A New Ransomware Scam: Fraud by the Incident Responders
In February 2018, Oxford Biomedica, a large biological research company in Oxford, UK, was hit by a ransomware attack. The hackers were demanding more than £300,000 in ransom. Oxford invoked its incident response plan and called in its team. One member of Oxford’s internal incident response team, Ashley Liles, had a brilliant idea—he was going to help himself to the ransom payment.
Liles examined the attackers’ ransom demands and then modified them—creating new ransom demands that were almost identical to those of the attacker with one minor change: The bitcoin wallet into which the ransom was to be paid. Liles replaced the attackers’ bitcoin wallet address with his own. He forged emails that looked identical to those of the attackers, with an email address that also was nearly identical.
The now-28-year-old security analyst not only forged emails from the attackers but also accessed the email of a member of Oxford’s board of directors and changed the attacker’s email to his own (with his own payment instructions). Posing as the attacker, Liles also pressured that board member to pay the ransom.
Unfortunately for Liles, Oxford decided not to pay the ransom. In the 1983 movie “Body Heat,” Mickey Rourke said to William Hurt (his lawyer), “Any time you try a decent crime, you got fifty ways you’re gonna [screw] up. If you think of twenty-five of them, then you’re a genius. And you ain’t no genius.” Apparently, Liles did not do enough to cover his tracks; investigators were able to track the emails and ransom demands back to him and the emails back to an IP address at his house.
Liles initially insisted that he was innocent until he got to court. This week, he pled guilty to a variety of computer and extortion offenses, and a sentencing hearing is set for July 2023.
So, I guess the message is not to trust anyone. Or rely on the fact that, any time someone tries a decent crime, they’ve got fifty ways they’re gonna [screw] up. Let’s hope they don’t think of even 25.
