China Financial Services (ICBS) operates in the US with its headquarter in New York.

The financial services company announced that on November 8, it suffered a ransomware attack that “resulted in disruption to certain FS systems.” Immediately after identifying the cyber security incident, the company took its financial services systems offline to contain the incident.

 

The company has launched an internal investigation to understand the scope of the ransomware attack and is in the process of recovering corporate systems that were affected by the ransomware attack.

“ISBC FS has also reported this incident to law enforcement. We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09),” the company said in a statement.

The financial services organisation added that “ICBC FS’s business and email systems operate independently of the Industrial and Commercial Bank of China group. The systems of the ICBC Head Office and other domestic and overseas affiliated institutions were not affected by this incident, nor was the ICBC New York branch.”

Wang Wenbin, a spokesperson for China’s Ministry of Foreign Affairs, said businesses remained normal at ICBC head office and other branches and subsidiaries across the globe. “ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” he said.

According to malware research firm vx-underground, the notorious LockBit ransomware group has claimed responsibility for the ransomware attack on ICBC and listed the financial organisation as a victim on its data leak site. While details of whether any data was exfiltrated from the company are scarce, vx-underground later stated that ICBC FS has paid the ransom demanded by the group. The authenticity of the claim is yet to be verified.

 

Commenting on the news, Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, said, “Incidents like this, where there’s "real" money involved, often don’t work out long-term for the ransomware gang involved. The authorities not only get involved, but there’s big pressure for people to be arrested and the gang shutdown. I’m surprised the ransomware gang went ahead with the exploitation. Perhaps they didn’t realize what they had and what they would be interrupting.

“The Chinese certainly have their own great hackers they can use as an offensive resource and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases.”