General Questions
1. What Happened?
In late May 2024, Evolve Bank & Trust identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity. We engaged cybersecurity specialists to investigate and determined that unauthorized activity may have been the cause. We promptly initiated our incident response processes and stopped the attack. The Bank has seen no new unauthorized activity since May 31, 2024. We engaged outside specialists to investigate what happened and what data was affected, as well as a firm to help us restore our services. We reported this incident to law enforcement.
While the investigation is ongoing, we want to share some important information about what we know so far. At this time, current evidence shows the following:
- This was a ransomware attack by the criminal organization, LockBit.
- They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link.
- There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May.
- The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations.
- We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank.
2. What actions are you taking to better secure Evolve Bank & Trust’s networks in response to this event?
Since we became aware of the incident, we have taken steps to enhance the existing controls and further secure our environment, including:
- Resetting passwords globally.
- Rebuilding our active directory.
- Updating the rules of our firewall and security monitoring applications.
- Deploying endpoint detection and response and other security tools to harden the network.
We are in the process of further strengthening our security response protocols, our policies and procedures, and our ability to detect and respond to suspected incidents.
3. Has the event been resolved/contained?
The Bank promptly initiated its incident response process and stopped the attack. The Bank has seen no new unauthorized activity since May 31, 2024. We engaged outside specialists to investigate what happened and what data was affected, as well as a firm to help us restore our services. We reported this incident to law enforcement.
4. Was this a ransomware attack?
This was a ransomware attack by the criminal organization, LockBit.
5. Did you pay the ransom?
We refused to pay the ransom demanded by the threat actor.
6. Did you notify the appropriate authorities?
Yes, we have notified law enforcement.
7. Don’t you have security and other systems in place to prevent this?
Yes, we have a variety of measures and technologies to prevent these attackers, but unfortunately, threat actors are becoming increasingly sophisticated, and these attacks are becoming more common.
Since we became aware of the incident, we have taken steps to enhance the existing controls and further secure our environment, including:
- Resetting passwords globally.
- Rebuilding our active directory.
- Updating the rules of our firewall and security monitoring applications.
- Deploying endpoint detection and response and other security tools to harden the network.
We are in the process of further strengthening our security response protocols, our policies and procedures, and our ability to detect and respond to suspected incidents.
Evolve Bank (Personal) Customers, Mortgage Customers, Customers’ End Users
8. Has this impacted your ability to operate and serve customers?
No. We have worked diligently to restore systems safely and quickly. We activated our business continuity processes and re-routed operations where possible to continue to support our customers.
9. Were my funds impacted?
No. There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information.
10. Was customer data accessed or exfiltrated from Evolve Bank & Trust?
At this time, we have evidence that files were downloaded from our systems. The investigation is in its early stages, but it appears that names, Social Security numbers, Evolve account numbers, date of birth, and contact information were affected for most of our personal, mortgage, trust and small business banking customers, as well as customers of our Open Banking partners. A small portion of these individuals also had their debit card number affected. The affected files also included ACH transaction records, which include financial account number, routing number, and name for both payors and payees.
11. When will I receive additional information from Evolve Bank & Trust?
Our team is continuing to work around the clock to respond to our recent security incident. We are committed to transparency about this event and have provided a detailed update below about what happened, how we are responding, and actions customers and clients can take. We will continue to provide regular updates here.