A ransomware attack on a unit of ION Group, a data firm and major provider of trading and automation software to the financial industry, has had an impact on derivative trading that is still being evaluated.
The Cleared Derivatives division was reportedly hit on January 31. ION Group said that impacted servers were pulled offline in the wake of the incident. The Futures Industry Association continues to investigate the full impact of the ransomware attack on derivative trading, and the notorious Lockbit gang has claimed credit and says that the firm paid the ransom demand on February 3.
The main impact to derivative trading thus far has been long delays in processing for financial firms in Europe and the United States, but operations for other ION clients have also been strongly impacted. Italy’s biggest bank, Intesa Sanpaolo, is one of these clients. Some brokers were told that it might take five days to resolve the problem, pushing a return to normal operations back to the business week beginning on February 6.
LockBit had threatened to leak the stolen data if not paid by February 4, but the group followed up with a claim that it was paid on February 3. While the damage may have been contained at this point if a payment was made, the full cleanup of the issue could extend for some time beyond restoration of regular derivative trading. For example, the U.S. Commodity Futures Trading Commission said that its weekly Commitments of Traders report is on hold until all trades can be accounted for. However, the U.S. Treasury was also quick to assure the public that the ransomware attack did not pose a “systemic risk” to the financial sector.
In total derivative trading accounts for tens of trillions of dollars per quarter in value in North America alone. It is still not known how Lockbit gained a foothold by which to deliver their ransomware attack.
Oz Alashe MBE, CEO of CybSafe, notes that financial sector cyber attacks (and particularly ransomware) are up substantially in recent years: “According to CybSafe’s analysis of ICO cyber incident data, in the 2021-2022 financial year, the financial services and insurance sector accounted for 12% of total cyber attacks. More notably, the number of ransomware attacks has increased by 12% to represent 35% of all cyber attacks within the sector. Financial services are fundamental to the economy. While cyber security is a top priority for many organisations within the sector, more can and must be done. The days of viewing cyber security as an annual tick-box exercise must end. To adequately address the threat level, cyber security must become an active, ongoing process within financial services. Employees want to be part of the solution. Therefore, the onus is on businesses to equip their employees with the right tools and education to display positive security behaviours and protect data.”
LockBit remains in the spotlight with major disruption of derivative trading
ION Group has yet to comment on the development, but Lockbit communicated to media sources that a “very rich unknown philanthropist” had paid its ransom demand and that the group would offer no further details about the ransomware attack. It also removed ION’s name from its extortion website, a seeming signal that at least that much of the issue has been settled at this point.
However, the firm (and portions of the derivative trading world) are still far from the goal line in terms of total incident cleanup. Everyone involved will have to hope that LockBit actually turns over the decryption keys to ION, for a start. Under ideal circumstances, it then takes weeks to restore all involved systems to normal operating status; under less ideal circumstances it could take months. There is also the matter of scouring systems to ensure that LockBit does not maintain some sort of presence or backdoors to initiate a future ransomware attack, and improving defenses to fend off the inevitable wave of copycats that follow along when a big-name company gets hit.
The incident also highlights the continuing threat of ransomware attacks, and that even as big players are taken out new ones step up to fill the vacuum. LockBit debuted in 2019 and has been one of the biggest names in the space since 2021. It had lasted longer than many of its contemporaries due to balancing a high volume of attacks with a polished operation and avoiding some of the public pitfalls that other groups (such as Conti) stepped in.
Daniel Mayer, threat researcher at Stairwell, observes that as long as the customer base (affiliates) exists and there are jurisdictions for them to hide in, ransomware-as-a-service organizations will continue to emerge: “Most financially-motivated actors are indiscriminate in targeting and are merely looking for lucrative targets. Key logistics and financial organizations like Ion and Royal Mail make great targets for LockBit because the cost imposed by a mere hour of downtime is significant, so the pressure to pay is high. But LockBit’s tactics are bread-and-butter for ransomware actors – they are not distinct. LockBit doesn’t even write their own Ransomware; they did originally, but then shifted to using Lockbit Black, which researchers identified as utilizing code reuse from BlackMatter’s ransomware, and VX-Underground just reported yesterday that Lockbit is now using a new version, LockBit Green, based off of the leaked Conti source code. Lockbit also doesn’t have full authority over where their ransomware gets deployed. They utilize an affiliate model. Affiliates of LockBit perform the network intrusions, usually opportunistically, and only get paid if they successfully deploy ransomware at an organization that then pays up. The Ion and Royal mail attacks may have been performed by different affiliates– this means security teams must stay vigilant for actors who may be working on behalf of these groups.”
The group may nevertheless be approaching the end of its useful life as a brand, however, if only because it managed to outlast other major names that have either fallen to law enforcement operations or disbanded in the face of sanctions and threats of serious investigations. The group has already experienced a setback similar to rival Conti, in that an apparent internal schism led to a member leaking the code for its then-new LockBit 3.0 ransomware in September 2022. It also drew an unusual amount of media attention (and international government scrutiny) when it participated in an attack on the UK’s Royal Mail service in January that disrupted international deliveries for about a week. The group’s current extortion list has about 50 entries, and several are in the United States where the Department of Justice has revealed that it has been under investigation for over two years and that an alleged affiliate was captured in Canada in November.