ION Trading UK Experienced Ransomware Attack, All Servers Disconnected

Illustration of ransomware attacks locking servers. (photo: twitter abnamro)

JAKARTA - The ransomware attack that hit ION Trading UK could take days to fix. This makes it impossible for some brokers to process derivative trades

ION Group, the holding company of the financial data company, said in a statement on its website that the attacks began on Tuesday, January 31.

"The incident was loaded into a specific environment, all affected servers were disconnected and service fixes are ongoing," ION Group said, declining requests for further comment.

Ransomware is a form of malicious software used by criminal gangs that work by encrypting data, with hackers offering victims keys in exchange for payment. Such ransom demands could amount to millions of dollars. Officials in the US and Europe are now monitoring the disturbance.

"We are aware of this ongoing incident and we will continue to work with our partners and affected companies," the UK's Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) said on Thursday, 2 February.

The Federal Bureau of Investigation (FBI) told Reuters it was also aware of the hack, although it declined to comment further. Bloomberg News also reports that the FBI has contacted Ion executives about the incident.

Among ION's many clients whose operations are likely to be affected are ABN Amro Clearing and Intesa Sanpaolo, Italy's largest bank, according to messages to clients from both banks seen by Reuters.

The Futures Industry Association (FIA) said problems at ION had affected the trading and clearing of exchange-traded financial derivatives, although there were no reports of margin problems in financial markets.

ABN told clients on Wednesday 1 February that due to "technical glitches" from ION some apps were unavailable and expected to remain so for "a few days". It added that its staff should process trades directly with the exchange.

In response to questions from Reuters, ABN said it was not currently seeing any "relevant disturbances".

"ABN AMRO Clearing has taken appropriate measures to keep its operations safe, including notifying its clients in advance of what may occur," he said in an emailed statement.

Intesa Sanpaolo told clients that brokerage and clearing operations on exchange-traded derivatives had been "significantly hampered" by IT issues at ION and were unable to handle orders.

The bank told Reuters it was waiting for ION to indicate when they could resume "normal and safe" operations, adding that the ransomware attack targeting a trading services company had not affected its own systems.

A source familiar with the matter said the attack put brokers who process complex over-the-counter trades involving products such as options in a difficult situation and the problem could take another five days to fix.

Lockbit said it would publish the stolen data on February 4 if ION Group failed to pay the ransom, according to a screenshot of the group's blog on the dark web at darkfeed.io, a website that tracks ransomware groups.

“Lockbit ransomware has been detected worldwide, with organizations in the United States, India, and Brazil being their targets,” said cybersecurity firm Trend Micro.

Trend Micro describes the group, which some cybersecurity experts say has members in Russia, as one of the most professional organized criminal gangs in the underworld.

The UK's National Cyber ​​Security Service (NCSC), part of the UK's GCHQ eavesdropping intelligence agency, said it had no immediate comment when contacted by Reuters.