A ransomware attack on software firm ION Trading UK that affected 42 clients and sent ripples through markets has forced numerous European and US banks and brokers to process derivatives trades manually.
“ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing” the company said.
Russian ransomware gang LockBit is responsible for the attack, according to correspondence from ION seen by Bloomberg that has been confirmed by company representatives. ION has told customers it expects to be back up and running within two to three days – a sign either that it is paying the ransom rapidly or is confident in its ability to rebuild the affected servers and restore from clean backups without further incident.
(The UK NCA’s National Cyber Crime Unit says that ransomware has evolved from a niche cyber crime problem to a national security issue “in a short period of time” with the Cabinet Office adding this week in a submission to MPs that “The key to combating ransomware is better cyber resilience. [Poor] cyber hygiene… is the cause of the vast majority of cyber attacks. People and organisations are not getting the basics right – poor configuration of devices and networks, poor patching of software, default passwords, and weak passwords.”)
ION ransomware attack: No visibility into initial vector yet
ION Trading UK has yet to share any indicators of compromise (IOCs) publicly. LockBit, like most threat actors, typically takes a number of routes -- and the one of least resistence -- to breach an organisation and install the ransomware payload, including phishing emails, brute-forcing an organization’s intranet servers and network systems or exploiting unpatched software that contains security vulnerabilities. The ransomware group has also previously boasted of users insiders to attack systems, including in a 2021 attack on consultancy Accenture.
The ION ransomware attack is a stark reminder of the persistence of the ransomware threat. Written evidence from scores of organisations and companies submitted to Parliament’s joint committee on National Security Strategy and published this week drove home the extent of the ongoing risk posed by such malware.
They also shared important lessons. Systems integrator DXC for example wrote of “the lived experience of our own ransomware attack in 2020, and by the lessons we have learned to keep our supply chain protected.”
(After a ransomware attack on July 4, 2020 on a subsidiary of DXC, Xchanging, the company was able to “fully clean and restore the impacted environment” over a single weekend: “Critical to our success was our early engagement of the appropriate authorities and of our customers” DXC said in its written submission.)
Ransomware lessons from the "lived experience" of an attack
It added: “Too often, companies suffer ransomware attacks and engage with the attackers whilst withholding the fact from the authorities and their customer base. Legal counsel often advises this caution. Transparency is vital for creating trust for the wider supply chain and ensures that other companies can learn best practice…”
DXC President of Security, Mark Hughes, wrote a blog shortly after the incident outlining five key lessons:
- "Know your infrastructure. Ensure all networks and firewalls have enterprise security tools in place to detect malicious behaviour. We were attacked using “Cobaltstrike”, a publicly available security testing tool. Knowing our infrastructure ensured that we were able to quickly detect when something was not right and identify where the network was compromised.
- Involve senior leadership from the outset. We are an international company, spread across over 70 countries. To take rapid action, we would need to deploy staff in both the United Kingdom and India and engaging leadership teams was naturally critical. Good and tested governance, accountability, and clarity was essential, and our CEO, Mike Salvino, and Mark Hughes were involved at all appropriate steps.
- Engage authorities and experts early. The attack took place on a holiday weekend (Independence Day). We had identified that the ransomware threat actor was utilising website domains in the United States to facilitate the attack. Good relationships ensured that we were able to contact law enforcement officials working on the holiday weekend, and we obtained a court order to take control of the attackers’ internet domains by that evening.
- Gain leverage and do not pay. Our attackers wanted to negotiate; often, they will ask for money upfront in difficult to trace payments (cryptocurrency). We identified our strengths early: we knew we had stopped the attack; we knew they did not have our data, and we knew we had backups.
- Be transparent. Openness is good practice. We shared details of the attack with hundreds of customers worldwide as well as several authorities in different jurisdictions. Medium to long-term, this has ensured that we continue to be regarded as a trustworthy and sincere company. In the short-term, it enabled us to move openly. An attack over a weekend is problematic; over a holiday weekend and it could have been critical. At the time, the average ransomware attack takes down critical systems for 16 days. Our transparency enabled us to move quickly, and it was resolved in time for markets to open on Monday."
Amid ongoing debate about whether paying ransoms should be criminalised however -- with government bodies like the ICO warning that paying ransoms supports cybercrime and does not mitigate risk -- Global law firm Norton Rose Fulbright LLP this week told Parliament in strikingly blunt testimony that “our experience, which is reflected in published research, suggests that payment of ransom does in the majority of cases prevent publication of data stolen by third parties, and often leads to stolen data being removed from third-party hands.
“It also usually leads to the provision of decryption keys which can be used to restore encrypted data where necessary (most notably, where backups are unavailable). This in turn mitigates risk to individuals whose data would otherwise have been published, sold or otherwise made available to potentially malicious third parties, or whose data would have remained inaccessible for the use of decryption keys” the lawfirm said.
It added in response to warnings over the summer from the UK Information Commissioner’s Officer (ICO) that paying a ransom does not reduce or mitigate risk that “While it is not our role to encourage, endorse or condone the payment of ransom, we feel it is incumbent on us to ask that point be corrected by the ICO so that all stakeholders are provided with an evidence-based understanding of the competing risk considerations relating to the payment of ransom and the protection of individuals impacted by personal data breaches.”