Ion: after the hack, the clean-up

Some clients are now using Ion systems again, but synchronizing data with CCPs could take days.

Ion Group is allowing some customers to access its systems again after a cyber attack took them offline last week, though it could still be days before the affected services are fully functional.

Clients were informed on February 5 that restoration of the servers and data for futures trading service XTP was around 80–90% complete.

“They have already brought two players back online, and they’re replaying prior trade day activity to bring them current,” says a source who has been working with affected customers.

Users who regain access to XTP must still back-fill the data—loading in trades that were entered manually while the software was offline—and also synchronize their records with futures clearinghouses. That could take days, or longer.

“It looks like we’re within a couple of days of people getting their Ion systems delivered back to them,” says the source. “It could be days or weeks to get caught up and resynchronize with all the clearinghouses.”

The amount of backfilling work has been shifting. A source at one European bank says Ion initially planned to restore user data up to January 27—the Friday before the hack was discovered—but that has since been pushed back to January 24. Customers will therefore have to backfill around two weeks of trade data when they regain access to XTP.

“Their initial feedback was to restore to the 27th because they thought they were clean, but over the weekend the CrowdStrike people said they were not certain the backup would be clean,” the European bank source says. “So, they pushed it back to the 24th.”

CrowdStrike, a cyber security firm, is helping Ion analyze and test the restored systems.

Banks may also need a green light from their in-house cyber security teams before reconnecting to Ion’s systems, which could further delay a return to business-as-usual.

“Step one will be Ion handing over to the bank; step two will be each bank doing its own due diligence to determine whether they want to turn the pipes back on,” says the source working with affected customers. “Ion is leaning on CrowdStrike to clean any environments that are being restored to provide some assurance of safety with regard to reconnecting services.”

Some client sources affected by the outage say Ion has been inconsistent in communicating the status of the recovery efforts. “We do get the feeling they are still in quite the disarray at Ion. We get a lot of non-coherent and conflicting information back on our questions from them. We certainly will not open any firewalls soon toward them,” the European bank source says.


Ion’s recovery efforts to date appear to be focused primarily on XTP, which covers everything from trade execution to clearing workflows and risk analytics. The service was rebranded and relaunched last November, after a suite of existing products had been stitched together to provide “end-to-end” functionality.

The cyber attack also took out other Ion services, including a trade matching system called Seals, a margin calculation engine, and some lesser-used products. Of the 42 impacted clients, 11 are said to be XTP users.

Yesterday, Seals was still offline, with customers awaiting updates on when it would be restored.

“They said the ETA was three days, but that hasn’t happened,” says a source at a client that uses the service, speaking on February 6. “As of this morning, it is still not back up and running. As of right now, I don’t know where we are at.”

The outage has caused significant disruption to the bank’s futures business, this person says. “We’ve got a bunch of exchanges that clear through Seals, which is the product that was affected, and we are having to manually clear our trades. We’ve got some people working through the night, logging into exchange websites to manually clear the trades,” they say.

A second source who uses Seals says the service was down yesterday and is still down today.

Demands met?

It remains unclear how the cyber attack was resolved. Once they have successfully infiltrated a target’s systems, ransomware criminals may try to steal confidential data—demanding a ransom not to publish it—and may also charge the target for a decryption key that will allow the target to access its own servers again.

The hacking group LockBit, which carried out the attack, told Reuters on Friday that its demands had been met, without specifying who had made the payment.

Sources give mixed reports on what users have been told by Ion. The European bank source says representatives of Ion denied they had paid during a call with clients on February 5. The source working with affected customers says Ion did not respond directly when asked about the ransom.

According to sources, Ion decided last week to rebuild its servers and restore data from backups rather than pay for a decryption key from the hackers.

A chief compliance officer at a US broker-dealer says rebuilding systems is best practice, regardless of whether a ransom was paid to protect confidential data. “Even with the encryption key in hand, restoring files would be time-consuming, and if they planted a backdoor they could always ransom the firm again, so many people advise to rebuild if you can.”

An Ion spokesperson declined to comment on whether the ransom had been paid.

With additional reporting by Anthony Malakian
