Ransomware hits major London stock market software supplier

Up to 40 clients suffer in the wake of an attack on one software supplier.
2 February 2023

One hit cripples up to 40 firms in a day – the power of supply chain attacks.

The UK is not having a good 2023 when it comes to ransomware attacks.

One of the country’s leading newspapers, The Guardian, was attacked by ransomware late in December 2022. Three weeks later, at the start of the new year, the paper’s owners finally admitted to staff that their data had been compromised.

Before any dust had settled on that affair, the UK’s main mail carrier, the Royal Mail, was hit by a crippling ransomware attack using LockBit 3.0 – a favorite ransomware attack method of Russian cybercriminal organizations, which had its key components leaked on the dark web late in 2022. The attack’s ramifications lasted for weeks and stopped outgoing mail leaving the island.

Then this happened…

The Royal Mail is just about getting over the enormous backlog caused by the ransomware attack as we go into February.

Today, a ransomware attack – again, rumored to have used the LockBit methodology, and potentially by the LockBit group itself – hit software supplier Ion, and has thrown the UK stock market into more turbulent chaos than it’s seen since September 23rd, 2022, when Prime Minister Liz Truss unleashed a cataclysmic budget that wiped £30bn off the value of the British economy in the space of one day.

Why is the Ion attack so catastrophic?

Because the software that Ion supplies is financial trading software, used by many of the City of London’s most prestigious trading houses. By sending ransomware to Ion, the attackers compromised the activities of up to 40 leading city clients, meaning they could no longer use their computer systems to trade debt and derivatives around the world.

Nuclear ransomware.

These are systems that frequently depend on crucial to-the-second timing, trading internationally to get the best results. Today, the Ion ransomware attack left traders recording their trades on pen and paper, taking the process back around 50 years in a handful of heartbeats.

Ion released a brief and fairly terse statement about the attack, and did not confirm that it was the work of the LockBit group. “The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available,” it said.

It also didn’t confirm – or deny – the gossip that claims the attack was made possible by the exploitation of vulnerabilities in some VMware servers.

While it would be both facile and crass to adopt a “Told you so” approach to such attacks, it is true that significant numbers of cybersecurity experts have been trying to warn the business community for months that a) ransomware attacks would rise and rise in their proliferation across 2023, and b) that they would also grow in their potential significance and mayhem.

Protect your supply chain.

In particular, the Ion attack distinguishes itself as the first major “supply chain” ransomware attack of 2023. If the Guardian attack proved that news organizations were in no sense exempt from ransomware, and the Royal Mail attack showed that it was possible to cripple a major part of the UK’s critical infrastructure, the Ion attack has shown the nuclear capabilities of ransomware.

Whoever is ultimately responsible for the Ion attack, they hit one link in the City of London’s trading chain. Anything up to 40 clients of the company were affected by the fallout of that one incident. That’s why cybersecurity experts have been saying for months that ransomware can not only potentially kill your business in an afternoon, it can also potentially take a lot of your supply chain with it.

That means companies have a responsibility not only to their shareholders to make sure they’re doing everything possible to secure themselves from ransomware, they have a duty to their supply chain, too – to anyone they entice to do business with them – to make sure they’re not introducing potential catastrophe to those other companies by cybersecurity negligence.

There’s far too little information available on the attack as yet to even speculate whether there was any such negligence in the Ion case, and it would be entirely remiss to suggest there was. But the ratio of one hit to 40 subsidiary victims is a real-world example of what experts have been begging the C-Suite of companies around the world to take seriously for months.

A warning to all sizes of business.

In the wake of the Ion attack, Jamie Akhtar, CEO and co-founder of CyberSmart (a company that deals in security for SMBs), said, “We aren’t dealing with run-of-the-mill cybercriminals or threats. Instead, this looks like a calculated attack on the very infrastructure that supports the UK’s financial system. What’s more, if the attribution rumor is true and the LockBit group is behind the attack, it’s a signal that the ‘cyber cold war’ being conducted as part of the conflict in Ukraine has begun to heat up.
We’ve been seeing a pattern of escalation in these attacks over the past few months, so we urge all businesses, even SMBs, to be as vigilant as possible in updating and patching software, employing good cyber hygiene, and treating anything unusual with suspicion.”

While it may seem like there’s no connection between Ion, a major supplier to lots of top-flight financial companies in the City of London, and an average SMB, it’s important to understand how the world of cybercriminals works. The big attacks, like the Royal Mail takedown and potentially the Ion atom bomb, are both extremely effective in and of themselves, but they also act as calling cards.

While there has been a significant, practically capitalistic, rash of amalgamations and mergers in the cybercriminal world recently (particularly in the Russian sphere, where bigger organizations have swallowed up many of the smaller players), the smaller operators still have to wet their beaks.

A bad year for SMBs?

In early December, 2022, Tech HQ sat down with Mike McLellan, Director of Intelligence at the SecureWorks Counter Threat Unit, who explained that there would be a greater danger in 2023 to SMBs from ransomware, because the nature of the threat was likely to evolve to include more attacks with smaller paydays that perhaps would avoid getting major attention from law enforcement agencies.

That means that, as well as the important nuclear attacks like the Ion event that took the City of London back to the Seventies, SMBs are likely to have a rough year of it with ransomware too.

Like the traders who are out right now investing in pencil sharpeners and erasers to get their job done tomorrow, the tech world waits to see how the Ion attack eventually shakes out.