© Reuters. FILE PHOTO: A man types on a computer keyboard in front of cyber code shown in this illustrative image taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo
By Raphael Satter
WASHINGTON (Reuters) – Hackers who claimed responsibility for the disruptive breach at financial data firm ION say a ransom was paid, though they declined to say how much it was or offer any proof the money was delivered. .
ION Group declined to comment on the statement. Lockbit reported the claim to Reuters via its online chat account on Friday, but said it would “by no means” provide details. The FBI did not immediately respond to a request for comment. Britain’s National Cyber Security Agency (NCSC), part of Britain’s GCHQ spy intelligence agency, told Reuters it had no comment.
The ransomware outbreak that broke out at ION on Tuesday has disrupted trading and clearing of exchange-traded financial derivatives, causing problems for dozens of brokers, sources familiar with the matter told Reuters this week.
Among the many ION clients whose operations were likely affected were ABN Amro Clearing and Intesa Sanpaolo (OTC:), Italy’s largest bank, according to messages to clients of both banks seen by Reuters.
ABN told customers on Wednesday that due to ION’s “technical outage”, some apps were unavailable and were expected to remain unavailable for a “number of days”.
It’s unclear whether paying the ransom would necessarily speed up the cleanup effort. The ransomware works by encrypting vital company data and extorting money from victims in exchange for decryption keys. But even if hackers hand over the keys, it can still take days, weeks, or longer to undo the damage to a company’s digital infrastructure.
There were already signs that ION and Lockbit might have reached an agreement. ION was removed from Lockbit’s extortion website, where victim companies are named and shamed in an attempt to force a payment. Experts say it’s often a sign that a ransom has been delivered.
“When a victim is removed from the list, most commonly the victim has agreed to enter into negotiations or has paid,” said ransomware expert Brett Callow of New Zealand-based cybersecurity firm Emsisoft.
Callow said there was an outside possibility that there was some other explanation for Lockbit publicly backing down.
“It may mean that the ransomware gang has chickened out or decided not to continue with the extortion for other reasons,” he said.
Ransomware has become one of the most costly and damaging scourges on the Internet. As of Friday night, Lockbit’s extortion website alone had 54 victims being extorted, including a television station in California, a school in Brooklyn and a city in Michigan.