Ion Markets, a financial data group crucial to the financial plumbing underlying the derivatives trading industry, has fallen prey to the cybercrime group Lockbit.
The company has revealed that 42 clients have been affected by the attack, which has caused major disruption in its cleared derivatives division.
Reports suggest that some clients have been unable to contact Ion by phone since Tuesday, with some travelling to the company’s office at St Paul’s to seek more information.
“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing,” according to a post on Ion’s website.
It’s understood that the incident has impacted other trade processing systems, even forcing some companies to process trades manually.
Lockbit has been especially active recently, claiming responsibility for the attack on Royal Mail last month, which forced the company to suspend international postal deliveries.
The cybercriminal group has reportedly used its signature ransomware, which encrypts files and issues a ransom note, typically demanding payment in cryptocurrency before the decryption key is provided.
Expert Insight:
Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre:
“Software is the critical infrastructure for all other critical infrastructure. The attack on Ion Markets illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software.
Software is a powerful tool for productivity but must be managed properly. In particular, security must be a top priority in all phases of software, from its conception through to its deployment. This applies equally to builders and buyers. Builders must include security at every phase of their software development life cycle, using a combination of expert analysis and automated testing to flush out as many vulnerabilities as possible before software is put into production use. Buyers, similarly, should carefully evaluate the security practices of their vendors, then apply meticulous and repeatable processes for configuring, deploying, and operating the software they acquire.
Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code, and configurations in a ceaseless quest to locate and mitigate vulnerabilities. When an incident occurs, such as the Ion Markets attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future.”
Sam Curry, chief security officer at Cybereason:
“While specific details are scant at this time, with dozens of Ion’s customers potentially impacted by this latest shameless ransomware attack, you can’t just snap your fingers and restore disrupted services. Let me be clear that LockBit is a criminal organisation and their brazen attack raises their profile and spreads more fear, uncertainty and doubt across many industries. In time, we will learn if a ransom demand was issued and paid, or whether Ion refused to negotiate with this criminal organisation.
Organisations can’t pay their way out of ransomware, and those that do only embolden the criminals to launch future attacks. For Ion and other organisations that improve their network resiliency, the cyber criminals will quickly move onto softer targets because they are looking for the path of least resistance. Most gangs want to maintain a low profile and avoid being caught in the cross hairs of law enforcement agencies. In general, companies should prepare for ransomware attacks in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. Practise good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team and all the way to the Executive Suite.”
Jamie Cameron, security consultant at Adarma:
“Money is the biggest motivator for cyber threat groups like Lockbit, who are becoming ever more sophisticated in their attacks, which is why financial organisations need to be hyper focused on building their cyber resilience. It’s important they are aware that Lockbit is currently in a state of flux, and that previous defences against Lockbit’s signature ransomware are no longer applicable. Lockbit is evolving and it’s vital that businesses update their defences accordingly.
We’ve observed that Lockbit have been bringing in developers from the BlackMatter ransomware group to write a new version of their software (Lockbit Black), which is now free on the open market due to a leak from a disgruntled developer over a pay dispute. Most recently, Lockbit has had a developer, believed to be from the now defunct Conti group, write new malware, known as Lockbit Green, or they’ve utilised the leaked toolset from the two prominent Conti leaks of last year to develop this new variant.
Lockbit have been launching attacks using both the original version of their ransomware and Lockbit Black and we see no reason why they wouldn’t throw Lockbit Green into the mix. Organisations should be aware of this due to how prolific the group are.”
Ziv Dines, CTO, Cyber at Armis:
“The majority of organisations see PII, critical infrastructure and operational downtime as the most at risk in the event of a cyberwarfare attack, and Lockbit’s recent activity encompasses all three. It’s clear from attacks on critical services such as the Royal Mail and ION Group, a major supplier of services to the financial system, that criminals are gathering pace.
The affected company confirmed the incident has been contained to a specific environment, but the operational inefficiencies caused by having to switch to manual processes introduce a significant amount of risk in both the short and long term. Organisations should be on high alert, making sure they have oversight of their internal systems and any assets that may be connected to them in order to spot and remediate anomalies quickly.”
Jamie Akhtar, CEO and co-founder of CyberSmart:
“This incident and its attribution demonstrate that we aren’t dealing with run-of-the-mill cybercriminals or threats. Instead, this looks like a calculated attack on the very infrastructure that supports the UK’s financial system. What’s more, it’s a signal that the ‘cyber cold war’ being conducted as part of the conflict in Ukraine has begun to heat up.
We’ve been seeing a pattern of escalation in these attacks over the past few months, so we urge all businesses, even SMEs, to be as vigilant as possible in updating and patching software, employing good cyber hygiene, and treating anything unusual with suspicion.”
Javvad Malik, lead security awareness advocate at KnowBe4:
“This is a reminder not only of 3rd party and supply chain risks, but also that many times large, well known organisations will invest heavily in cyber security. But there are many smaller organisations in the chain which are critical to day to day operations.
It’s why conducting thorough risk assessments is important – to identify what business processes are important so that the appropriate controls and resilience can be built into the system.”