Cybercrime , Fraud Management & Cybercrime , Ransomware

Report: UK's Largest Forensics Firm Pays Ransom to Attacker

As More Victims Pay, Experts Warn of Criminals Becoming Further Emboldened
Report: UK's Largest Forensics Firm Pays Ransom to Attacker
Photo: WorldSkills UK via Flickr/CC

Britain's biggest provider of forensic services has paid a ransom to attackers who crypto-locked its systems with ransomware, the BBC reports.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

Eurofins did not immediately respond to a request for comment. The private testing firm provides DNA testing, toxicology analysis, testing of firearms as well as digital computer forensics for many British police forces.

Officials warn that the ransomware outbreak has led to delays in police investigations and court cases and that the full effect remains unknown. In the wake of the outbreak, British police forces suspended or dramatically curtailed their use of Eurofins and begun routing high-priority DNA and blood sample testing to other private forensic service providers. The incident follows the U.K. government in 2012, in a widely criticized move, closing its own Forensic Science Service, which supported England and Wales, and opting instead to rely exclusively on private firms.

Security experts say the ransom payment by Eurofins appears to be part of an alarming trend involving ill-prepared organizations failing to invest in proper defenses and then paying attackers for the promise of a decryption key (see Second Florida City Pays Up Following Ransomware Attack).

Legally speaking, both Britain's National Crime Agency as well as the FBI have said that it's up to organizations and individuals in the U.K. and U.S. to decide whether to pay. But both have urged potential ransomware victims to better prepare rather than to ever have to consider paying.

"I'm amazed Eurofin have paid up," Alan Woodward, a professor of computer science at the University of Surrey, tells Information Security Media Group. "Compare and contrast with St. John Ambulance. With the payments being made in the U.S., I worry they are emboldening the criminals, it's no wonder this is still the biggest form of cybercrime."

In contrast to Eurofins, St. John Ambulance, a charity organization that teaches and provides first aid and emergency medical services, this week issued a statement saying it had been hit by ransomware. The organization did not pay a ransom.

"At 9.00 a.m. on Tuesday, July 2, St John Ambulance was subjected to a ransomware attack. This has not affected our operational systems and we resolved the issue within half an hour," the organization says in a statement.

"This means that we were temporarily blocked from accessing the system affected and the data customers gave us when booking a training course was locked," it adds. "We are confident that data has not been shared outside St John Ambulance."

St John Ambulance says it's informed police about the attack, as well as Britain's privacy watchdog, the Information Commissioner's Office - Britain's privacy regulator - as well as the Charity Commission.

Police Recommend: Prepare, Don't Pay

Warnings against paying attackers are longstanding. As Christopher Stangl, then section chief of the FBI's Cyber Division, told ISMG in 2016: "Payment of extortion monies may encourage continued criminal activity."

It's unclear when Eurofins may have paid the ransom. On Monday, June 3, it announced that the prior weekend, its systems had been hit by ransomware.

On June 24, Eurofins reported that by June 4, "we were able to resume full or partial operations for a number of impacted companies and have continued to do so every day since then." By June 17, it says, "the vast majority of affected laboratories' operations had been restored," and by last week, "the production and reporting IT systems of essentially all those that remained became operational again."

The organization says it expects to complete full systems restoration by the end of next week.

Essential Ransomware Defenses

Woodward says organizations need to be better prepared to block and respond to ransomware attacks.

"There's so much good advice out there on how to mitigate and respond to these incidents, why are so many still ill prepared? And why are the insurers still paying up? There must be a point very soon where the insurers will say: 'No more.'"

For guidance, Woodward says all organizations should implement best practices for protecting organizations against ransomware, as well as for protecting systems against malicious Microsoft Office macros, issued by Britain's National Cyber Security Center. The NCSC is the public-facing arm of intelligence agency GCHQ, and is the lead government agency for incident response (see Police and NCSC to Breach Victims: We Won't Tell Regulators).

Examples of good security practice that the NCSC recommends to defend against ransomware include:

  • Defending against phishing attacks
  • Vulnerability management and patching
  • Controlling code execution
  • Filtering web browsing traffic
  • Controlling removable media access

"It's all about mitigation as a first line and then having an incident response plan and capability," Woodward says (see Wipe Away the Threat of Wiper Attacks).

Many organizations already have easy access to these types of capabilities, if they would only configure their systems correctly, including when it comes to managing Microsoft Office macros, Woodward says.

"The sad thing is that there are solutions already in place they just need to be configured. Things like preventing lateral movement with networks, preventing macros in emails," he says. "Imagine you're running a Microsoft Active Directory-based IT estate. It has what you need, you just have to put the correct policies in place, and segment your network appropriately."

Similarly, he says locking down organizations against macros is a simple process.

"There is a lot of misunderstanding about policies and macros," he says. "Some believe it will affect all those using macros - such as the finance department. Some think it will take a long time to configure. But that is not so."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.