The Industrial and Commercial Bank of China (ICBC) [3] [4], China’s largest bank [2], recently experienced a ransomware attack on its US unit. This attack, believed to be orchestrated by the LockBit group [1], disrupted the US Treasury market and hindered ICBC’s ability to settle trades for other market participants. However, the overall market liquidity remained largely unaffected.


ICBC Financial Services has confirmed the attack and is currently conducting an investigation while working on recovery efforts [4]. The specific form of ransomware used in the attack has not been disclosed [2]. As a precautionary measure, ICBC temporarily suspended all inbound FIX connections and is now in the process of restoring services [2].

Security researcher Kevin Beaumont suggests that the attack may have exploited an unpatched vulnerability in a Citrix Netscaler box operated by ICBC [2]. However, other experts caution against drawing conclusions without further details [2]. Market sources report that the impact on the market was limited. It remains unclear if any data has been leaked or if a ransom has been demanded or paid [3].

This incident raises concerns about cyber security controls in the financial market and may attract regulatory scrutiny [4]. The US Securities Industry and Financial Markets Association (SIFMA) has reported the attack [3] [4], but the Treasury market appears to be functioning normally [4]. The US Treasury is aware of the cybersecurity issue and is in contact with key financial sector participants and federal regulators [3].

Globally, 493.33 million ransomware attack attempts were detected last year [4], with LockBit being the most prolific operator [4]. ICBC is currently in the process of restoring services [5]. It is crucial for organizations to regularly review their business risk, including the potential impact of ransomware attacks [2].


While the ransomware attack on ICBC’s US unit had a limited impact on overall market liquidity, it highlights the need for robust cyber security controls in the financial market. The incident may attract regulatory scrutiny and raises concerns about data leakage and ransom demands. Organizations should prioritize regular risk assessments to mitigate the potential impact of ransomware attacks.