Analyzing the ICBC Cyberattack – New Chapters in Ransomware


The world’s largest lender by assets, the Industrial and Commercial Bank of China (ICBC), suffered a ransomware attack that disrupted trading within the $26 Billion treasury market. During the attack, ICBC could not access its own systems, forcing the bank to inject capital into its U.S. division so it could settle trades and repay debts owed to clients and partners.

With ICBC’s systems compromised, reports emerged that staff at various branches were reduced to carrying trade data on USB drives, while clients were asked to reroute deals through other banks and partners. The outage also took down ICBC’s corporate email, forcing employees to fall back on Gmail. The bank was left owing BNY Mellon a balance of $9 billion, an amount greater than the net capital of ICBC’s U.S. arm.

Weeks after the attack, ICBC’s Treasury trades were still being carried out through other firms, which asked not to be identified given the sensitivity of the matter. Beyond the direct damage and the international disruption to financial infrastructure, the incident sharply increased scrutiny of whether U.S.-based banks and securities firms should keep trading with the affected institution. It also placed U.S. officials in the unfamiliar position of managing a fast-moving situation involving a foreign business and the cybersecurity of a key market participant.

Bad Actors Empowered by the Ransomware Economy

From the dark web to Wall Street, the attack that obstructed trade and shook confidence among capital investors was carried out by one of the most prolific ransomware operators, known as LockBit. In the months leading up to the event, the group had stolen and leaked sensitive data from companies that refused to pay its demands. In the ICBC case, the group claims the ransom was paid within days of the disruption. The stated justification for giving in was ICBC’s need to restore its partners’ confidence, since the attack was bound to draw further questioning from regulators in several countries.

ThriveDX Cybersecurity Instructor Nassar Fattah explains, “Wherever there is an exploitable vulnerability to make money, cybercriminals are on the prowl, indifferent to company industry or size. Ransomware is disruptive by design, depending on network configuration and boundaries.”

What happened at ICBC followed a series of attacks by LockBit alone in 2023. Earlier in the year, the Russian-based ransomware group halted international mail shipments from the UK’s Royal Mail, paralyzed global derivatives trading at a British fintech firm, and slowed Boeing’s parts and distribution business. The group, which claims to be based in the Netherlands and to be entirely apolitical, operates through a network of affiliates, any of which can go rogue and target critical infrastructure such as healthcare providers, where damage to files can cause serious personal harm and even death. That is what happened in January 2023, when SickKids, a Canadian children’s hospital, had its data stolen and held hostage by a LockBit affiliate. LockBit intervened by providing free decryption tools to undo the attack and posted a public apology announcing that the affiliate had been expelled from its program.

LockBit gains initial access through a variety of methods: purchasing compromised credentials from affiliates, phishing emails with malicious links and attachments, exploiting vulnerabilities in VPN appliances, and the old-school practice of brute-forcing weak system passwords. Once inside, the ransomware runs command-line actions and other scripts to disable security products and evade defenses. The newest version of LockBit’s tooling can also tamper with data recovery features and abuse Windows’ built-in tools. The logic of these attacks is simple: disrupt systems, restrict access, and extort the victim.

On June 14, 2023, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory about LockBit and the significance of its ransomware methods, calling on the agencies of six other nations to cooperate in proactively improving their protections against ransomware operations.

(Infographic: Timeline of LockBit RaaS attacks)

ThriveDX Cybersecurity Instructor Mikini Williams explains, “Amidst the ICBC Cyberattack and the rising trend of ransomware payments, it is evident that banks and big companies are facing a critical dilemma. The impact on the industry cannot be underestimated, as it not only compromises the security and trust of customers but also perpetuates a cycle of cyber threats. It is high time for the industry to unite, invest in robust cybersecurity measures, and collaborate to find innovative solutions that can effectively combat these attacks, safeguarding the integrity of our financial systems.”

According to the FBI, there have been 1,700 LockBit attacks in the United States since 2020. From April 2022 to March 2023, LockBit accounted for 18% of all reported ransomware incidents in the United States, and in 2022 it was responsible for 22% of ransomware cases in Canada. Since LockBit activity was first observed in January 2020, U.S. businesses have paid the group a total of $91 million.

Outlook and Cybersecurity in Foreign Markets

According to Google Cloud’s Cybersecurity Forecast for 2024, ransomware actors are expected to have their methods amplified by generative AI, zero-day exploitation, and an increase in the quality and credibility of phishing lures. The same methods are expected to be employed by nation-state actors, especially in disputed territories involving world powers such as China and Russia.

“While paying the ransom may seem like a quick solution to keep operations running, it sets a dangerous precedent that only fuels the growth of cybercriminals.”

According to the forecast, extortion operations “remain likely the most impactful form of cybercrime to enterprises and societies worldwide. Despite a stagnation in growth during 2022, advertisements for stolen data and extortion revenue estimates indicate that this threat is growing in 2023, this growth will continue in 2024 without a significant, market-wide disruption.”

(Infographic: How ransomware attacks begin)

Combined with generative AI and large language models, phishing lures delivered via email, SMS, and other communication channels will become easier to create, localize, proofread, customize, and send to unsuspecting recipients. Fortunately, Google also predicts more defensive software that leverages generative AI and LLMs this year, so that phishing attempts can be flagged more easily. This matters all the more given that ChatGPT has helped spark a 1265% rise in phishing emails.

“Such measures as network segmentation, security awareness, current incident response plan, clean backups, and a tested business continuity & disaster recovery combat ransomware.”

CISA recommends a series of mitigations to protect organizations from the looming threat of ransomware. For the initial access stage, follow least-privilege best practices and implement time-based access for accounts at the administrator level or higher. Employee phishing training and multi-factor authentication on every platform that supports it also reduce the chance that a phishing attempt succeeds in the first place. For later stages of an attack, enable PowerShell logging and configure the Windows registry so that changes require administrative privileges. When a phishing attempt is detected, have software in place that logs these instances so the causes and actors can be investigated further. Finally, VPNs should not be treated as trusted networks; organizations should move toward zero-trust architectures.
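The article notes that LockBit runs command-line actions to disable security products and recommends enabling PowerShell logging as a mitigation. The following added example (not code from the article, CISA, or any vendor) shows what a defender does with those logs once they exist: it scans constructed entries in the shape of Windows Event 4104 script-block records for defense-tampering indicators. The event shapes, host names, users and detection patterns are all illustrative assumptions, not LockBit signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample entries modelled on Windows Event ID 4104 (script block logging).
# Two are benign administration; two show the kind of defense tampering the article describes.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-0012", "user": "CORP\\jdoe",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"id": 4104, "host": "WS-0012", "user": "CORP\\jdoe",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "host": "SRV-FIN-03", "user": "CORP\\svc_backup",
     "script": "Stop-Service -Name WinDefend -Force; Set-Service WinDefend -StartupType Disabled"},
    {"id": 4104, "host": "SRV-FIN-03", "user": "CORP\\svc_backup",
     "script": "Get-Service -Name WinDefend"},
]

# Illustrative rules: (name, compiled pattern, severity). Real deployments would use a
# maintained rule set and tune against their own baseline of administrative activity.
RULES = [
    ("defender-feature-disabled", re.compile(r"Set-MpPreference\s+.*-Disable\w+\s+\$true", re.I), "high"),
    ("security-service-stopped", re.compile(r"(Stop-Service|Set-Service)\s+.*WinDefend", re.I), "high"),
    ("encoded-script-block", re.compile(r"-EncodedCommand|FromBase64String", re.I), "medium"),
]


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    user: str


def scan(events):
    """Return one Finding per (event, rule) match; only script-block events are inspected."""
    findings = []
    for ev in events:
        if ev.get("id") != 4104:
            continue  # skip events that are not script-block records
        for name, pattern, severity in RULES:
            if pattern.search(ev["script"]):
                findings.append(Finding(name, severity, ev["host"], ev["user"]))
    return findings


def summarize(findings):
    """Group rule names per host so an analyst sees which machines to triage first."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, []).append(f.rule)
    return per_host
```

Without script-block logging enabled, none of these entries exist, which is why the logging recommendation comes before the detection logic.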

For more information about other costly cyberattacks from earlier in 2023, you can read our analysis of the MGM Cyberattack and The Clorox Company.
