A former IT security analyst who exploited an opportunistic ransomware attack to impersonate the attackers and conduct his own, secondary cyber attack on his employer has been convicted of blackmail and unauthorised access to a computer with intent to commit other offences, after completely failing to properly cover his tracks.
Ashley Liles, 28, of Letchworth Garden City in Hertfordshire, was employed with Oxfordshire-based Oxford Biomedica, a gene therapy specialist, when its systems were attacked and encrypted by an undisclosed ransomware operator on 27 February 2018.
In the wake of the cyber attack, Liles was tasked with incident response and worked closely alongside colleagues and law enforcement to try to mitigate the impact of the ransomware, but unbeknown to all of them, at the same time he began a separate, secondary attack against the company’s systems.
In the course of his own attack, Liles accessed a board member’s private emails on multiple occasions and altered the original ransom demand to change the payment address of the bitcoin wallet to which the ransomware gang was demanding payment.
In this way, he ensured that had Oxford Biomedica made a payment – which it did not – the money would have been diverted to Liles.
Liles also sent threatening emails to his employer to further pressurise them into paying up – a common tactic deployed by ‘genuine’ ransomware gangs during their attacks.
However, Liles did not appear to pay sufficient attention to his own operational security; his unauthorised access to the private email account was noticed and police were able to identify that the account was being accessed from his home address.
The South East Regional Organised Crime Unit’s (SEROCU’s) Cyber Crime Unit subsequently arrested Liles and searched his home, seizing multiple items including a computer, laptop, phone and USB stick.
Although Liles had wiped the devices to try to throw cops off the scent, his IT skills proved insufficient in this area as well, and forensics experts were later able to recover the data to be used as evidence at his trial.
Detective inspector Rob Bryant of SEROCU said: “I would like to thank the company and their employees for their support and cooperation during this investigation. I hope this sends a clear message to anyone considering committing this type of crime.
“We have a team of cyber experts who will always carry out a thorough investigation to catch those responsible and ensure they are brought to justice.”
Liles, who had initially tried to deny any involvement in the cyber attack, was convicted after changing his plea to guilty. He will be sentenced at Reading Crown Court in July 2023.