LockBit Ransomware Attack on a Bank: Tactics, Impact, and Huawei Cloud Defense

The article details a recent LockBit ransomware attack on a bank’s US subsidiary, explains the malware’s intrusion, infection, and data‑exfiltration tactics, and outlines Huawei Cloud Host Security’s risk‑prevention, detection, and data‑recovery measures to defend against such threats.

Huawei Cloud Developer Alliance

Recent Ransomware Incident

On November 10, 2023, a U.S. subsidiary of a bank announced that on November 8 it had suffered a ransomware attack that disrupted part of its systems. On November 9, the LockBit ransomware group publicly claimed responsibility. LockBit, first observed in 2019 and now upgraded to LockBit 3.0, operates as ransomware‑as‑a‑service (RaaS), targets many sectors, and can cause permanent data loss or public leakage if the ransom is not paid.

Security expert Kevin Beaumont indicated that the attackers likely exploited the Citrix NetScaler Gateway/ADC vulnerability CVE‑2023‑4966. This flaw allows unauthenticated remote attackers to steal cookies and bypass authentication.

Initial Intrusion Phase

Typical attack techniques include RDP exploitation, phishing campaigns, abuse of valid accounts, and exploitation of public‑facing applications. Historical vulnerabilities used by this ransomware family are illustrated below.

Infection and Execution Phase

LockBit, like many ransomware families, performs persistence, privilege escalation, lateral movement, internal data discovery, and disables security software during infection. LockBit 3.0 can accept parameters to control its behavior, enabling lateral movement and targeted directory encryption, and uses encrypted executables to evade detection.

LockBit employs a double‑extortion strategy: it first steals files and then encrypts them using AES + RSA (no public decryption tool exists), changes the desktop wallpaper to signal the ransom, and drops a README.txt ransom note.

Data Exfiltration Phase

LockBit uses its proprietary data‑exfiltration tool StealBit, or legitimate cloud‑sync utilities such as rclone or MEGA, to upload stolen data.

Ransomware Protection Strategies

Defend against the three ransomware stages: intrusion, lateral movement, and encryption.

Risk Prevention

Huawei Cloud Host Security (HSS) offers pre‑attack risk prevention, including baseline checks, vulnerability management, and container image security scanning to reduce the attack surface.

Step 1: Open the “Baseline Check” page to remediate configuration and weak‑password risks.

Step 2: Open the “Vulnerability Management” page to scan and fix vulnerabilities.

Intrusion Detection and Blocking

During an intrusion, attackers combine several techniques; HSS raises timely alerts and blocks for brute‑force attacks, vulnerability exploits, webshells, reverse shells, viruses, trojans, rootkits, and similar activity, giving detection coverage across the full LockBit attack path.

HSS employs multiple detection capabilities, including an AV engine, decoy files, and HIPS host intrusion rules. It detects ransomware behavior, terminates malicious processes, and prevents further spread.
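To make the detection ideas above concrete, here is an added example (not HSS code and not from the original article) that runs three LockBit‑style rules over constructed endpoint telemetry: launch of an exfiltration utility such as rclone or MEGA (the "Data Exfiltration Phase" above), modification of a decoy file, and a README.txt ransom note appearing across many directories. The tool list, decoy path and thresholds are hypothetical tuning values.

```python
# Constructed sample endpoint telemetry (not data from the incident described above).
# Each event: (kind, subject, detail). kind is "proc" (process start) or "file" (file operation).
SAMPLE_EVENTS = [
    ("proc", "rclone.exe", "copy C:\\Finance mega:backup --transfers 32"),
    ("file", "C:\\Users\\alice\\Documents\\README.txt", "create"),
    ("file", "C:\\Users\\alice\\Pictures\\README.txt", "create"),
    ("file", "C:\\Finance\\README.txt", "create"),
    ("file", "C:\\Decoy\\canary.docx", "modify"),
    ("proc", "notepad.exe", "C:\\Users\\alice\\notes.txt"),
]

# Hypothetical tuning values, not Huawei Cloud HSS settings.
EXFIL_TOOLS = {"rclone.exe", "rclone", "megasync.exe", "megacmd.exe"}
DECOY_FILES = {"c:\\decoy\\canary.docx"}          # planted decoy (canary) documents
RANSOM_NOTE_NAME = "readme.txt"                    # note name LockBit drops, per the article
RANSOM_NOTE_DIR_THRESHOLD = 3                      # distinct directories before alerting


def analyze(events):
    """Return a list of (rule, evidence) alerts for the three ransomware signals."""
    alerts = []
    note_dirs = set()
    for kind, subject, detail in events:
        key = subject.lower()
        if kind == "proc" and key in EXFIL_TOOLS:
            # Cloud-sync tools are legitimate, so log the full command line for triage.
            alerts.append(("exfil_tool_launched", f"{subject} {detail}"))
        elif kind == "file":
            directory, _, name = key.rpartition("\\")
            # Nothing legitimate should touch a decoy file; any change is high confidence.
            if key in DECOY_FILES and detail in ("modify", "rename", "delete"):
                alerts.append(("decoy_file_touched", subject))
            # One README.txt is noise; the same note in many directories is a ransom drop.
            if name == RANSOM_NOTE_NAME and detail == "create":
                note_dirs.add(directory)
    if len(note_dirs) >= RANSOM_NOTE_DIR_THRESHOLD:
        alerts.append(("ransom_note_spread", f"{len(note_dirs)} directories"))
    return alerts


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {evidence}")
```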

Data Recovery

If servers are encrypted, timely backup restoration and forensic analysis are required. HSS supports one‑click data recovery; after enabling ransomware protection, business data can be conveniently backed up and restored, reducing loss.

Written by

Huawei Cloud Developer Alliance

The Huawei Cloud Developer Alliance creates a tech sharing platform for developers and partners, gathering Huawei Cloud product knowledge, event updates, expert talks, and more. Together we continuously innovate to build the cloud foundation of an intelligent world.
