Ransomware attack on ION Trading shows markets' vulnerability to hackers


In a rare case of a ransomware attack bringing down a segment of the financial services industry, a major derivatives software provider fell victim to a Russia-linked ransomware group last week, and its trading systems only came back online after the threat actor said the company paid the ransom.

Ransomware group LockBit's attack against ION Group's Cleared Derivatives division affected global markets, prompting statements from the Futures Industry Association, a trade organization for futures, options and centrally cleared derivatives markets, and the Commodity Futures Trading Commission in the U.S.

ION confirmed the event in a January 31 statement, saying the incident was "contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing." Since then, the head of the CFTC said the commission is considering tighter cybersecurity regulations to deal with incidents such as the one that affected ION.

LockBit published a threat on its blog last week that it would post the data it stole from ION unless it received a ransom payment by Feb. 4. The group has since removed the threat and said that it received a ransom payment; threat actors typically take a listing down only after the ransom has actually been paid.

A person familiar with the matter said Wednesday that the company was rebuilding its systems in the wake of the attack and had retained CrowdStrike to attest to their soundness and security. The person asked not to be identified discussing private information.

ION declined to comment on the ransom and has not provided any public updates on its recovery efforts.

Cleaning up after a ransomware attack can take anywhere from days to months depending on the circumstances, according to Dick O'Brien, principal intelligence analyst at cybersecurity firm Symantec.

ION has provided no public indication of how long it will take to recover but had reportedly completed six out of 33 key recovery steps as of Monday, two days after LockBit removed the threat against the company from its blog.

"LockBit is one of the leading ransomware operations at the moment," O'Brien said. "Attackers using LockBit are usually quite skilled and, when an attack is successful, they will generally make a significant impact on the victim. As ransomware goes, it's definitely on the more serious end of the scale."


LockBit is among the top five most active ransomware strains, according to Tom Kellermann, senior vice president of cyber strategy for cybersecurity firm Contrast Security. It is not the only strain of ransomware that has been active in February: CISA released a script on Tuesday to help companies recover from a type of ransomware that targets a known vulnerability in software from VMware.

Despite the recent ransomware activity, Kellermann said that the threat financial institutions face from ransomware has gone down in recent years.

"Although these ransomware gangs represented a significant threat to FIs [last year], the number of successful intrusions has diminished due to unprecedented efforts by Europol, the FBI, the U.S. Secret Service and the Cybersecurity and Infrastructure Security Agency in disrupting and degrading the infrastructure, forums and alternative payments associated with these cybercriminals," Kellermann said.

The chairman of the CFTC, Rostin Behnam, said the ION episode shows the importance of strong cybersecurity regulations that ensure risk management practices adequately account for the growing cybersecurity risk.

In prepared remarks during the disruption last week, Behnam said "the industry's necessary and increasing reliance on third-party service providers creates a major source of risk," and he expected the risk to grow as more financial services providers rely on cloud computing and remote access in their work.

"The growth of cybersecurity threats to financial institutions is well-documented and widely recognized as an important and increasingly urgent problem, one the commission is actively dealing with as we sit here today," Behnam said at an American Bankers Association meeting. "As we are experiencing this week, market participants registered with the commission have not been immune to these threats."

The CFTC, like other regulators, has levied fines against financial companies after cyber events compromised customer information. In 2018, the CFTC fined AMP Global Clearing $100,000 for supervision failures that resulted in customer records being stolen, and in 2019, the commission fined Phillip Capital $1.5 million for a similar incident.

U.S. financial companies regularly practice for a wide range of cyberattack scenarios, but the sector does face a degree of concentration risk, according to Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center.

Walsh said the sector and regulators are focused on the "resilience" of the financial system, including in the supply chain that delivers financial services.

"This is why we see an increased focus by the sector and regulators on third-party risk management and oversight, as well as increased intelligence and information sharing (such as through FS-ISAC's Critical Providers program) to ensure close coordination both on an ongoing basis and in case of attacks," Walsh said.
