A British IT worker who exploited a ransomware attack against the company he worked for, in an attempt to extort money from them for himself, has been sentenced to jail for three years and seven months.
As I previously described on the “Smashing Security” podcast, gene and cell therapy firm Oxford Biomedica suffered a ransomware attack in February 2018.
A hacker accessed Oxford Biomedica’s systems, stole information, and senior members of the company received a ransom demand from the hacker.
Nothing unusual about that.
Oxford Biomedica tasked its IT team to work alongside the police in investigating the attack, determine how it had occurred, and try to plug any remaining security holes to prevent future breaches.
Again, so far so normal.
But what was decidedly unusual was that one of its staff assigned to investigate the ransomware attack decided to actually exploit the situation, and trick his employer into giving him the ransom money instead of the genuine hackers.
Liles accessed the email account of an Oxford Biomedica board member, and changed the original ransom demand to direct that the money should be paid to a Bitcoin wallet under his own control, rather than that of the hackers.
This meant that if the company did ultimately decide to pay the ransom, it would end up with Liles rather than the (presumably less than happy) hackers who had initiated the attack.
Liles also created an almost identical email address to that used by the original hacker, and began emailing his employer to pressurise them to pay a ransom worth £300,000.
As part of their investigation, specialist officers from the UK’s SEROCU (the South East Regional Organised Crime Unit’s Cyber Crime Unit) identified that someone had been accessing the board member’s email, and then traced the access back to Liles’ home address.
Yup, it seems that this particular IT security analyst did not properly cover his tracks.
A subsequent search of Liles’s home uncovered computer equipment, a phone, and USB stick. Despite Liles’s attempts to wipe incriminating data from his devices, digital forensic analysts were able to recover enough evidence to prove his involvement in the extortion.
Ashley Liles of Fleetwood, Letchworth Garden City, Hertfordshire, was sentenced yesterday at Reading Crown Court for blackmail and unauthorised access to a computer with intent to commit other offences.
It’s a quite remarkable story. Liles wasn’t connected to the initial ransomware attack, it simply happened on his watch. And then – some would say showing competing amounts of initiative and recklessness – he attempted to hijack the ransomware attack against his own employer to his own benefit.
What a dumb thing to do.