LockBit ransomware gang, the hackers who carried out the breach at financial data firm ION Group, has claimed that a ransom has been paid, but declined to provide details about the amount or any proof of payment, reported Reuters.
ION Group declined to comment on the matter, the report said.
LockBit informed Reuters reporter Raphael Satter through its online chat about the payment status, but did not say who paid the ransom, only stating it was from a “very rich unknown philanthropist.”
The LockBit representative said no further details would be provided. The FBI did not respond to a request for comment, and the National Cyber Security Agency, part of Britain’s GCHQ, had no comment.
The ransomware attack on ION Group caused disruptions to trading and clearing of financial derivatives, affecting several brokers, according to sources. Affected clients included ABN Amro Clearing and Intesa Sanpaolo, said the report.
ABN informed clients of technical disruptions due to ION Group and that some applications would be unavailable for several days, said the report.
ION, LockBit, and ransom payment
ION Group was in the news recently when it acquired has agreed to sell Acuris, the owner of financial information service Mergermarket, for £1.35bn from private equity group BC Partners.
The purchase of Acuris expanded ION Group’s presence in the financial software and data business by adding trading and cash management tools, data, and analytics for capital markets.
ION Group’s name was removed from its extortion website on 3 February, which is a sign that a ransom may have been paid, according to experts.
“All stolen ION information removed and decryptors provides,” a LockBit ransomware gang member under the alias LockBitSupp told Reuters reporter Raphael Satter in a private chat. Satter shared the details on his website.
However, there is a chance that the ransomware gang changed their mind or did not proceed with the extortion for other reasons, said the report.
Security researchers have been advising against paying ransom, as it may not necessarily speed up the clean-up process.
“It is downright illegal in a lot of regions. You are essentially funding criminals when you pay ransom,” Andy Norton, European Cyber Risk Officer at Armis, told The Cyber Express earlier.
“Trusting the criminal for not making that public is a bit naive. But I have seen people justify making ransom payments, because it’s the quickest way to restore life-saving or critical services.”
Ransomware encrypts company data and demands payoffs for decryption keys. Even if the keys are handed over, it may still take time to undo the damage to the digital infrastructure.
LockBit ransomware gang: mode of operation
LockBit 3.0, also known as LockBit Black, is the latest strain of ransomware from the LockBit family, first discovered in September 2019. It targets organizations that can afford large ransom payments and has the ability to self-spread.
This new version, discovered in late 2022, uses encryption to exfiltrate files on infected devices and demands a ransom for their return. A report by Sophos shows that this version has retained most of its functionality from LockBit 2.0, but has added new behaviors that make it harder to analyze.
In some cases, LockBit 3.0 requires the affiliate to use a 32-character password when launching the ransomware binary. The typical attack process involves infecting the device, encrypting files, deleting certain services, and changing the wallpaper.
If the ransom is not paid, the data may be sold on the dark web. LockBit 3.0 is known for exploiting Windows Defender to deploy Cobalt Strike, a penetration testing tool, and causing a chain of malware infections.
LockBit operates as a Ransomware-as-a-Service (RaaS) model, working with affiliates who may not have the resources to create and deploy attacks. In this case, a portion of the ransom goes back to the affiliated hacker, according to a December 2022 alert by the U.S. Department of Health & Human Services.