ION Trading reportedly pays LockBit ransom demands following worldwide disruption

Ransomware mockup with dark red colour scheme, a lock denoting encryption, and binary code set in the backdrop
(Image credit: Getty Images)

UK software firm ION Trading has been removed from LockBit’s leak site after it reportedly paid a ransom to recover its files and systems from a ransomware attack.

The public-facing spokesperson for the LockBit ransomware as a service (RaaS) operation told various reporters that the ransom was paid a day before its data was due to be leaked publicly.

Details surrounding the negotiation and the ransom’s sum remain unknown.

The spokesperson reportedly told Reuters that the ransom was paid by a "very rich unknown philanthropist".

ION Trading UK was originally listed on LockBit's leak site but its information has since been removed. The practice often indicates the victim paid the ransom since there is no need for the cyber criminals to apply public pressure to the victim, encouraging them to pay the ransom demands.

LockBit is the leading ransomware organisation in the world with the most successful attacks confirmed in 2022.

It operates on a double extortion model that involves stealing a victim’s data before encrypting their files. This is so it has leverage during negotiations, forcing the victim to pay the ransom.

IT Pro has contacted both ION Trading UK and the National Cyber Security Centre (NCSC) for comment.

LockBit’s ransomware attack on ION Trading UK

It was first reported that ION Trading - a key software supplier to many of the world’s top financial institutions, including some in the City of London - suffered a cyber attack within its cleared derivatives division on 31 January 2023.

The attack left derivatives traders having to complete various parts of the trading process manually - a rare practice that hasn’t been regularly exercised in decades.

On 2 February, the LockBit ransomware group posted the company to its deep web-based leak site along with a trademark countdown timer due to end on 4 February.

Messages to clients from banks worldwide, seen by Reuters, suggested that ABN Amro Clearing and Intesa Sanpaolo were among those affected.

The London Metal Exchange also told the Financial Times that some of its members relied on ION’s software and the incident was disrupting various services.

A day earlier, the Futures Industry Association (FIA) confirmed that the incident was affecting ION’s clients “across global markets”.

RELATED RESOURCE

An EDR buyer's guide

How to pick the best endpoint detection and response solution for your business

FREE DOWNLOAD

Bloomberg TV reported that in some institutions, programmers were being tasked with rewriting applications in the hope that they could re-enable automated trading while the LockBit-compromised computers were down.

“The cyber attack on the ION Group demonstrates how attackers can use the supply chain to cripple entire industries,” said Ian McShane, vice president at Arctic Wolf.

“By targeting one crucial company at the heart of the network, criminals could have paralysed operations at numerous London financial firms.

“It’s also another demonstration, if that was needed, the need for vendor accountability and ensuring that your supply chain risk is limited or managed appropriately.”

The financial services sector was found to be the most-targeted industry by cyber attacks over the course of 2022.

More than a quarter (28%) of all attacks targeted finance organisations, according to research from Imperva.

LockBit was also behind the attack that heavily disrupted Royal Mail’s international shipping business.

Very few details of the incident have been made public but the NCSC and National Crime Agency are both involved in the investigation.

Originally, LockBit publicly denied the attack although security experts cast doubt on this, given the similarities between the attack on Royal Mail and those relating to the attack on a french Hospital in December 2022.

The RaaS group later confirmed one of its affiliates carried out the attack after finding an advert online.

The ransomware payment dilemma

The NCSC’s official stance on paying ransom demands is to not do so. This is its longstanding view that was reaffirmed in July 2022.

Lats summer, it became aware of a rise in victims paying ransom demands in return for fast recovery of their compromised systems.

A call to solicitors was issued jointly by the NCSC and Information Commissioner’s Office (ICO) to discourage legal counsel from sanctioning payments to cyber criminals.

Instead, lawyers were advised to point their clients towards publicly available advice and promote any necessary changes that would improve their cyber security resilience.

The reason why ransomware has become such a successful business model over the past decade is that the cyber criminals adopting the method almost always win, no matter the scenario’s outcome.

There are two common outcomes of a ransomware attack. The first sees a victim paying the criminals to decrypt their files, and the second sees a victim refusing to pay, restoring systems from backups.

With the hugely popular, more modern double extortion model, ransomware operators often successfully mitigate the latter of these outcomes by first stealing data before encrypting files.

This data is then held for ransom and used as leverage in payment negotiations. Victims are rarely willing to let their clients’ sensitive data, for example, be leaked into the public domain so the incentive to pay is increased.

The double extortion model also presents a win-win scenario for the cyber criminals. If the victim pays, then the criminals are paid for their efforts - the ideal outcome for them.

If the victim refuses to pay, that refusal is public - the criminals gain notoriety because their threats to leak data were genuine, providing a more visceral threat to future victims - one that’s more likely to lead to a payment being made.

The situation is more nuanced when industries critical to the upkeep of the domestic or worldwide economy, for example, are attacked.

Colonial Pipeline’s incident is an example of when a payment was made because, on balance, it was worth paying for the decryptor due to the immense degree of disruption the attack caused.

The fuel shortage that hit the east coast of the US was deemed a situation so severe that it was worth abandoning cyber security best practices - guidance that has always discouraged paying ransomware criminals.

Paying cyber criminals directly funds crime and incentivises the criminals behind it to continue pursuing the method because it works.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.