Hackers claiming responsibility for the destructive breach at financial data company ION say the ransom has been paid, but they refuse to disclose the exact amount or provide any evidence that the money was handed over.
ION Group declined to comment on the statement. Lockbit conveyed the claim to Reuters via its online chat account on Friday, but declined to clarify who paid the money – saying it came from a “very wealthy unknown philanthropist”.
A Lockbit representative said it was “impossible” to provide more details.
The FBI did not immediately respond to a request for comment. Britain’s National Cyber Security Agency, part of Britain’s GCHQ wiretapping intelligence agency, declined to comment to Reuters.
A ransomware outbreak at ION on Tuesday disrupted trading and clearing of exchange-traded financial derivatives, causing problems for many brokers, people familiar with the matter told Reuters this week.
ABN Amro Settlement Bank and Italy’s largest lender Intesa Sanpaolo are among the ION clients whose business could be affected, according to messages sent to clients by the two banks and seen by Reuters.
ABN told customers on Wednesday that some applications were unavailable due to a “technical outage” at ION, which was expected to last “for several days”.
It’s unclear whether paying the ransom will necessarily speed up the cleanup. Ransomware works by encrypting important corporate data and blackmailing victims in exchange for a decryption key. But even if hackers hand over the keys, it could take days, weeks or longer to undo the damage to a company’s digital infrastructure.
There are already signs that Lockbit has reached some sort of agreement over ION’s data. Earlier Friday, the company’s name was removed from Lockbit’s extortion site, where victim companies are named and shamed to force payments. Experts say this is usually a sign that the ransom has been delivered.
“When a victim is delisted, it usually means the victim has agreed to enter into a negotiation or has paid a fee,” said Brett Callow, a ransomware expert at New Zealand-based cybersecurity firm Emsisoft.
Callow said that there are other explanations for the public delisting, but they are highly unlikely.
“It could mean that the ransomware gang backed down, or decided not to proceed with the ransom for some other reason,” he said.
Ransomware has become one of the most expensive and destructive scourges on the internet. As of late Friday, Lockbit’s extortion site alone counted 54 victims of extortion, including a television station in California, a school in Brooklyn and a city in Michigan.
© Thomson Reuters 2023