Unlocking the Truth: An Inside Look at the ION Ransomware Attack

A financial software company fell victim to a cyber attack, forcing traders to do the unthinkable: physically write things down and make actual phone calls. Eugene Yiga spoke to several cybersecurity experts to find out what happened and how it could impact you next

ION is on a mission to reinvent the way business is done through automation technology. According to its website, this means helping you “improve decision-making, increase efficiency, simplify complex processes and empower your people”. Perhaps somewhat ironically, none of that was possible when the company suffered a cyber attack earlier this year.

“On 1 February 2023, ION was targeted by LockBit ransomware,” explains Bill Reyor, senior incident detection engineer at Blumira. “LockBit, a cyber criminal group, locks up a company’s data and demands payment to unlock it. They also warn that they will release the confidential data they’ve stolen unless the money is paid within a certain period.”

This cyber attack significantly impacted ION’s cleared derivatives platform, a tool many banks, brokerages, and hedge funds use. Customers were unable to process their transactions, which had a financial impact on ION and several EU and US trading operations. ION worked closely with its clients to get the platform back up and running, and some exchanges and clearing houses even provided extra time to meet deadlines. But it was still a scramble.

“Organisations trading in derivatives had to quickly identify and implement alternative strategies to continue doing business, which had an absolute impact on financial markets,” says Mike DeNapoli, cybersecurity architect and director at Cymulate. “The Futures Industry Association and Bloomberg noted that upwards of 40 different companies slowed operations and/or were forced to resort to manual operations to process trades.”

Own goals

The specifics of how the systems were breached are private. Still, Russian-linked LockBit commonly uses phishing emails and remote access attacks or existing system vulnerabilities to infiltrate a company’s network.

Once they’re in, they use various tools to move around the network undetected, steal login information, and gain more control. They then activate the ransomware, which locks the files on the affected computers and presents a demand for money.

“Ransomware programmes are usually disguised as or bundled with ordinary programmes/media so that victims often end up opening these files themselves,” says Joshua Weiss, CEO of TeliApp.

“The ransomware is primarily spread through untrustworthy freeware and third-party websites, online scams, phishing, spam, and more. In an overwhelming majority of ransomware incidents, the attacks can be traced to a person clicking on a file downloaded from an email the hackers sent.”

You’re only as secure as your most insecure third-party

While the attack against ION targeted a company within the financial industry’s supply chain, it wasn’t a conventional third-party or supply chain attack. In a typical third-party attack, a company faces a direct threat due to a vulnerability in a third-party service they use or integrate into their operations. For instance, if a hacker breaches an organisation by exploiting a vulnerability in its Microsoft Office account, that would be a genuine third-party attack.

“Organisations trading in derivatives had to quickly identify and implement alternative strategies to continue doing business, which had an absolute impact on financial markets” Mike DeNapoli

“In this [ION] situation, the hackers managed to shut down a critical tool for many financial institutions and indirectly cause a major disruption to their businesses,” says Alex Spivakovsky, VP of Research at Pentera. “However, it doesn’t appear that the end users’ organisations were ever in danger from a cybersecurity perspective. The key takeaway here is that you need to prioritise your security and can’t take anything for granted. Hackers don’t care how they infiltrate your organisation and don’t get bonus points for style. This could just have easily been a true third-party attack scenario. And if you aren’t sure how your third-party software is secured, you can’t be confident in your security posture.”

Indeed, while the U.S. Treasury asserted that the incident didn’t pose a systemic risk to the financial sector, it underscores the critical need for robust and comprehensive cybersecurity measures across the industry.

“The ransomware attack against ION shows how criminals continue to pick off targets that don’t have adequate cybersecurity countermeasures in place considering their criticality,” says Andrew Robinson, co-founder and CSO of 6clicks. “Whilst the largest organisations like banks have made large investments in cybersecurity, it’s difficult for them and regulators to ensure every player in the supply chain has suitable protection.”

Know your treasure

Companies often fail to thoroughly assess their third-party partners’ cybersecurity posture and ensure that they adhere to the same security standards and protocols that they themselves do. It can create weak links in the cybersecurity chain, allowing cyber criminals to exploit vulnerabilities in third-party systems and gain unauthorised access to a company’s data or systems. This is why companies must conduct comprehensive due diligence on third-party vendors, assess their cybersecurity capabilities, and establish robust contracts and agreements that clearly define security expectations and responsibilities. They should also regularly monitor and audit third-party cybersecurity practices to ensure compliance.

“One of the most critical errors in a company’s cyber resilience efforts is failing to recognise the significance of digital assets and data,” says Ahsan Siddiqui, director of product management for Arcserve. “This includes intellectual property, customer data, and proprietary information. This lack of awareness can lead to inadequate protection measures, such as weak passwords, outdated software, and insufficient access controls, which exposes the company to cyber threats. Companies should conduct thorough risk assessments to identify their most critical assets and data, understand their vulnerabilities, and implement robust security measures to strengthen them. These measures should include regular monitoring, patching, and updating systems and software and implementing strong authentication mechanisms and encryption protocols.”

Test your playbook

More key areas to strengthen cyber resilience involve following the requirements of relevant legislation and regulations, looking to international standards like ISO/IEC 27001 to put in place security management practices, and investing in security controls like backup, anti-malware including application control, and logging and monitoring to ensure a swift response.

“Ransomware attacks continue since it is relatively easy for the criminals to perpetrate, and there is a high probability payout for them, as in the ION case” Sai Huda

“Due to increasingly sophisticated and relentless cyber adversaries, a proactive, vigilant and adaptable approach to cybersecurity has never been more important,” says John Ayers, VP of offensive security at Cyderes. “Regular software updates and patching, comprehensive staff training on phishing threats, regular data backups, strong access controls and network segmentation, and ongoing cybersecurity audits and risk assessments are all crucial for maintaining cyber resilience. Lastly, regular tabletop and wargaming exercises aligned to best practices will help test response capabilities in the event of a ransomware attack.”

Even though security controls should incorporate some form of artificial intelligence or machine learning to keep up with the deluge of attacks facing every industry, the continued growth of cyber-related attacks on critical infrastructure makes it impossible to rely on technology alone. Without a dedicated team whose sole priority is developing cybersecurity training and defence mechanisms, you cannot minimise your organisation’s vulnerability and risk.

“Historically, cybersecurity has been viewed either as a subset of IT, an insurance requirement, or both,” Weiss says. “But this is simply not the world we live in. Rather, cybersecurity is its own separate department. Promoting a cybersecurity culture is now required for any organisation’s cyber defence. That culture, permeating all levels of an organisation, can only be possible with dedicated, ongoing cybersecurity training for all team members with access to technology infrastructure.”

Ransom? What ransom?

LockBit claims ION paid the ransom, but of course, they will not officially say what that ransom was. ION has also declined to comment, so there’s no definite information as to the extent of the attack or the data sources that were impacted by it. This means that its customers may never know the true extent of the incursion, what data may have been stolen, or whether the situation is truly resolved.

“Ransomware attacks continue since it is relatively easy for the criminals to perpetrate, and there is a high probability payout for them, as in the ION case,” says Sai Huda, founder and CEO of CyberCatch. “It’s time that both suppliers and their large customers partner to simulate a ransomware attack emanating from the supplier or supply chain to test incident prevention, detection, and response capability. It will reveal gaps and blind spots, and action can be taken to mitigate risk proactively.”

Ultimately, the ION ransomware attack should be a wake-up call for suppliers to larger companies as well as the larger companies themselves. Criminals will continue focusing on sectors where money is handled and try to hide in the large volume of transactions. And as dependency on digital systems grows, organisations must constantly re-evaluate what’s at stake. Moreover, as adversaries continue to increase their speed and effectiveness, companies must continually evolve their protection and supply chain protection.