River Holdings, the parent company of River Bank, disclosed a ransomware attack in a filing with the US Securities and Exchange Commission. The company confirmed it was forced to disconnect multiple systems from its network and disable admin accounts that appeared to have been used or compromised by the attackers.
The SEC disclosure makes this a public incident — under current US regulations, publicly traded companies are required to report material cybersecurity incidents within four business days of determining the incident is material.
The move to disable admin accounts is a telling detail. In most ransomware incidents, attackers spend days or weeks moving laterally through the environment before triggering the ransomware payload. Compromised admin credentials are typically how they escalate privileges and gain broad access to systems. Disabling those accounts mid-incident suggests the company identified active attacker presence, not just encrypted files.
For financial institutions — and for any organization running privileged access — this incident reinforces why monitoring admin account activity is not optional. Unusual logins, new admin accounts, changes to group memberships, and off-hours access are the signals that precede ransomware deployment. Catching them requires visibility into identity and authentication logs, not just endpoint alerts.
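As an added example (not from the article or the company's filing), a small Python detector that applies the identity-log signals the paragraph names to constructed sample events; the group names, business hours, JSON layout and the escalation-chain window are assumptions made for the example.

```python
"""Added example (not from the article): flag the identity-log precursors it names
(new accounts, privileged group changes, off-hours admin logons) and chain them.
Events are constructed JSON-lines sample data; IDs 4720/4728/4732/4624 are the
standard Windows Security event IDs for those actions."""
import json
from datetime import datetime, timedelta

# Assumed tuning values for this example; adjust to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time
CHAIN_WINDOW = timedelta(minutes=30)     # logon -> privileged change window

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOG = """
{"ts": "2024-05-14T02:13:07", "event_id": 4624, "user": "svc-backup", "logon_type": 10, "src": "10.0.4.77"}
{"ts": "2024-05-14T02:15:40", "event_id": 4720, "user": "it-helpdesk2", "actor": "svc-backup"}
{"ts": "2024-05-14T02:16:02", "event_id": 4728, "user": "it-helpdesk2", "group": "Domain Admins", "actor": "svc-backup"}
{"ts": "2024-05-14T09:30:11", "event_id": 4624, "user": "jdoe", "logon_type": 2, "src": "10.0.1.20"}
{"ts": "2024-05-14T10:02:55", "event_id": 4732, "user": "jdoe", "group": "Remote Desktop Users", "actor": "admin-ops"}
"""

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule_name, event) pairs for every precursor signal found."""
    findings = []
    off_hours_logon = {}  # actor -> time of last off-hours remote logon
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["event_id"]
        actor = ev.get("actor", ev["user"])  # who performed the action
        if eid == 4720:  # user account created
            findings.append(("new_account_created", ev))
        elif eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_change", ev))
            # Chain: the same actor logged on remotely off-hours shortly before
            # granting privileged group membership, the pattern the article describes.
            t0 = off_hours_logon.get(actor)
            if t0 is not None and ts - t0 <= CHAIN_WINDOW:
                findings.append(("escalation_chain", ev))
        elif eid == 4624 and ev.get("logon_type") == 10 and ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_remote_logon", ev))  # type 10 = RemoteInteractive (RDP)
            off_hours_logon[actor] = ts
    return findings

def rule_names(text=SAMPLE_LOG):
    """Convenience: just the rule names fired, in event order."""
    return [rule for rule, _ in detect(parse_events(text))]
```

On the sample data, the three early-morning events from `svc-backup` fire the individual rules and the chain rule, while the daytime logon and the non-privileged group change stay silent.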