
LockBit gang confirms Ion cyber attack as disruption continues

The LockBit ransomware cartel has taken responsibility for this week’s attack on financial software firm Ion, and is threatening to leak stolen data on Saturday 4 February

The LockBit ransomware cartel has confirmed it is behind the cyber attack on financial software supplier Ion Group, which has caused chaos in the City of London and left multiple clients, including the likes of ABN Amro and Intesa Sanpaolo, locked out of critical applications.

In a note posted to LockBit’s dark web leak site, shared with Computer Weekly by sister title LeMagIT, the gang said it would publish all available data obtained from Ion on Saturday 4 February at 7:25am.

The LockBit ransomware cartel threatens to leak Ion Group's data on Saturday 4 February unless paid.

Ion itself has made no further comment on the attack. In its initial statement the organisation said: “The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.”

However, according to Reuters, sources with knowledge of the situation said the issues affecting traders at Ion’s various clients could take up to five days to fix, with knock-on effects on financial markets likely.

One major immediate impact has been in the US, where the regulator, the Commodity Futures Trading Commission (CFTC), said that the disruption was affecting some of its members’ ability to provide it with timely and accurate data.

“As this incident unfolded, it became clear that the submission of data that is required by registrants will be delayed until the trading issues are resolved. As a result, the weekly Commitments of Traders report that is produced by CFTC staff will be delayed until all trades can be reported. A report will be published upon receipt and validation of data from those firms,” it said.

The CFTC added that many reporting firms affected by the ransomware attack do not have enough information to fully prepare daily trading reports required by law – they are therefore to use “best estimates” in preparing them, and to file revised reports once services resume.

Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre, commented: “Software is the critical infrastructure for all other critical infrastructure. The attack on Ion illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software. 

“Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code and configurations in a ceaseless quest to locate and mitigate vulnerabilities. 

“When an incident occurs, such as the Ion attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future,” he added.

New options for LockBit affiliates

Meanwhile, earlier this week, the operators of the LockBit franchise expanded the range of ransomware available to their affiliates.

In a screenshot of the group’s affiliate interface, shared on Twitter by vx-underground, LockBit highlights one option for Linux/ESXi systems and three for Windows systems: LockBit Red, also known as LockBit 2.0; LockBit Black, believed to be derived from BlackMatter code; and the new LockBit Green.

A LockBit operator told vx-underground that the source code for LockBit Green – samples of which have already been seen in the wild – was based on that of its antecedent Conti.

Conti notably ended its operations after initially declaring its support for the Russian government in its war on Ukraine, prompting a revolt among gang members, one of whom leaked Conti’s data, including its source code.

The operator claimed they wanted to become the “top gang in the world” and eliminate their competition. They hinted that they are working on other additions to LockBit’s ransomware locker line-up.

Read more about ransomware in 2023

  • Guardian Media Group bosses confirm the 20 December cyber attack that left staff locked out of its London office and disrupted several key systems was an untargeted ransomware attack.
  • The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.
  • Yum! Brands, the parent organisation of restaurants including KFC and Pizza Hut, was forced to shut approximately 300 outlets in the UK following a ransomware attack by an unspecified group.
