Transatlantic Cyber Investigation Unmasks Insider Threat, Preempts Ransom Attempt

How Kroll Helped

• Because the client’s information security team was located in the U.S., they initially reached out to the New York office of Kroll where our Cyber Risk team began the investigation. One of Kroll’s senior forensic examiners in the New York office analyzed the ransom email message and found several leads that resulted in the identification of a suspect Gmail address.
• Additionally, through the deployment of the Kroll Responder tool and other sophisticated forensic methods, our forensic investigators were able to detect early on that an external cybercriminal infiltration was the source of the threat. That finding, coupled with the type of data displayed in the ransom note, pointed to an insider threat. Interviews with the client’s staff led us to focus on a former employee who had been asked to leave the company a few years ago. 
• As it happened, the client still had that former employee’s company-provided computer at its European location. Sensitive to EU General Data Protection Regulation (GDPR) mandates, one of Kroll’s senior forensic examiners based in London was enlisted to analyze the computer. His review uncovered that an old smartphone profile once connected to that machine had clear connections to the Gmail address used for the ransom note.
• In addition to isolating information that identified the likely culprit, our Cyber Risk team deployed Kroll’s CyberDetectER DarkWeb to determine if any of the sensitive data had already been posted to dark web, including closed source forums. Our findings of no evident leaks provided a measure of peace of mind to the client.

Key Deliverables

• Kroll provided our findings to the client’s attorneys, who initiated a criminal complaint with the local jurisdiction police. Our sensitivity to GDPR-related concerns eliminated a potential weakness in the body of evidence. The police noted that Kroll’s well-documented and conclusive file of evidence enabled them to move quickly to apprehend the suspected former employee.
• The evidence was so overwhelming that when the police presented it to the former employee, he immediately admitted his guilt as well as his continued unauthorized access to the client’s network.
• The police seized several computers at the former employee’s home, on which they found significant amounts of the client’s data, including the passwords to bank accounts identified in the ransom message. Although the former employee claimed he held these passwords lawfully, the client was made aware so as to ensure the passwords were changed.
• More troublesome still was the discovery of massive amounts of data (including emails) dating from after the former employee’s departure from the company. He acquired this data through various means, including his access to enterprise applications, such as Salesforce, which had not been terminated at the end of his employment.
• As a result of Kroll’s work, the client joined the public action as a civil party in order to seek indemnification of the damages it sustained.
• The client has also used Kroll’s findings to inform a review of its data security policies and procedures, particularly those that relate to fully terminating all network access privileges of employees or third parties at the end of their relationship with the company.