Global securities finance tech company EquiLend's systems are now back online after announcing a disruptive ransomware attack nearly two weeks ago.

EquiLend was founded in 2001 by some of Wall Street's biggest players - its board of directors includes BlackRock, Goldman Sachs, JP Morgan, Morgan Stanley and more - and is primarily known for its Next Generation Trading (NGT) platform, which underpins a large chunk of the sector's securities lending.

The platform transacts $113.5 billion every day between more than 120 companies across more than 40 markets. The company also has regulatory tech, data analytics, and securities finance arms.

Providing regular updates via a dedicated web page, EquiLend almost completed its full restoration last week, waiting only for its data and analytics solutions to get back up and running.

"As our internal team and third-party experts have continued working diligently on recovery, we have reached a much-anticipated milestone: All EquiLend client-facing services are now available," said the Wall Street staple.

"We look forward to providing the high-quality service and user experience our clients have come to expect from us across all our services, and we remain incredibly grateful for your patience and support as we worked up to this point.

"We have and will continue to keep our clients informed with relevant updates. Clients whose questions are not answered by the frequently asked questions linked on this page may contact their client relationship manager."

EquiLend began the full restoration after it pulled systems offline following the discovery of the malicious behavior. According to cybersecurity expert Kevin Beaumont, LockBit claimed responsibility for the attack but never posted EquiLend to its leak blog, an observation he claims suggests the company negotiated a ransom payment.

For clarity, it must be said that EquiLend has not commented on whether a ransom was paid or not. We contacted the business for a comment but it didn't immediately respond.

A ransomware group's leak site serves as one of the key tools available to cyber extortionists. The idea is that if a ransom agreement can't be met swiftly, the victim's details are posted online so everyone knows the organization is suffering a ransomware incident.

The hope, then, is that the negotiations will be hurried along before the victim's data is posted online - the next move for cybercriminals looking to apply pressure to victims - which can include sensitive identity documents such as passport scans of staff, for example.

At the time of the incident's announcement, EquiLend was vocal about how proud it is of its "rigorous backups," hinting that it may snub LockBit's demands and restore itself from those backups instead.

As a company whose services are so critical to the smooth running of such a lucrative industry, EquiLend's incentive to pay would have been significant, despite the practice being strictly discouraged by the US and many other nations.

The company updated its FAQ page this week to reflect the system restoration but didn't update other sections regarding questions around how the attackers broke in.

Nor has EquiLend updated its communication regarding whether any data had been lifted from its systems. However, the official line appears to be carefully worded to confirm client transaction data is safe.

"While we are continuing to investigate, based on the review to date, we have not identified evidence that client transaction data was accessed or exfiltrated in the cybersecurity incident," it said. "We will continue to share pertinent updates as they become available."

If LockBit was indeed at fault for this, its double extortion MO likely saw one of its affiliates steal a hefty chunk of data to use as leverage for ransom negotiations down the line, if it came to it.

Paying a ransom never guarantees the return or destruction of data on the cybercriminals' part, nor does it guarantee the victim will be supplied with a decryptor. That said, the ransomware business model would suffer substantially if decryptors weren't given in exchange for payment.

At the time of the attack, there were questions about how disruptive the attack would be, with early signs pointing to possible issues around service quality due to staff resorting to manual operations.

However, experts speaking to us at the time expected minimal disruption to EquiLend's business as the effects of disrupted operations, such as revenue losses, would most likely be contained for the most part.

The attack came at a difficult time for the company, a week after it announced the sale of a majority stake of its business to private equity firm Welsh, Carson, Anderson & Stowe - a deal expected to close before the end of the year. ®

https://www.theregister.com//2024/02/06/equilend_back_in_action_as/