Facing Cyber Extortion? Step 1: Don't PanicToo Many Organizations Erase Forensic Evidence, Investigator Ondrej Krehel Warns
Has your organization suffered a ransomware outbreak? Are cyber extortionists threatening to unleash a logic bomb in your enterprise network unless you send bitcoins? Are you being blackmailed by a cybercrime gang claiming they'll release your stolen documents unless you pay them to behave?
Too often when organizations get shaken down by online criminals, they panic, and in the process make the predicament they're facing even worse, warns Ondrej Krehel, digital forensics lead and CEO of New York-based LIFARS, a digital forensics and cybersecurity intelligence firm.
In particular, Krehel says, many IT departments respond to signs of ransomware outbreaks or other types of cyber extortion by wiping infected systems or reinstalling operating systems. By doing so, however, they could be erasing crucial forensic evidence that might help validate whether attackers are telling the truth about having stolen data or to ascertain how bad the breach actually was.
Instead, Krehel says organizations need to take a big step back, think carefully about how to proceed, avoid destroying any evidence, and preferably call an expert. "For us, every piece of electronic information is actually evidence," he says, because it can help digital forensic investigators "find out what happened, how it happened, what data had been exfiltrated, and what the intentions of the attackers really were."
In this video interview at Information Security Media Group's recent New York Fraud and Breach Prevention Summit, Krehel discusses:
- Digital evidence-gathering essentials;
- How ransomware gangs procure their toolkits;
- The rise in attacks that encrypt interfaces to backups.
Before founding LIFARS, Krehel was information security officer of Identity Theft 911 and digital forensic examiner for Stroz Friedberg. He teaches cybersecurity and digital forensics at St. John's University and is on the advisory board of the Prague-based, cybersecurity-focused QuBit Conference.