LockBit ransomware targets City of London

Target Industry

Finance.

Overview

Trading in the City of London has been disrupted by a ransomware attack on ION Cleared Derivatives, a producer of trading software. ION Group says 42 of its clients have been affected by a “cybersecurity event” on its systems. The LockBit ransomware leak blog lists ION as a recent victim.

Impact

The Futures Industry Association (FIA), a trade body, has said it is still assessing the full impact, but the attack has already disrupted the trading and clearing of exchange-traded derivatives. A source told Reuters that the attack has put some brokers in a difficult situation and that the problem could take another five days to fix. Another described it to The Telegraph as a “major incident” that “would take out most of the City if it were to escalate”. LockBit is a “double extortion” gang: in addition to disrupting operations by encrypting systems, it exfiltrates data and threatens to publish it unless a ransom is paid. This data theft could lead to sensitive data from ION’s customers being published or abused to gain further access to those customers.

Statement

The company published a statement: “ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.”

Threat Group

LockBit is one of the most prominent ransomware groups. Russian-speaking, and operating within office hours of UTC+3 (Moscow time), the group is believed to be based in Russia, with some level of state approval. It uses a Ransomware-as-a-Service (RaaS) model, recruiting affiliates who would otherwise lack the capability to carry out attacks and providing them with LockBit’s tooling and infrastructure in exchange for a share of the ransom. In 2022, LockBit was responsible for approximately 40% of ransomware-related data leaks affecting financial institutions.

Threat Landscape

The financial sector is a valuable target for criminal networks because of the vast amounts of sensitive data it holds, which can be abused for financial gain. Nation-states may also mount attacks to disrupt critical economic services. The Russian state would have a motive to conduct an attack like this in retaliation for sanctions; however, there is no public evidence linking it to this attack. Another ransomware group, Corp Leaks, is known to concentrate its activity on the financial sector. Most notably, the group targeted Cottonwood Financial Inc. as recently as September 2022, demanding a ransom of $1.5 million for stolen data.

MITRE ATT&CK Techniques

T1005 – Data from Local System

T1021.001 – Remote Services: Remote Desktop Protocol

T1059.001 – Command and Scripting Interpreter: PowerShell

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

T1059.007 – Command and Scripting Interpreter: JavaScript

T1078 – Valid Accounts

T1082 – System Information Discovery

T1098 – Account Manipulation

T1105 – Ingress Tool Transfer

T1133 – External Remote Services

T1140 – Deobfuscate/Decode Files or Information

T1190 – Exploit Public-Facing Application

T1195 – Supply Chain Compromise

T1486 – Data Encrypted for Impact

T1489 – Service Stop

T1497 – Virtualisation/Sandbox Evasion

T1498 – Network Denial of Service

T1498.001 – Network Denial of Service: Direct Network Flood

T1574.002 – Hijack Execution Flow: DLL Side-Loading

T1587.002 – Develop Capabilities: Code Signing Certificates

Further Information

Cleared Derivatives Cyber Event

FIA comments on ION Group cyber incident

Ransomware attack on data firm ION could take days to fix