ION ransom has been paid, says LockBit

Money came from a "philanthropist"

LockBit hackers say ransom demanded from ION has been paid

The LockBit ransomware group, which claimed responsibility for last week's attack on financial software business ION Trading UK, says it has received the ransom it demanded.

A representative for the gang told Reuters that it has now delivered a decryption key to ION to unlock the infected machines.

The hackers did not specify the amount or provide any evidence that the money had been transferred. They also refused to divulge who paid the money, but did say it came from a "very rich unknown philanthropist."

LockBit had threatened to publish material stolen from ION if the extortion payment was not made by 4th February.

In its initial statement on the cyberattack, ION said, "The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available."

ION Group offers software and services for financial trading and workflow automation.

There were already indications that LockBit and ION had reached a deal over the stolen data. On Friday, LockBit removed the company's name from the extortion website it uses to name and shame victims in an attempt to force a settlement. According to experts, this is often a sign that a ransom has been paid.

The FBI did not respond to LockBit's claim that it has received the ransom.

The ransomware attack on ION has impacted trading and clearance of exchange-traded financial derivatives, causing issues for a number of brokers. According to Reuters, ABN Amro Clearing and Intesa Sanpaolo, Italy's largest bank, were among the many ION customers whose operations have been impacted.

On Wednesday, ABN informed customers that some applications were down and were expected to remain so for several days due to a "technical interruption."

US regulator Commodity Futures Trading Commission (CFTC) said the incident was impacting some of its members' capacity to provide timely and accurate data.

"As this incident unfolded, it became clear that the submission of data that is required by registrants will be delayed until the trading issues are resolved. As a result, the weekly Commitments of Traders report that is produced by CFTC staff will be delayed until all trades can be reported. A report will be published upon receipt and validation of data from those firms."

While ION has refused to comment on the hackers' claim, cybersecurity experts warn that paying a ransom is not a magic solution to restore systems. Rather, the recovery could take several days or even months.

Ransomware has emerged as one of the most costly and disruptive issues for companies worldwide in recent years. As well as encrypting a victim's data and demanding a ransom payment to unlock it, many ransomware groups also exfiltrate data and threaten to publish it online as an extra incentive to pay up.

Russia-linked LockBit is one of the most active ransomware groups. It has been linked to the recent Royal Mail attack, as well as past attacks on hospitals, municipal governments and the port of Lisbon.

LockBit's extortion website alone listed 54 victims as of late Friday, including a television station in California, a school in Brooklyn and a community in Michigan.