A New Ransomware Scam: Fraud by the Incident Responders

In February 2018, Oxford Biomedica, a large biological research company in Oxford, UK, was hit by a ransomware attack. The hackers were demanding more than £300,000 in ransom. Oxford invoked its incident response plan and called in its team. One member of Oxford’s internal incident response team, Ashley Liles, had a brilliant idea—he was going to help himself to the ransom payment.

Liles examined the attackers’ ransom demands and then modified them, creating new ransom demands that were almost identical to those of the attackers with one minor change: the bitcoin wallet into which the ransom was to be paid. Liles replaced the attackers’ bitcoin wallet address with his own. He forged emails that looked identical to those of the attackers, sent from an email address that was also nearly identical.

The now-28-year-old security analyst not only forged emails from the attackers but also accessed the email of a member of Oxford’s board of directors and changed the attacker’s email to his own (with his own payment instructions). Posing as the attacker, Liles also pressured that board member to pay the ransom.

Unfortunately for Liles, Oxford decided not to pay the ransom. In the 1983 movie “Body Heat,” Mickey Rourke said to William Hurt (his lawyer), “Any time you try a decent crime, you got fifty ways you’re gonna [screw] up. If you think of twenty-five of them, then you’re a genius. And you ain’t no genius.” Apparently, Liles did not do enough to cover his tracks; investigators were able to trace the emails and ransom demands back to him, and the emails to an IP address at his house.

Liles insisted that he was innocent until he got to court. This week, he pled guilty to a variety of computer and extortion offenses, and a sentencing hearing is set for July 2023.

So, I guess the message is not to trust anyone. Or rely on the fact that, any time someone tries a decent crime, they’ve got fifty ways they’re gonna [screw] up. Let’s hope they don’t think of even 25.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
