a man with a long Pinocchio nose talking on the phone

Employee guilty of joining ransomware attack on his own company

A 28-year old IT Security Analyst pleaded guilty and will consequently be convicted of blackmail and unauthorized access to a computer with intent to commit other offences.

It all started when the UK gene and cell therapy company Oxford BioMedica fell victim to a cybersecurity incident which involved unauthorized access to part of the company’s computer systems on 27 February, 2018. The intruder notified senior staff members at the company and demanded a ransom. As an IT Security Analyst at the company, Ashley Liles was tasked with investigating the incident.

He worked alongside colleagues and the police in an attempt to mitigate the incident. But at some point he must have decided to use the circumstances to enrich himself. According to the South East Regional Organised Crime Unit (SEROCU), Liles commenced a separate and secondary attack against the company.

As part of his plan he changed the Bitcoin payment address of the attacker to his own in emails to the board members. And he set up an email address very similar to that of the attacker. From that email address he began emailing his employer to pressurize the company to pay the ransom.

Unfortunately for Liles, a payment was never made and the unauthorized access to the private emails was noticed during the investigation. Due to some poor choices when it came to his own security, the police arrested Liles and searched his home.

The unauthorized access to the emails could be traced back to his home address, which gave the police sufficient grounds to seize a computer, laptop, phone, and a USB stick. Despite his attempts to wipe the data from his devices, the police was able to recover enough data to act as evidence to prove his crimes and establish his direct involvement.

Liles denied any involvement for five years. But on May 17, 2023 during a hearing at Reading Crown Court, he changed his plea to guilty. The case has now been adjourned for sentencing at the same court on July 11, 2023.

While this definitely qualifies as an insider threat, this one seems to have been opportunistic rather than premeditated. The term is often associated with disgruntled employees, but they can also be coerced, or jump on an opportunity that presents itself, as Liles did. The case emphasizes the need for effective access control policies, even when an emergency presents itself. You do not want to make the scope of the incident worse by giving up your access policies in light of an investigation.

Access to resources should always be limited to what is needed to get the job done. And incidental access should be revoked when the need is no longer there. We’re not saying that every employee should be treated as a suspect or potential insider threat. That will result in an unworkable situation. But you should have measures in place to limit the damage and find any culprit.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.