LockBit hackers behind ION Breach also hit Royal Mail and hospital

(Bloomberg) — The hacking group behind a cyberattack on software company ION Trading UK recently carried out a series of attacks around the world, with victims including the UK Postal Service and local government agencies in the United States.


The gang, known as LockBit, is a prolific operator of ransomware, according to cybersecurity experts, specializing in using malware to encrypt files on a victim’s computer and then demanding payment to unlock the files. Earlier this week it hit an ION system that crippled derivatives trading in all markets, from commodities to bonds, forcing a number of European and US banks and brokers to process some trades manually.

The group threatened on Thursday to release “all available data” it claims to have stolen from ION on its dark web site unless the derivatives trading platform pays an unspecified ransom by Feb. 4.

UK regulators have opened an investigation into the ION breach, which affected 42 of the company’s customers and forced a number of European and US banks and brokers to process some transactions manually. The FBI is also seeking information about the attack and has contacted ION executives, according to people familiar with the matter.

LockBit’s malware was used in a ransomware attack on Britain’s Royal Mail in January, blocking the service’s ability to send international letters and parcels and rendering some computers inoperable. In December, an associate of the group hacked into a Canadian children’s hospital, only for LockBit to apologize and send the victim a decryption key.

The city of Mount Vernon, Ohio said its police department and other government agencies were hit by a LockBit ransomware attack.

“There is no doubt that we are seeing an increase in activity and LockBit, which claimed responsibility for the ION attack, is one of the most prolific threat actors,” said David Naylor, who leads the UK data privacy, cybersecurity and digital assets practice at the law firm Squire Patton Boggs.

He added: “Obviously they tend to focus on organizations that they think are vulnerable or exploiting high value systems, where if they succeed in attacking them there is a significant prospect of getting a large ransom – if the target is willing to pay.”

LockBit has been active since at least January 2020 and has hacked up to 1,000 victims worldwide, extorting at least $100 million in ransom demands, according to the US Department of Justice. Last year, a Canadian-Russian man was arrested in Ontario for allegedly participating in a LockBit ransomware campaign. Members of the group are also active on Russian-language cybercriminal forums, according to cybersecurity experts.

Like other hacking teams, LockBit operates under the ransomware-as-a-service model, in which members rent access to malware to “affiliates” in exchange for a cut of any resulting ransom payment.

“They run it like a business, and that’s the best way to explain it,” said Jon DiMaggio, chief security strategist at cyber business Analyst1. “LockBit’s founder runs it like he’s Steve Jobs, which is great news for them but really bad news for the rest of us.”

Researchers have also studied LockBit’s hacking tools, determining that the group regularly updates its malware to avoid detection by cybersecurity products. One strain of malware, dubbed LockBit Black, shows the gang experimented with a sort of self-spreading malware that would make it easier for hackers to infiltrate victim organizations without the technical expertise typically required to do so, researchers at Sophos Group Ltd. wrote in a blog post.

On Monday, the group released a new strain of ransomware based on code from another Russian-speaking gang, Conti, which collapsed amid infighting last year, DiMaggio said.

A LockBit spokesperson declined to comment when contacted by Bloomberg News.

–With help from Isis Almeida and Katherine Doherty.


©2023 Bloomberg LP
