Hunters International Hits ICBC and Exfiltrates 6.6TB of Sensitive Data

Date: September 16, 2024


The London branch of the Industrial and Commercial Bank of China (ICBC) recently became the target of a ransomware attack, leading to the compromise of sensitive data. The bank was given until September 13 to meet the ransom demands; if it failed to comply, the attackers threatened to publish the stolen information.

The cyberattack was orchestrated by a group known as Hunters International, who claim to have stolen 5.2 million files, totaling 6.6 terabytes of sensitive data, The Register reports.

ICBC, the world's largest bank by total assets, is a state-owned financial giant in China, offering a wide range of services including corporate banking, personal banking, wealth management, and investment banking.

With a vast international footprint, the bank plays a crucial role in financing major infrastructure projects both within China and across the globe. ICBC has not issued any official statements concerning the attack and has not responded to requests for comment.

While Hunters International is a relatively new name in the ransomware world, cybersecurity experts speculate that it could be a rebranded version of Hive, a notorious ransomware group whose infrastructure the FBI infiltrated in July 2022 and seized in January 2023.

In November 2023, a ransomware attack on ICBC reportedly disrupted the US Treasury market.

“The Securities Industry and Financial Markets Association told members on Thursday that ICBC, China’s largest bank, had been hit by ransomware software, which paralyses computer systems unless a payment is made, according to several people familiar with the discussions. The attack prevented ICBC from settling Treasury trades on behalf of other market participants, according to traders and banks.” FT reported.  

Takeaway: Ransomware attacks targeting entities like the Industrial and Commercial Bank of China (ICBC) have the potential to send shockwaves through global financial markets. US Treasuries and other key investment instruments, central to the global banking system, could be directly or indirectly affected by such attacks, amplifying the potential risks.

Critical infrastructure sectors, including finance, healthcare, manufacturing, and energy, are frequent targets for ransomware groups. The reason is clear: the immense pressure on these sectors to restore operations quickly makes them more likely to pay ransom demands in order to avoid prolonged disruptions.  

What was once viewed as a nuisance with minimal business impact has now evolved into a significant threat, especially for organizations critical to global infrastructure. Ransomware has transformed into a multi-billion-dollar criminal enterprise, with demands soaring into the tens of millions.  

This rise reflects the growing sophistication and ambition of ransomware attackers, many of whom now operate through ransomware-as-a-service (RaaS) platforms. These platforms provide automated tools and custom-built software that exploit system vulnerabilities, enabling faster data exfiltration and lowering the technical barriers for launching attacks.  

RaaS platforms significantly reduce the technical barriers to carrying out ransomware attacks, which means there are far more attacks to contend with, launched by far more actors, and the scope for disruption has grown accordingly.

Adding to the complexity, ransomware groups have expanded their reach by developing variants specifically designed to target Linux systems. This is especially alarming because Linux powers approximately 80% of the world's web servers, most smartphones (via Android), supercomputers, and a vast array of embedded and IoT devices used in manufacturing.

Additionally, Linux is the preferred platform for large-scale network applications, data centers, and many critical operations within the U.S. government, military networks, financial systems, and the internet itself.

The "always-on" nature of Linux systems makes them particularly appealing to attackers, who use them as strategic beachheads for lateral movement through a network and as staging points for exfiltrating large volumes of data.

In enterprise environments, Linux servers are increasingly targeted because they store and process sensitive, high-value data. The financial and operational fallout from a successful attack on these servers is often far greater than attacks on other systems, making them prime targets for threat actors.

Despite Linux’s critical role, its security is often given less attention compared to Windows environments. While Windows systems benefit from a more mature ecosystem of anti-ransomware protections, Linux environments tend to lag behind.  

When ransomware does strike Linux, attackers frequently exploit weaknesses that are common on the platform, such as permissive SSH configurations, unnecessarily exposed services, and outdated software. These weaknesses allow cybercriminals to move laterally within a network, exfiltrate data, or encrypt files, all while remaining undetected.
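The SSH weaknesses just described are easy to audit mechanically. The Python below is an added example for this article, not Halcyon's, ICBC's or OpenSSH's code: it parses the global section of an sshd_config the way sshd does (first value for a keyword wins; anything after a Match line is conditional) and flags the settings that most often hand an intruder a foothold, including dangerous defaults left in place by an absent directive. The hardening baseline in POLICY, the MaxAuthTries limit, and the two sample configurations are assumptions constructed for illustration.

```python
"""Audit the global section of an OpenSSH sshd_config for the weak settings
that give intruders an easy foothold on Linux hosts.

Added example for this article; it is not Halcyon's, ICBC's or OpenSSH's code.
The hardening baseline in POLICY is an assumption chosen for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    keyword: str
    value: str
    source: str   # "line N" or "default (directive absent)"
    why: str


# keyword -> (OpenSSH default when the directive is absent, acceptable values, why it matters)
# sshd treats keywords case-insensitively; they are stored lowercased here.
POLICY = {
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"},
                        "root can authenticate with a password"),
    "passwordauthentication": ("yes", {"no"},
                               "password logins invite brute force and credential stuffing"),
    "permitemptypasswords": ("no", {"no"},
                             "accounts with empty passwords can log in"),
    "pubkeyauthentication": ("yes", {"yes"},
                             "key-based authentication is disabled"),
    "x11forwarding": ("no", {"no"},
                      "X11 forwarding exposes the client's display to the server"),
}
MAX_AUTH_TRIES_DEFAULT = 6   # OpenSSH's default when the directive is absent
MAX_AUTH_TRIES_LIMIT = 4     # assumption: the most attempts per connection we accept


def parse_global_section(text: str) -> dict:
    """Map lowercased keyword -> (value, line number) for the global section.

    Two sshd_config rules matter for an audit: sshd keeps the *first* value it
    sees for a keyword (later duplicates are ignored), and every directive after
    a 'Match' line is conditional, so it is not treated as the global value."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2:
            settings.setdefault(keyword, (parts[1].strip().lower(), lineno))
    return settings


def audit_sshd_config(text: str) -> list:
    """Return one Finding per weak setting, including defaults left in place."""
    settings = parse_global_section(text)
    findings = []
    for keyword, (default, safe, why) in POLICY.items():
        if keyword in settings:
            value, lineno = settings[keyword]
            source = f"line {lineno}"
        else:
            value, source = default, "default (directive absent)"
        if value not in safe:
            findings.append(Finding(keyword, value, source, why))

    if "maxauthtries" in settings:
        raw, lineno = settings["maxauthtries"]
        tries = int(raw) if raw.isdigit() else MAX_AUTH_TRIES_DEFAULT
        source = f"line {lineno}"
    else:
        tries, source = MAX_AUTH_TRIES_DEFAULT, "default (directive absent)"
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(Finding("maxauthtries", str(tries), source,
                                "too many authentication attempts per connection"))
    return findings


# Constructed samples for this example, not any real host's configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first value, so the line below does not tighten anything
PermitRootLogin no
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("empty", "")):
        print(f"== {name} config ==")
        for f in audit_sshd_config(cfg):
            print(f"  {f.keyword}={f.value} ({f.source}): {f.why}")
```

On a live host, feed it the output of `sshd -T` rather than the raw file: that prints the effective configuration with defaults and includes resolved, so the "directive absent" branch and the first-value rule are both handled by sshd itself. The empty-config case is the instructive one: with no directives at all, password authentication is still on and MaxAuthTries is 6, so a default install is not a hardened one.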

The risks are further heightened in cloud and virtualized environments, where Linux-based virtual machines are widely deployed. When ransomware compromises these resources, it doesn’t just impact a single system—it disrupts both the physical and virtual infrastructure that organizations depend on.  

The results can be devastating, including halted services, encrypted data, lost productivity, and severe financial damage. The consequences of such an attack can ripple through an organization, leading to long-term operational and financial losses.

For organizations like ICBC, the potential for global economic disruption is even greater. Given the critical nature of these systems, infrastructure providers must be prepared to respond swiftly and decisively to minimize operational disruptions.  

A robust prevention capability is important, but the ability to recover quickly and effectively will be the key to mitigating the damage caused by ransomware and preserving the stability of critical sectors.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.