ICBC Financial Services LockBit ransomware (2023)
LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.
- Victim: ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
- Loss: $9.00B
On 9 November 2023, LockBit ransomware disrupted the U.S. broker-dealer arm of Industrial and Commercial Bank of China (ICBC), the world's largest bank by total assets. The disruption was severe enough that over $9 billion of trades backed by U.S. Treasury securities failed to settle on time, and ICBC staff resorted to sending settlement details by USB stick carried by a messenger physically across Manhattan.
What happened
ICBC Financial Services is the U.S.-based broker-dealer subsidiary of Industrial and Commercial Bank of China. On 9 November 2023 its systems were encrypted by LockBit ransomware. The unit was temporarily unable to access its corporate email, let alone its settlement infrastructure. Bank staff, facing imminent failed deliveries, wrote settlement instructions to USB drives and hand-delivered them to counterparties via a messenger.
The Treasury-market impact was unusually visible: more than $62 billion of U.S. Treasury trades failed to deliver in a single day. Capital injections from the ICBC parent covered the unsettled exposure, and the market normalised after roughly four trading days.
Researchers analysing artefacts from the intrusion concluded that LockBit had likely exploited the Citrix Bleed vulnerability (CVE-2023-4966), the same flaw exploited in the contemporaneous Boeing attack, to gain initial access.
In February 2024, the U.S. Treasury sanctioned Ivan Gennadievich Kondratiev ("Bassterlord", "Fisheye"), a Russian national identified as a LockBit affiliate and leader of the National Hazard Society affiliate sub-group, as part of a coordinated U.S./UK takedown effort against LockBit's infrastructure.
Impact
- More than $9 billion of trades backed by U.S. Treasuries failed to settle on time.
- $62 billion of Treasury trades failed to deliver in one day.
- Settlement instructions hand-delivered by USB stick across Manhattan.
- ICBC parent capital injections covered unsettled trades.
- U.S. Treasury sanctions on a named LockBit affiliate; precursor to the international LockBit takedown in 2024.
Why it matters
ICBC is the case where ransomware moved markets: a single criminal-encryption event at the U.S. broker-dealer of a Chinese state bank rippled into a measurable disruption of U.S. Treasury settlement. The contrast between the high-frequency electronic infrastructure of modern finance and the physical USB-stick contingency that kept trades flowing has been studied by every G7 financial regulator since.
Financial impact
Reported costs in USD
- Business loss: $9.00B
Timeline
LockBit ransomware detonates against ICBC Financial Services, the U.S. broker-dealer arm of Industrial and Commercial Bank of China. The unit's corporate email and key settlement systems go offline.
More than $62 billion of U.S. Treasury trades fail to deliver in a single day. ICBC FS staff resort to sending settlement details by USB stick, carried by a messenger physically through Manhattan to counterparties.
Settlement systems are restored; ICBC parent capital injections cover unsettled trades. The U.S. Treasury market normalises after roughly four trading days of disruption.
Researchers attribute the intrusion to LockBit and assess the initial-access vector as exploitation of Citrix Bleed (CVE-2023-4966).
The U.S. Department of the Treasury sanctions Ivan Gennadievich Kondratiev, alleged LockBit affiliate and leader of the National Hazard Society sub-group ('Bassterlord', 'Fisheye').
Sources
- cnbc.com: https://www.cnbc.com/2023/11/10/icbc-the-worlds-biggest-bank-hit-by-ransomware-cyberattack.html
- bitdefender.com: https://www.bitdefender.com/en-us/blog/hotforsecurity/worlds-biggest-bank-hit-by-ransomware-forced-to-trade-via-usb-stick
- therecord.media: https://therecord.media/icbc-dealing-with-ransomware-attack
- home.treasury.gov: https://home.treasury.gov/news/press-releases/jy2114
- bankinfosecurity.com: https://www.bankinfosecurity.com/report-details-aftermath-icbc-lockbit-ransomware-attack-a-23655