Evolve Hit

On 26 June, Evolve Bank and Trust, a financial institution that’s popular with fintech startups, announced that it had been the victim of a cyberattack and data breach that could have affected its partner companies as well.  The incident, according to the company’s statement, involved “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.”

Evolve’s communications chief Thomas Holmes said that the incident involves “a known cybercriminal organization.  It appears these bad actors have released illegally obtained data, on the dark web,” said Holmes, declining to comment further.  The cybercriminals responsible for the breach appear to be the notorious ransomware gang LockBit, which posted data allegedly stolen from Evolve on its dark web leak site.

Evolve lists a series of companies on its site as partners that rely on the banking giant to offer some of their financial and lending services.  To understand the impact of the Evolve breach on these companies, TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay, and Visa.  None of the companies, except for Affirm, EarnIn, and Melio, responded to the request for comment.[1]

The recently disrupted LockBit ransomware group, in a desperate attempt to make a comeback, claimed this week that it had hit the US Federal Reserve, the central bank of the United States.  The tall claim was followed up with LockBit stating it had stolen 33 terabytes of sensitive banking information belonging to Americans and that negotiations were ongoing.  Except, the rumor has been quashed.  It turns out that the threat actor hit an individual bank, not the Fed.

Bold claims - On Sunday 23 June, the LockBit ransomware gang announced that it had breached the Federal Reserve (aka The Fed), the most powerful economic institution in the United States.  "33 terabytes of juicy banking information containing Americans' banking secrets," claimed LockBit on its leak site, alluding to the group having breached the Fed's systems and stolen sensitive data.

The ransomware operator further suggested that negotiations were ongoing and that a "clinical idiot" offered them $50,000 to not leak the data.[2] "You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans' bank secrecy at $50,000."

[Image: LockBit claims it attacked the Fed, leaks data (Hackmanac)]

Eventually, the group began publishing the stolen data on its site.  Some media outlets reported on the allegation without obtaining a statement from the Federal Reserve or verifying if the organization was even attacked as LockBit claims.

It turns out that it's not the Fed but an individual US financial institution that the threat actors have targeted in this attack.  "They have apparently breached the American bank Evolve Bank & Trust," cyber threat monitoring company HackManac posted in an update on social media.  "For now, there is still no trace of 'secret' files, but the analysis is ongoing."

Media reached out to Evolve Bank & Trust with questions related to the attack, and the financial institution has confirmed that threat actors have "illegally" obtained data from its systems.  "Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization. It appears these bad actors have released illegally obtained data, on the dark web," an Evolve spokesperson said.  "We take this matter extremely seriously and are working tirelessly to address the situation.  Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts.  This incident has been contained, and there is no ongoing threat.  In response to this event, we will offer all impacted customers (end users) complimentary credit monitoring with identity theft protection services. Those affected will be contacted directly with instructions on how to enroll in these protective measures.  Additionally, impacted customers will receive new account numbers if warranted.  Updates and further information will be posted on our website as they become available."

Journalists asked Evolve if it knew exactly when the threat actors had stolen this data, and how the bank's systems were breached.  "No further comments will be made during investigation," Evolve further responded to BleepingComputer.

Of note: the US Federal Reserve had recently penalized Evolve Bank & Trust over multiple "deficiencies" identified in how the bank conducted risk management, anti-money laundering (AML), and compliance practices.  Examinations conducted in 2023 found that the bank had "engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships."  As a result, the Fed demanded that Evolve halt some of its activities until the bank improves its risk management policies and complies with AML laws and regulations.

"A desperate bid for relevance" - Reacting to the ransomware operator's baseless claims, the X account AzAl Security described this as LockBit's "desperate bid for relevance."

Previously notorious for executing ransomware attacks on high-profile targets like Boeing, the Continental automotive giant, the Italian Internal Revenue Service, Bank of America, the UK Royal Mail, and most recently London Drugs, the cybercrime group found itself in hot water this year.

In February, law enforcement took down LockBit's infrastructure in an action known as Operation Cronos and seized 34 servers containing over 2,500 decryption keys, which helped create a free LockBit 3.0 Black ransomware decryptor.  Having thrived through its peak, LockBit seems to have entered tough times, compelling it to resort to misleading claims to stay relevant.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Our services can help detect cyber threats and vulnerabilities.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://techcrunch.com/2024/06/27/startups-scramble-to-assess-fallout-from-evolve-bank-data-breach/

[2] https://www.bleepingcomputer.com/news/security/lockbit-lied-stolen-data-is-from-a-bank-not-us-federal-reserve/
