conorcrowe - stock.adobe.com

Suspected LockBit ransomware attack causes havoc in City of London

A suspected LockBit ransomware attack on trading software firm Ion has caused chaos for City of London traders

A ransomware attack on trading software supplier Ion Group – potentially the work of the infamous LockBit cartel – has caused chaos for City of London traders, leaving them unable to perform key duties.

Ion is a critical component of the UK’s financial system, with its software playing a vital role in the trading of debt, derivatives and shares around the world.

According to the Telegraph, the incident has affected more than 40 clients, with some forced to resort to pen and paper to process their trades.

The incident has caused additional stress coming at the end of the first calendar month of the year, when many traders would have been busy putting together end-of-month reports.

In a brief statement, Ion confirmed that a cyber attack had taken place, but offered no further details.

A spokesperson said: “Ion Cleared Derivatives, a division of Ion Markets, experienced a cyber security event commencing on 31 January 2023 that has affected some of its services.

“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.”

At the time of writing, the involvement of LockBit has not been officially confirmed, merely alleged. There are also suggestions that the incident may have begun via the exploitation of vulnerabilities in VMware servers, again unconfirmed.

Rebecca Moody, head of data research at Comparitech, commented: “At the moment, there are two key concerns here. Firstly, is the impact the downtime will have across a multitude of organisations around the world. As we’ve seen with the recent Royal Mail attack, disruptions are still ongoing over two weeks later.

“Secondly, is the high risk of sensitive data being leaked by the hackers. While ransomware attacks used to focus on encryption tactics, the majority are now stealing data as well. Ion Group has said the attack is ‘contained to a specific environment’, so we will have to hope they are able to minimise the impact of the attack and that no key data has been stolen.”

According to analysis of incident data collated by the UK Information Commissioner’s Office (ICO) and analysed by CybSafe, the financial services and insurance sector accounted for 12% of total cyber attacks in the 2021-22 financial year.

“More notably,” said CybSafe founder and CEO Oz Alashe, “the number of ransomware attacks has increased by 12% to represent 35% of all cyber attacks within the sector. The frequency of these attacks is, unfortunately, a trend likely to continue in 2023.”

Ransomware resurgence

Indeed, after something of a slowdown towards the end of 2022, ransomware attacks now appear to be on the up again early in 2023, a trend that is not in and of itself out of the ordinary, as operators are well-known to take frequent breaks to regroup, retool, and even go on holiday.

LockBit itself has remained a highly prolific actor, accounting for a significant percentage of all disclosed ransomware incidents in supplier reporting metrics. It is currently suspected of being behind the January 2023 attack on Royal Mail, an incident that is still ongoing.

Read more about ransomware in 2023

  • Guardian Media Group bosses confirm the 20 December cyber attack that left staff locked out of its London office and disrupted several key systems was an untargeted ransomware attack.
  • The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.
  • A ransomware attack on Yum! Brands, the parent organisation of restaurants including KFC and Pizza Hut, was forced to shut approximately 300 outlets in the UK following a ransomware attack by an unspecified group.

Read more on Hackers and cybercrime prevention