© Reuters. FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.REUTERS/Kacper Pempel/Illustration/File Photo
By Raphael Satter
WASHINGTON (Reuters) -The hackers who claimed responsibility for a disruptive breach at financial data firm ION say a ransom has been paid, although they declined to say how much it was or offer any evidence that the money had been handed over.
ION Group declined to comment on the statement. Lockbit communicated the claim to Reuters via its online chat account on Friday but declined to clarify who had paid the money – saying it had come from a “very rich unknown philanthropist.”
The Lockbit representative said there was “no way” it would offer further details.
The FBI did not immediately reply to a request for comment. Britain’s National Cyber Security Agency, part of Britain’s GCHQ eavesdropping intelligence agency, told Reuters it had no comment.
The ransomware outbreak that erupted at ION on Tuesday has disrupted trading and clearing of exchange-traded financial derivatives, causing problems for scores of brokers, sources familiar with the matter told Reuters this week.
Among the many ION clients whose operations were likely to have been affected were ABN Amro Clearing and Intesa Sanpaolo (OTC:), Italy’s biggest bank, according to messages to clients from both banks that were seen by Reuters.
ABN told clients on Wednesday that due to “technical disruption” from ION, some applications were unavailable and were expected to remain so for a “number of days.”
It was not clear whether paying the ransom would necessarily speed the clean-up effort. Ransomware works by encrypting vital company data and extorting the victims for payoffs in exchange for the decryption keys. But even if hackers hand over the keys, it can still take days, weeks or longer to undo the damage to a company’s digital infrastructure.
There were already signs that Lockbit had reached some kind of an agreement over ION’s data. The company’s name was removed earlier Friday from Lockbit’s extortion website, where victim companies are named and shamed in a bid to force a payout. Experts say that is often a sign that a ransom has been delivered.
“When a victim is delisted, it most commonly means either that the victim has agreed to enter negotiations or that it has paid,” said ransomware expert Brett Callow of New Zealand-based cybersecurity company Emsisoft.
Callow said there was an outside chance that there was some other explanation for Lockbit publicly backing off.
“It may mean that ransomware gang got cold feet or decided not to proceed with the extortion for other reasons,” he said.
Ransomware has emerged as one of the internet’s most expensive and disruptive scourges. As of late Friday, Lockbit’s extortion website alone counted 54 victims who were being shaken down, including a television station in California, a school in Brooklyn and a city in Michigan.