Evolve Bank Acknowledges LockBit Ransomware Data Breach 

• Evolve Bank disclosed the cyberattack that leaked data affecting Affirm cardholders and fintech firm Wise.
• The American bank’s investigation confirmed this was a LockBit ransomware attack.
• Preliminary information includes customer data leaks but no unauthorized access to bank accounts.

American Evolve Bank & Trust’s LockBit ransomware attack allegedly saw 33TB of data for sale on a hacker forum. The ongoing investigation shows that Evolve customer details and clients of their Open Banking partners’ client information, including names, contact information, and Social Security and bank account numbers, were exposed.

Employees’ personal data was also likely impacted, and the investigation is trying to asses whether information regarding Business, Trust, and Mortgage customers was leaked. Last week, the recently disrupted ransomware group LockBit claimed to sell the stolen Evolve Bank & Trust data, wrapping it as an alleged U.S. Federal Reserve breach.

Evolve discovered the LockBit security incident in late May 2024. During February and May, cyber-criminals exfiltrated customer information from the bank’s databases and a file share.

The financial organization “stopped the attack within days” after the threat actor possibly gained access to company systems after “an employee inadvertently clicked on a malicious internet link.” They engaged cybersecurity specialists and reported this incident to law enforcement.

The huge data breach affected third parties such as customer databases of fintech company Wise and Affirm Holdings card company. Both companies announced conducting individual inquiries to determine the extent of this security incident.

In early May, law enforcement froze the assets of the infamous LockBit ransomware group leader Dmitry Yuryevich Khoroshev, aka LockBitSupp. Authorities offer a reward of up to $10 million for information that would lead to the individual’s arrest.

Last month, a hacker from Kyiv connected to LockBit and Conti was arrested in Ukraine for cooperating with these Russian ransomware groups and helping the cybercriminal gangs evade detection.

In February 2024, law enforcement shut down the infrastructure of the LockBit Ransomware-as-a-Service (RaaS) affiliate-based variant through Operation Cronos. Authorities seized several servers that contained decryption keys and offered approximately 7,000 LockBit keys to U.S. and international victims.