ION Removed From Hacker’s Target List and Deadline for Ransom Suspended

Ryan Gallagher and Margi Murphy, Bloomberg News

(Bloomberg) -- The hacking group behind the attack on ION Trading UK — the software firm that was struck by a cyberattack earlier this week, upending derivatives trading around the world — says a ransom has been paid.

The announcement came a day before the group, called LockBit, threatened to release stolen files from ION unless the extortion payment was made. An ION representative declined to comment.

A representative for the group told Bloomberg News that the ransom was paid and that the gang provided a decryption key to unlock the compromised computers.

The representative didn’t identify who paid the money or the amount that was paid.

Earlier Friday, the timer that LockBit had posted on its website, counting down to a Feb. 4 deadline by which it was demanding ransom from Ion, had been “stopped,” the site showed.

The FBI declined to comment about LockBit’s claim that the ransom was paid.

Ransomware is a type of cyberattack in which a victim’s files are encrypted, in lieu of a ransom payment to unlock them. Many ransomware operators also steal files first and then threaten to release them on their dark web pages, or leak sites, if a ransom isn’t paid.

“Typically, ransomware groups use leak sites to put pressure on the victims to pay,” said Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks Inc.“Sometimes, the brand reputation risk is enough to coerce the victims to pay the ransom and remove their listing off the leaksite. More often than not, once an organization pays the ransom, they’re removed from the leak site.”

However, Whitmore said there can be other reasons why hackers change their minds and pull down companies from leak sites.

Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, said many hackers go through “levels of pressure” with victim organizations.

“In many circumstances, there are the initial conversations where they prove they have your data, and then threaten to post it to their leak site,” he said. “Before fully posting the victim’s data to the leak site, they will first post their name only. In this circumstance, if the client then paid the ransom payment, their name would be removed from the site and nothing further would likely be posted.

“Similarly, if the name and data were posted and then the ransom was paid, their name and information would be removed from the site,” Schmitt said.

But he added, “It’s more or less impossible for us to determine the exact reason why something would be taken down from their site.”

LockBit is among the most prolific ransomware gangs, and its malware was used in attacks against the UK’s Royal Mail in January, shuttering its ability to send international letters and parcels. LockBit has been active since at least January 2020 and has hacked as many as 1,000 victims globally, extorting at least $100 million in ransom demands, according to the US Justice Department.

The attack on ION Trading began early Tuesday and affected 42 of its clients and ultimately forced some European and US banks and brokers to process some trades manually. The FBI is seeking information about the attack and has reached out to ION executives, according to people familiar with the matter.

Like ION, Bloomberg LP, the parent company of Bloomberg News, provides financial institutions with execution management solutions, connectivity to electronic markets and trading tools.

--With assistance from William Turton and Katherine Doherty.

(Adds no comment from FBI in sixth paragraph.)