LockBit Attack Targets Evolve Bank, Not Federal Reserve

Evolve Bank, a financial institution headquartered in Arkansas, was the victim of an attack by the LockBit ransomware group which resulted in a data leak onto the Dark Web this week.

LockBit had drawn attention to itself earlier this week after claiming to have hacked the US Federal Reserve.

The announcement was seen by some within the IT security community as a bold — some used the word "desperate"­ — comeback attempt following the recent, high-profile law enforcement takedown of the ransomware giant. 

After publishing a post on its data leak site threatening to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, LockBit then released some of the data, which was actually stolen from Evolve.

"It appears these bad actors have released illegally obtained data, including personal identification information (PII), on the Dark Web," according to an Evolve statement. "The data varies by individual, but may include your name, Social Security number, date of birth, account information and/or other personal information."

The statement noted the company had contacted law enforcement authorities as part of the bank's investigation and response efforts.

"Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," the statement said.

The company added that retail banking customers’ debit cards, online, and digital banking credentials did not seem to be affected by the breach.

"Those credentials appear to be secure," a statement said.

Evolve Already Target of Fed Action

Earlier this month, the Federal Reserve Board issued an enforcement action against Evolve Bancorp and Evolve Bank & Trust, accusing the company of deficiencies in their anti-money laundering, risk management, and consumer compliance programs.

"Examinations conducted in 2023 found Evolve did not maintain an effective risk-management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers," the Fed statement read.

Stephen Gates, principal security SME for Horizon3.ai, said in an emailed statement that once an organization experiences a breach, and the smoke begins to clear, the biggest decision is what to do next.

"Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden," he said.

That means that teams must find the attack path that allowed the breach to happen, and they need to uncover other attack paths that could enable it to happen again.

"Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer," Gates said.

Financial Sector Defenses Must Evolve

Piyush Pandey, CEO at Pathlock, says the recent enforcement action against Evolve Bancorp underscores the critical importance of robust sensitive data and application access controls within financial institutions.

"As traditional banking continues to intersect with innovative fintech solutions, maintaining stringent identity and access controls is a must," he says.

He also points out that the interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access.

"Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, yet challenging," Pandey explains.

He adds that by focusing on rigorous controls testing and enforcement, including stringent management of third-party identities and access, financial institutions can significantly strengthen their security posture, protect sensitive data, and ensure compliance with regulatory requirements.

"This proactive approach not only safeguards customer data — and trust — but also enhances the institution's overall resilience against these types of attacks," Pandey says.

Narayana Pappu, CEO at Zendata, notes that financial and medical institutions store significant amount highly sensitive data with significant monetary impact for exposed organizations.

"Therefore, it makes sense that organizations like LockBit are going after this information," he says.

From his perspective, data minimization — not capturing or storing data that is not needed — would help these institutions significantly.

"The trend to date has been to capture, store and make multiple copies of information that is not really needed to run the business," Pappu says. "Just 5% of data collected is properly labeled and governed, for example."