LockBit brags it pumped ION full of ransomware
Crims put a February 4 deadline for software slinger to pay up
UK regulators are investigating a cyberattack against financial technology firm ION, while the LockBit ransomware gang has threatened to publish the stolen data on February 4 if the software provider doesn't pay up.
According to a statement posted on ION Market's website, its ION Cleared Derivatives division "experienced a cybersecurity event" on January 31.
"The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," the notice said. "Further updates will be posted when available."
LockBit, a ransomware group with ties to Russia, has since said it pulled off the data heist, and promised to publish "all available data," according to a screenshot posted by Emsisoft threat analyst Brett Callow.
#LockBit has listed #ION. The #RoyalMail has not been listed. The reason for that is not known. pic.twitter.com/7p5nZNttjm
— Brett Callow (@BrettCallow) February 2, 2023
This is the crime gang that may or may not have also attacked Royal Mail last month. Despite claiming one of its affiliates compromised the postal service, Royal Mail hasn't been listed on LockBit's leak site, as Callow noted.
The ION security alert didn't provide any additional details, but according to media reports the attack affected 42 of ION's customers, which likely included ABN Amro Clearing and Intesa Sanpaolo, Italy's biggest bank, Reuters reported.
Meanwhile, some European and US banks and brokers had to pull the pens and paper out of storage. ION's software automates trading processes, and Bloomberg reported the outage forced these banks and brokers to manually process derivative trades.
The attack prompted the Futures Industry Association (FIA) to weigh in on the security snafu, which it said has affected ION clients "across global markets."
The industry association, which represents futures dealers, investors and exchanges, said it was working with its member organizations, "including clearing firms and exchanges, as well as market regulators and others, to assess the extent of the impact on trading, processing, and clearing."
Additionally, a spokesperson for the UK's Financial Conduct Authority told The Register that the FCA is "aware of this incident and we will continue to work with our counterparts and the firms affected."
The FCA regulates British banks and financial services companies. While ION, as a third-party software provider, isn't an FCA-regulated business, it does provide services to several firms that do fall under the agency's purview.
As such, the FCA is working with its counterparts to help affected financial services firms.
US downplays risk
The US Treasury Department also confirmed the ransomware attack against ION, but said it didn't pose a "systematic risk" to industry.
"The issue is currently isolated to a small number of smaller and mid-size firms and does not pose a systemic risk to the financial sector," Deputy Assistant Secretary of the Treasury for Office of Cybersecurity and Critical Infrastructure Protection Todd Conklin told The Register.
"We remain connected with key financial sector partners, and will advise of any changes to this assessment," Conklin added.
However, these types of supply-chain, or "island-hopping," attacks are becoming more prevalent in the financial sector, Tom Kellermann, senior VP of cyber strategy at Contrast Security, told The Register.
"Shared service providers are being increasingly targeted by cybercrime cartels to manifest island hopping," he said. "Cyberattacks in the financial sector are no longer merely about conducting a heist but rather to hijack the digital transformation of the victim so as to launch attacks against their customer base." ®