ION’s Woes Far From Over Even If It Paid Ransom, Experts Say

(Bloomberg) -- The hackers behind the recent ransomware attack on ION Trading UK, which upended derivatives trading around the world, claim the extortion payment was paid.

Most Read from Bloomberg

• Meta Asks Many Managers to Get Back to Making Things or Leave

• Quake Toll Hits 4,000 in Turkey, Syria as Overseas Aid Flows

• Trump Charges in Georgia Over 2020 Could Lead to Bigger Fed Case

• Powell Says Further Rate Hikes Needed and Markets Take Heed

• Wall Street Goes Risk-On Without Powell’s Pushback: Markets Wrap

While ION Trading has declined to comment on the hackers’ claim, cybersecurity experts say paying a ransom isn’t a magic bullet that automatically restores computer systems. Rather, the recovery drag on for months, they said.

“You might get the decryption key quickly, but depending on how many systems were affected it can take weeks to months to get everything working properly again,” said Lou Steinberg, founder of CTM Insights, a cybersecurity research firm.

If a ransom is paid, the hacking group is supposed to provide a key to unlock the files. Computer servers that have been encrypted by ransomware often need to have their files decrypted one by one, which can take days or weeks, according to cybersecurity experts. And once a machine has had its data decrypted, that machine is no longer trusted and needs to be wiped and completely rebuilt. The process with PCs is typically faster.

“It is not just a matter of restoring the files,” said Allan Liska, a ransomware expert for the cybersecurity firm Recorded Future Inc. “You also have to go through every machine to ensure the attacker didn’t leave tools behind that could help them reconnect to the network and carry out another attack.”

Once a company has paid a ransom, other ransomware groups may try to exploit weaknesses in its IT systems to extort them again, Liska added. As a result, ransomware victims may want to overhaul their technical architecture to ensure they are watertight.

ION Trading’s representative didn’t respond to a message Saturday seeking comment. It’s not clear how many of ION’s devices or servers were compromised in the attack.

Ransomware is a type of malware the locks up a victim’s files, and the hackers demand payment to provide an encryption key. The group behind the ION hack, LockBit, also steals files from victims and threatens to release them unless a payment is made by a certain deadline.

The Federal Bureau of Investigation discourages victims from paying ransom to hackers. The UK’s National Cyber Security Centre has warned against paying ransoms too. “There is no guarantee that you will get access to your data” after paying, the agency said.

Paying a ransom “does not insulate that company from future attack,” said Lizzie Cookson, director of incident response at Coveware, a ransomware response company, speaking generally about the attacks. She added that paying a ransom doesn’t guarantee a victim that their data won’t be published.

The attack against ION began early Tuesday and affected 42 of its clients. It ultimately forced some European and US banks and brokers to process some trades manually, effectively setting them back decades. The FBI has reached out to ION executives about the attack.

LockBit had set a deadline of Saturday for ION to pay the ransom, and it posted the company’s name on its dark web “leak site” alongside a timer showing when the deadline expired. The ION post was taken down Friday, and a representative for the gang said the ransom was paid, without disclosing the amount or who paid the bill.

Bloomberg couldn’t independently verify that the extortion payment was made.

A ransomware attack on Ireland’s public-health system in March 2021 showed the complexity of restoring systems even with a decryption key. A notorious gang called Conti was behind the hack, which ended up compromising systems that 54 hospitals and about 4,000 other locations needed to operate vital equipment.

The attack caused some uneasiness in Conti’s ranks, and the gang ended up provided the decryption key for free. About 3,600 servers and 40,000 desktop computers had been compromised and it took between five minutes and an hour to decrypt a single device. A month after the attack, the public health agency had recovered about half the servers.

--With assistance from Jordan Robertson, Ryan Gallagher and David Voreacos.

Most Read from Bloomberg Businessweek

• Lab-Grown Meat Has a Bigger Problem Than the Lab

• Why Companies Are Setting Prices Wrong, and How to Do It Right

• That Zoom Meeting Really Could Have Been a Simple Phone Call

• ChatGPT Gets an MBA

• Activists Return to Big Attacks With $400 Billion Chase List

©2023 Bloomberg L.P.