LockBit ransomware targets City of London
Target Industry
Finance.
Overview
Trading in the City of London has been impacted by a ransomware attack on ION Cleared Derivatives, producers of trading software. ION Group says 42 of their clients have been impacted by a “cybersecurity event” on their systems. The LockBit ransomware blog lists ION software as a recent victim.
Impact
The Futures Industry Association (FIA), a trade body, has said it is still assessing the full impact, but the attack has already disrupted the trading and clearing of exchange-traded derivatives. A source told Reuters that the attack has put some brokers in a difficult position and that the problem could take another five days to fix. Another described it to The Telegraph as a “major incident” that “would take out most of the City if it were to escalate”. LockBit is a “double extortion” gang: it steals data for blackmail in addition to disrupting operations. Stolen data belonging to ION’s customers could therefore be published or abused to gain further access.
Statement
The company published a statement: “ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.”
Threat Group
LockBit is one of the most prominent ransomware groups. Russian-speaking and active during UTC+3 (Moscow time) office hours, the group is believed to be based in Russia with some degree of state approval. It operates a Ransomware-as-a-Service (RaaS) model, recruiting affiliates who use LockBit’s infrastructure to carry out attacks they would otherwise lack the capability to conduct, in exchange for a share of the ransom. In 2022, LockBit was responsible for approximately 40% of ransomware-related data leaks against financial institutions.
Threat Landscape
The financial sector is a valuable target for criminal networks because of the vast amounts of sensitive data that can be abused for financial gain. Nation-states may also conduct attacks to disrupt critical economic services. The Russian state would have a motive to conduct an attack like this in retaliation for sanctions; however, there is no public evidence linking it to this attack. Another ransomware group, Corp Leaks, is known to concentrate its activity on the financial sector. Most notably, the group targeted Cottonwood Financial Inc. as recently as September 2022, demanding a $1.5 million ransom for stolen data.
Mitre Methodologies
T1005 – Data from Local System
T1021.001 – Remote Services: Remote Desktop Protocol
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.007 – Command and Scripting Interpreter: JavaScript
T1078 – Valid Accounts
T1082 – System Information Discovery
T1098 – Account Manipulation
T1105 – Ingress Tool Transfer
T1133 – External Remote Services
T1140 – Deobfuscate/Decode Files or Information
T1190 – Exploit Public-Facing Application
T1195 – Supply Chain Compromise
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1497 – Virtualisation/Sandbox Evasion
T1498 – Denial of Service
T1498.001 – Denial of Service: Direct Network Flood
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1587.002 – Develop Capabilities: Code Signing Certificates
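The technique list above is most useful to defenders once it is mapped against existing detection coverage. The following Python script is an added example and is not part of the original advisory: it parses a pasted copy of the "Mitre Methodologies" list (tolerating the inconsistent spacing around the dash seen in some entries), groups sub-techniques under their parent technique, and emits an ATT&CK Navigator layer that highlights every listed technique. The ATT&CK and Navigator version numbers in the layer are assumptions and should be set to the releases you actually use; the technique IDs and names are those on the page.

```python
import json
import re
from typing import Dict, List

# Constructed copy of the advisory's "Mitre Methodologies" list. The IDs and
# names are the ones on the page; two entries deliberately keep the missing
# space before the dash so the parser is exercised on that variation.
ADVISORY_TTPS = """\
T1005 – Data from Local System
T1021.001 – Remote Services: Remote Desktop Protocol
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.007 – Command and Scripting Interpreter: JavaScript
T1078 – Valid Accounts
T1082 – System Information Discovery
T1098 – Account Manipulation
T1105 – Ingress Tool Transfer
T1133 – External Remote Services
T1140 – Deobfuscate/Decode Files or Information
T1190 – Exploit Public-Facing Application
T1195 – Supply Chain Compromise
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1497 – Virtualisation/Sandbox Evasion
T1498– Denial of Service
T1498.001 – Denial of Service: Direct Network Flood
T1574.002– Hijack Execution Flow: DLL Side-Loading
T1587.002 – Develop Capabilities: Code Signing Certificates
"""

# One entry: an ATT&CK ID (optionally with a .NNN sub-technique suffix), an en
# dash or hyphen with optional whitespace on either side, then the name.
LINE_RE = re.compile(r"^\s*(T\d{4}(?:\.\d{3})?)\s*[–-]\s*(.+?)\s*$")


def parse_ttps(text: str) -> List[Dict[str, str]]:
    """Parse 'TXXXX – Name' lines into records; reject anything that does not match."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # skip blank lines from copy/paste
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: not an ATT&CK technique entry: {raw!r}")
        tid, name = m.groups()
        records.append({"id": tid, "parent": tid.split(".")[0], "name": name})
    return records


def parents_with_subtechniques(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {parent_id: [sub_technique_ids]} for every sub-technique listed."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if "." in r["id"]:
            out.setdefault(r["parent"], []).append(r["id"])
    return out


def to_navigator_layer(records: List[Dict[str, str]], layer_name: str, comment: str) -> dict:
    """Build an ATT&CK Navigator layer dict that scores each listed technique 1.

    A parent technique is included only when the advisory lists it explicitly,
    so the coverage map stays faithful to the source. The version numbers are
    an assumption: set them to the ATT&CK/Navigator release you use.
    """
    seen = set()
    techniques = []
    for r in records:
        if r["id"] in seen:
            continue  # tolerate duplicate lines in a pasted advisory
        seen.add(r["id"])
        techniques.append({
            "techniqueID": r["id"],
            "score": 1,
            "comment": comment,
            "enabled": True,
        })
    return {
        "name": layer_name,
        "domain": "enterprise-attack",
        "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},  # assumed
        "description": comment,
        "techniques": techniques,
    }


if __name__ == "__main__":
    recs = parse_ttps(ADVISORY_TTPS)
    layer = to_navigator_layer(recs, "LockBit - ION advisory", "TTPs listed in the advisory")
    print(json.dumps(layer, indent=2))
    print(parents_with_subtechniques(recs))
```

Loading the printed JSON into ATT&CK Navigator and overlaying it on a layer of your own detection coverage shows at a glance which of the listed techniques (for example T1489 Service Stop or T1059.001 PowerShell) have no corresponding detection yet.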
Further Information
Cleared Derivatives Cyber Event