LockBit gang confirms Ion cyber attack as disruption continues
The LockBit ransomware cartel has confirmed it is behind the cyber attack on financial software supplier Ion Group, which has caused chaos in the City of London and left multiple clients, including the likes of ABN Amro and Intesa Sanpaolo, locked out of critical applications.
In a note posted to LockBit’s dark web leak site, shared with Computer Weekly by sister title LeMagIT, the gang said it would publish all available data obtained from Ion on Saturday 4 February at 7:25am.
Ion itself has made no further comment on the attack. In its initial statement the organisation said: “The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.”
However, according to Reuters, sources with knowledge of the situation said the issues affecting traders at Ion’s various clients could take up to five days to fix, with knock-on effects on financial markets likely.
One major immediate impact has been in the US, where regulator Commodity Futures Trading Commission (CFTC) said that the disruption was affecting some of its members’ ability to provide it with timely and accurate data.
“As this incident unfolded, it became clear that the submission of data that is required by registrants will be delayed until the trading issues are resolved. As a result, the weekly Commitments of Traders report that is produced by CFTC staff will be delayed until all trades can be reported. A report will be published upon receipt and validation of data from those firms,” it said.
The CFTC added that many reporting firms affected by the ransomware attack do not have enough information to fully prepare daily trading reports required by law – they are therefore to use “best estimates” in preparing them, and to file revised reports once services resume.
Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre, commented: “Software is the critical infrastructure for all other critical infrastructure. The attack on Ion illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software.
“Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code and configurations in a ceaseless quest to locate and mitigate vulnerabilities.
“When an incident occurs, such as the Ion attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future,” he added.
New options for LockBit affiliates
Meanwhile, earlier this week, the operators of the LockBit franchise expanded the range of ransomware available to their affiliates.
In a screenshot of the group’s affiliate interface, shared on Twitter by vx-underground, LockBit highlights one option for Linux/ESXI systems, and three for Windows systems, LockBit Red, also known as LockBit 2.0; LockBit Black, believed to be derived from BlackMatter code; and the new LockBit Green.
A LockBit operator told vx-underground that the source code for LockBit Green – samples of which have already been seen in the wild – was based on that of its antecedent Conti.
Conti notably ended its operations after initially declaring its support for the Russian government in its war on Ukraine, prompting a revolt among gang members, one of whom leaked Conti’s data, including its source code.
The operator claimed they wanted to become the “top gang in the world” and eliminate their competition. They hinted that they are working on other additions to LockBit’s ransomware locker line-up.