Hackers who breached ION say ransom paid; company declines comment
Send a link to a friend
 [February 04, 2023]
By Raphael Satter
WASHINGTON (Reuters) -The hackers who claimed responsibility for a
disruptive breach at financial data firm ION say a ransom has been paid,
although they declined to say how much it was or offer any evidence that
the money had been handed over.
ION Group declined to comment on the statement. Lockbit communicated the
claim to Reuters via its online chat account on Friday but declined to
clarify who had paid the money - saying it had come from a "very rich
unknown philanthropist."
The Lockbit representative said there was "no way" it would offer
further details.
The FBI did not immediately reply to a request for comment. Britain's
National Cyber Security Agency, part of Britain's GCHQ eavesdropping
intelligence agency, told Reuters it had no comment.
The ransomware outbreak that erupted at ION on Tuesday has disrupted
trading and clearing of exchange-traded financial derivatives, causing
problems for scores of brokers, sources familiar with the matter told
Reuters this week.
Among the many ION clients whose operations were likely to have been
affected were ABN Amro Clearing and Intesa Sanpaolo, Italy's biggest
bank, according to messages to clients from both banks that were seen by
Reuters.
ABN told clients on Wednesday that due to "technical disruption" from
ION, some applications were unavailable and were expected to remain so
for a "number of days."
It was not clear whether paying the ransom would necessarily speed the
clean-up effort. Ransomware works by encrypting vital company data and
extorting the victims for payoffs in exchange for the decryption keys.
But even if hackers hand over the keys, it can still take days, weeks or
longer to undo the damage to a company's digital infrastructure.
[to top of second column]
|
A man types on a computer keyboard in
front of the displayed cyber code in this illustration picture taken
on March 1, 2017.REUTERS/Kacper Pempel/Illustration/File Photo
There were already signs that Lockbit had reached some kind of an
agreement over ION's data. The company's name was removed earlier
Friday from Lockbit's extortion website, where victim companies are
named and shamed in a bid to force a payout. Experts say that is
often a sign that a ransom has been delivered.
"When a victim is delisted, it most commonly means either that the
victim has agreed to enter negotiations or that it has paid," said
ransomware expert Brett Callow of New Zealand-based cybersecurity
company Emsisoft.
Callow said there was an outside chance that there was some other
explanation for Lockbit publicly backing off.
"It may mean that ransomware gang got cold feet or decided not to
proceed with the extortion for other reasons," he said.
Ransomware has emerged as one of the internet's most expensive and
disruptive scourges. As of late Friday, Lockbit's extortion website
alone counted 54 victims who were being shaken down, including a
television station in California, a school in Brooklyn and a city in
Michigan.
(Reporting by Raphael Satter and Christopher Bing; Additional
reporting by James Pearson in London; Editing by Marguerita Choy,
David Gregorio and William Mallard)
[© 2023 Thomson Reuters. All rights
reserved.]This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content.
 |
