LockBit Hackers Behind ION Breach Also Hit Royal Mail, Hospital

The gang has conducted a spate of extortion events, demanding cryptocurrency to unlock files.

(Bloomberg) — The hacking group behind a cyberattack against the software firm ION Trading UK has recently conducted a series of breaches throughout the world, with its victims including the UK’s postal service and local government agencies in the US. 

The gang, known as LockBit, is a prolific ransomware operator, according to cybersecurity experts, specializing in using malicious software to encrypt files on a victims’ computer, then demanding payment to unlock the files. Earlier this week, it struck an ION system that paralyzed derivatives trading across markets for everything from commodities to bonds, forcing a number of European and US banks and brokers to process some trades manually.

The group on Thursday threatened to publish “all available data” that it claimed to have stolen from ION on their website on the dark web unless the derivatives trading platform paid an unspecified ransom by February 4.

UK regulators have started an investigation into the ION breach, which affected 42 of the company’s clients and forced a number of European and US banks and brokers to process some trades manually.  The FBI is also seeking information on the attack and has reached out to ION executives, according to people familiar with the matter.

LockBit’s malware was used in a ransomware attack against the UK’s Royal Mail in January, shuttering the service’s ability to send international letters and parcels and rendering some computers there inoperable. In December, an associate of the group hacked a Canadian children’s hospital, only for LockBit to apologize and send the victim a decryption key. 

The city of Mount Vernon, Ohio said its police department and other government agencies were affected by a LockBit ransomware attack. 

“There’s no doubt that we’re seeing an increase in activity and LockBit, which has claimed responsibility for the ION attack, is one of the most prolific threat actors,” said David Naylor, who heads the UK data privacy, cybersecurity and digital assets practice at law firm Squire Patton Boggs. 

He added, “Clearly, they tend to focus on organizations that they think are either vulnerable or operating high-value systems, where if they successfully attack them, there’s a meaningful prospect of securing a significant ransom – if the target is willing to pay.”

LockBit has been active since at least January 2020 and has hacked as many as 1,000 victims globally, extorting at least $100 million in ransom demands, according to the US Justice Department. Last year, a Canadian-Russian man was arrested in Ontario for allegedly participating in a LockBit ransomware campaign. The group’s members are also active on Russian-language cybercriminal forums, according to cybersecurity experts. 

Like other hacking crews, LockBit functions under the ransomware-as-a-service model, in which members lease access to the malware to “affiliates” in exchange for a cut of any ransom payment that comes as a result of the breach. 

“They run it like a business, and that’s the best way to explain it,” said Jon DiMaggio, chief security strategist at the cyber firm Analyst1. “The founder of LockBit runs it as if he were Steve Jobs, which is successful for them but very bad news for the rest of us.” 

Researchers have also studied LockBit’s hacking tools, determining that the group regularly updates its malicious software in order to avoid detection from cybersecurity products. One strain of malware, dubbed LockBit Black, shows that the gang has experimented with a kind of self-spreading malware that would make it easier for hackers to infiltrate victim organizations without the technical expertise typically required to do so, Sophos Group Ltd. researchers wrote in a blog post.  

On Monday, they released a new strain of ransomware based on code taken from another Russian-speaking gang, Conti, which collapsed amid internal infighting last year, DiMaggio said. 

A spokesperson for LockBit declined to comment when reached by Bloomberg News.  

–With assistance from Isis Almeida and Katherine Doherty.

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.