ZB Financial Holdings Hacked For Ransom. Customer & Operations Data Leaked To The Internet

ZB Financial Holdings

ZB Financial Holdings, one of the largest financial institutions in Zimbabwe, was attacked by a ransomware gang in July, and had its data leaked to the internet.

From what we understand, the attackers stole files, demanded a ransom not to release them, and when ZB refused, leaked the data on the dark web. It is also possible that the hackers encrypted ZB’s files as part of the attack, to prevent the company from accessing them.

The attack was picked up by cyber security monitoring firms and published on their social media handles. One of these firms said in a post on X that ZB was one of 6 companies hit with ransomware by the attackers, including a company in South Africa and others in Europe:

We have identified and begun monitoring a new ransomware group named “Mad Liberator”. They have listed 6 victims on their darkweb portal

– ZB Financial Holdings 🇿🇼
– South African Cities Network 🇿🇦
– Crosswear Trading 🇬🇧
– Montero & Segura Procuradores Asociados 🇪🇸
– Ministero della cultura 🇮🇹
– Vitaldent 🇪🇸

The attackers apparently demanded ransom from ZB and when the organisation refused to pay, they released the data they had to the internet.

Techzim was able to view evidence that a large amount of ZB customer and operations data, running into gigabytes, had indeed been leaked. The data includes Excel files with consumer customer data, business customer data, employee data, account applications and several other types of data. The file dates look as current as July 2024 but go back as far as 2017 and probably earlier.

Techzim was alerted to the attack a little over a week ago and wrote to ZB to understand exactly what had happened and to ask for comment, but we did not receive any official response. Representatives of the company told us several times over more than a week that they would respond, but did not.

We are however reliably informed that ZB was aware of the attack prior to our enquiry.

It is possible that the attack is linked to a notice to customers that ZB sent out on 16 July. The financial services firm notified customers that its systems were experiencing instability and that technical teams were working flat out.

A week later on the 23rd, the company said everything was normal again.

It’s not clear whether the data leak is now under control. It is possible that the ransomware gang released some files but is still holding on to more. It is also possible that even though the bank has recovered its systems, it may still not know how the attackers got in and may therefore still be vulnerable.

One local cyber security expert we spoke to suspected that the situation was caused by poor patch management:

Ransomware attacks are a direct indicator of lack of a patch management program + weak endpoint security + weak web and email channel security…

Ransomware Gangs

Ransomware gangs attack victims by exploiting vulnerabilities in their computer systems or simply by exploiting a person’s actions. The ransomware itself encrypts the victim’s files and the attacker then demands a ransom from the victim, promising to restore access to the data upon payment. The ransom can range from a few hundred US dollars to thousands, which the gangs want paid in cryptocurrency.

A crypto-tracing firm revealed that ransomware payments globally exceeded US $1.1 billion in 2023.

ZB is hardly the only company to be attacked by ransomware gangs in recent history. ZESA, about a year ago, was reported to have been hacked by one such group. There have also been murmurs about such attacks on banks that are never disclosed. Of course, the problem is that the customers whose data would have been stolen and leaked have no idea about the breaches or their extent.

Beyond Zimbabwe, last year a ransomware attack hit China’s ICBC, the world’s biggest bank. In the UK, the gangs were responsible for stealing NHS health data just last month. Other attacks have been responsible for shutting down casinos in Las Vegas, and even for hitting government systems.

32 comments


  1. S. Soldier

    Why post stories that are already stale like this?

    1. The Last Don

      To us it’s still fresh. One man’s junk is another man’s antique.
      🙈 🙈 🙈 🙈

    2. Anonymous

      awareness

    3. Smokie

      The article clearly points out that @techzim reached out to ZB, in order to get clarification on the matter, but to no avail. This means they wanted to give us a detailed story, not a half-baked one… normalize reading through articles before airing out your negative thoughts @S.Soldier

      1. ngoni mugandani

        ZB has an obligation to inform us, its stakeholders, as soon as possible when something of that nature happens.

    4. Anonymous

      In order to protect and safeguard the persons and organizations whose sensitive private data has been leaked, ZB has a duty of care to make the cyber attack public. The persons whose data has been leaked need to be on the lookout for such threats as identity theft, phishing etc. There is also an element of liability on the part of ZB if they refuse to disclose the cyber attack and their clients become victims of crime due to the leaked data. There is no upside to hiding a leak of private information when thieves are going to use the private data to commit crimes.

  2. Redfleva

    Great article sir, in-depth and insightful. I think organizations in Zimbabwe are yet to wake up to the fact that they are not immune to cybersecurity threats. They should invest in appropriate threat mitigation and protection.

  3. Marvellous

    How is leaked customer data going to affect customers?

    1. Ashiefx

      They might log into your account and loot it, or get your info and pretend to be you and use it somewhere else.

    2. RGC

      Leaked data is dangerous; even discreet transactions to ‘unwanted’ recipients can be seen on the dark web. For example, a guy sending money to his small house can be detected through that data dump. The Ashley Madison hack is a classic example.

    3. Chiskop

      Impersonation purposes to say the least

  4. Kevin

    TechZim please give us Free accessible websites.

    1. Kudhara

      The Http Injector gang hahaha

      1. Jack Brown

        It’s high time our local firms invest heavily in cyber security. Our IT infrastructure is weak.

    2. Horus

      Techzim.co.zw

  5. Kevin

    We’re tired of boredom.

    1. Econet User

      Buy data.

  6. D.K.

    Is the bank government owned or has some government shares for them to behave like a government arm when it comes to responding to requests to clarify an issue? Private companies usually grab such an opportunity to give some response, no matter how the situation would be. They know that what a single journalist knows is as good as what the world knows. Private companies “use” such requests by journalists to their advantage as they know they cannot hide issues forever.

    1. ZB Bank

      We’ve responded

      1. D.K.

        You were not asked for a QR code.

      2. Anonymous

        Why suggest that a microfinance institution give loans and not the bank? Don’t you see that it’s broad daylight robbery, because how can one get 465 and return 756? It’s not fair. And the country’s money, don’t you want to lend it out? They say “batches”, what is that? We will all end up leaving, because another bank pays out 3500 while you say 500; what’s the difference?

    2. HM

      Hey, you are generalizing all over. Govt, private sector, this and that. Every individual company has a right to respond to queries in their best assessed interest and at their appropriate time. See, Techzim is not a solution to their problem. At the least, they want to make money out of it by attracting attention to their website and selling their services.
      This is a ZB tragedy. Let them sort it out the way they deem fit.

  7. Anonymous

    Where I am in the world, nearly every month some major organization is the victim of a major cyber attack. The laws require the victims to inform stakeholders as soon as possible.

  8. Sabhuku bandera

    Maybe ZB refused the ransom payment because they saw that the information that was taken is not that important, because there could be “terrorbytes” of useless stuff.
    I think if the hack could lead to emptying of bank accounts they wouldn’t ask for a ransom, they would just taketh thou money.

    1. Anonymous

      Yeah I second you

    2. Anonymous

      That’s not true,any customer data has to remain private as it can endanger customers and

      1. Sabhuku Bandera

        Yes, data was leaked, but how important is it to the average account holder? What are the chances that I will lose the ZiG in my account? Probably very, very low.
        Yes, it can endanger users, but to what extent? OK, so they found out I was sending money to my 3 small houses, and then what? You need to be targeting a certain individual, then sift through all that data and connect the dots to make a damaging impact. This is why they go the ransom way.
        Data has to remain private, but in the event that it has leaked, the next step is to find out how important the leaked data is to the organisation and what kind of financial damage it can do.
        Unlike other countries where social media and news about hacks can really do damage to organisations, in Zimbabwe we are not quite there yet; hackers thrive on this news and social posts about their hacks to force organisations to pay. Now, here, how many people closed their ZB accounts because of the hack? While ZB can be sued, can you prove that your name was leaked? Probably not. Do you know where to even find the leaked data? Probably not. It’s not OK, but all the average user knows is “the system is down, we’ll try again later or tomorrow”.

  9. OM.M

    Hello @Techzim, I’m a seasoned Cybersecurity Expert based locally. With my experience with freelance penetration testing over the last 4 years, I’ve noticed that too many companies are reluctant to invest in cybersecurity, financial companies to be precise. The most common attack vector for a ransomware attack is exploiting employees’ lack of awareness (phishing), thus giving threat actors a foothold/initial access to the network; from there they can escalate privileges and do internal recon to know exactly where to hit. This could have been worse. We have to invest in cybersecurity, do awareness programs, and continuously test employees’ awareness through phishing campaigns. They should release a public statement to assure customers of their data safety, if not they recommend security measures! If the data is surely public and ZB hasn’t clarified to valued customers, they risk being sued.

    1. HM

      100 percent

    2. Anonymous

      Yes, they CAN be sued, but you have to prove that your info was leaked. Otherwise they will simply say the only stuff leaked was our performance data and worker logs.
      If you find out your name was leaked, do you have the financial muscle to battle with them in court? Or you can be easily silenced by a generous donation of 100 USD into your ZB account and have a cool story to tell your friends.

  10. 🧐

    When ZiG was introduced, it was said to have the backing of the country’s precious minerals and some 300m in money, some of it visible and the rest held offshore; it was never said at which offshore bank. I think, here, the President was aware that such mischief was pending had they disclosed the amount and the offshore bank. Remember that he is under special sanctions upgraded by Biden, so this is an eye opener that the sanctions are real despite being said to have been removed, and such attacks are self explanatory as to why the President concealed the offshore bank as foolproof.

  11. Anonymous

    The ZANU people have started stealing!
