Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In mid-2024, Evolve Bank & Trust - a US financial services firm and banking-as-a-service provider to many fintechs - suffered a ransomware attack by the LockBit group. The attackers accessed and downloaded customer data from Evolve's databases and a file share, and encrypted some systems. Evolve refused to pay the ransom, so LockBit leaked the stolen data, initially and wrongly publishing it as a breach of the US Federal Reserve. The bank later confirmed that the personal information of more than 7.6 million people had been compromised, and the breach also affected customers of fintech partners including Wise, Affirm, Mercury and Bilt.
Evolve detected unusual system behaviour in late May 2024, which it first mistook for a hardware failure before identifying unauthorised activity; it saw no new unauthorised activity after 31 May 2024. Investigators found that data had been accessed during periods in February and May 2024. LockBit publicly leaked the stolen data around 23-25 June 2024, and on 8 July 2024 Evolve notified more than 7.6 million individuals and regulators that their data had been compromised.
The attack was carried out by LockBit, a prolific Russia-linked ransomware-as-a-service operation that also operates under the handle 'LockBitSupp'. The group had recently been disrupted by an international law enforcement operation, and its administrator has since been publicly identified and sanctioned by US and UK authorities. Many researchers viewed LockBit's surrounding claims - including that it had breached the Federal Reserve - as an attempt to stay relevant after that crackdown.
No, the Federal Reserve itself was not breached. LockBit claimed to have stolen 33 terabytes of data from the US Federal Reserve and posted it under a 'federalreserve.gov' heading on its leak site, but analysis quickly showed the data actually came from Evolve Bank & Trust, a comparatively small financial services company. Security researchers were sceptical of the Federal Reserve claim from the outset, and Evolve confirmed that LockBit had 'mistakenly attributed the source of the data to the Federal Reserve Bank'.
According to Evolve, the attackers gained access when an employee inadvertently clicked on a malicious internet link. From there, the LockBit actors were able to reach the bank's databases and a file share, download customer information, and encrypt some data within the environment. This made the breach another example of how a single phishing or social-engineering click can open the door to a major ransomware incident.
Evolve said the exposed information included names, Social Security numbers, Evolve account numbers, dates of birth and contact details for most of its personal, mortgage and small business banking customers, as well as customers of its Open Banking partners. A smaller number of people also had debit card numbers affected. The stolen files included ACH transaction records - financial account numbers, routing numbers and names for both payers and payees - and personal information relating to Evolve employees. The bank said there was no evidence that customer funds were accessed.
Evolve Bank & Trust notified more than 7.6 million individuals that their personal information had been compromised. In its filing to the Maine Attorney General's Office, the bank put the figure at 7,640,112 people. Evolve offered affected US residents two years of free credit monitoring and identity protection, and dark web monitoring for international residents where available.
Because Evolve provides banking-as-a-service to many fintechs, several partners reported that their customers were caught up in the breach. Wise said data it had shared to provide USD account details between 2020 and 2023 may have been exposed; Affirm disclosed in an SEC filing that Affirm Card user information was likely compromised; and Mercury said leaked records included some account numbers, deposit balances, business owner names and emails. Bilt notified users as a precaution while saying its own platform was not directly affected. In each case, the partners stressed that their own systems were not breached.
No, Evolve did not pay. The bank stated that it refused to pay the ransom demanded by the threat actor, and that LockBit responded by leaking the data it had downloaded. Because the bank had backups in place, it reported limited data loss and limited impact on its operations despite the file-encrypting element of the attack.
No, the breach and the regulatory action were separate matters that happened to surface around the same time. In June 2024, the US Federal Reserve issued an enforcement action against Evolve over deficiencies in its risk management, anti-money laundering and compliance practices identified in 2023 examinations, requiring it to address those issues before expanding certain activities. That regulatory action was unrelated to the LockBit ransomware attack, although the coinciding timing drew added attention to the bank.
Evolve engaged external cybersecurity specialists, contained the attack and reported the incident to law enforcement. It reset passwords globally, rebuilt critical identity and access management components including Active Directory, further hardened its firewalls and security appliances, and deployed endpoint detection and response tools. It notified affected individuals and regulators - including the Maine Attorney General's Office - offered credit monitoring and identity protection, and issued new account numbers where warranted.
The Evolve incident shows how one employee clicking a malicious link can lead to a multi-million-record breach, and how banking-as-a-service relationships can spread the impact to many downstream fintechs and their customers. Key lessons include phishing-resistant authentication and user awareness training, strong segmentation and access controls around sensitive data, reliable and tested backups, robust third-party and supply-chain risk management, and a rehearsed incident response and breach-notification plan. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.