LockBit hackers behind ION Breach also hit Royal Mail, Hospital

(Bloomberg) – The hacker group behind a cyber attack on software company ION Trading UK has recently carried out a series of security breaches around the world, with victims including the UK postal service and local government agencies in the US.

Most read by Bloomberg

The gang known as LockBit is a prolific ransomware operator, according to cybersecurity experts, specializing in using malicious software to encrypt files on a victim’s computer and then demanding payment to unlock the files. Earlier this week, an ION system was hit, shutting down derivatives trading in every market from commodities to bonds, forcing a number of European and US banks and brokers to process some trades manually.

The group on Thursday threatened to publish “all available data” it allegedly stole from ION on its website on the dark web unless the derivatives trading platform paid an unspecified ransom by February 4.

UK regulators have launched an investigation into the ION breach, which affected 42 of the company’s clients and forced a number of European and US banks and brokers to manually clear some trades. The FBI is also seeking information about the attack and has contacted ION executives, according to people familiar with the matter.

LockBit’s malware was used in a ransomware attack on the UK’s Royal Mail in January, crippling the service’s ability to send international letters and parcels and rendering some computers there inoperable. In December, an employee of the group hacked a Canadian children’s hospital, only for LockBit to apologize and send the victim a decryption key.

The city of Mount Vernon, Ohio said its police department and other government agencies were affected by a LockBit ransomware attack.

The story goes on

“There is no doubt that we are seeing an increase in activity and LockBit, which has taken responsibility for the ION attack, is one of the most prolific threat actors,” said David Naylor, who leads the privacy, cybersecurity and digital assets practice in the UK heads practice at the law firm of Squire Patton Boggs.

He added: “They clearly tend to focus on organizations that they believe are either vulnerable or running high value systems where there is a reasonable prospect of a significant ransom if the target is ready if the attack is successful.” is to be paid. “

LockBit has been active since at least January 2020 and has hacked up to 1,000 victims worldwide and extorted ransom demands of at least $100 million, according to the US Department of Justice. Last year, a Canadian-Russian man was arrested in Ontario for allegedly participating in a LockBit ransomware campaign. According to cybersecurity experts, the members of the group are also active in Russian-language cybercrime forums.

Like other hacking crews, LockBit operates on the ransomware-as-a-service model, where members lease access to the malware to “partners” in exchange for a reduction in the ransom payment made as a result of the breach.

“They run it like a business, and that’s the best way to explain it,” said Jon DiMaggio, chief security strategist at cyber firm Analyst1. “The founder of LockBit runs it like he’s Steve Jobs, which is successful for them, but very bad news for the rest of us.”

Researchers have also examined LockBit’s hacking tools and found that the group regularly updates its malicious software to avoid detection by cybersecurity products. A malware strain dubbed LockBit Black shows the gang has been experimenting with a type of self-propagating malware that would make it easier for hackers to infiltrate victim organizations without the technical expertise that’s normally required, researchers at Sophos Group Ltd wrote in a blog post.

On Monday, they released a new strain of ransomware based on code adopted from another Russian-speaking gang, Conti, which collapsed last year amid internal fighting, DiMaggio said.

A spokesman for LockBit declined to comment when reached by Bloomberg News.

–Assisted by Isis Almeida and Katherine Doherty.

Most Read by Bloomberg Businessweek

©2023 Bloomberg LP