Transatlantic Cyber Investigation Unmasks Insider Threat, Preempts Ransom Attempt

A global software company based in Europe received an email from an anonymous source stating the sender had access to highly-sensitive data belonging to one of its European subsidiaries. The data included, but was not limited to, personally identifying information (PII) of staff and executives, confidential sales and purchase agreement (SPA) terms, banking information and source code for some of the firm’s intellectual property. The sender gave Kroll’s client two weeks to pay a ransom of one million euros in bitcoin to a number of cryptocurrency accounts; he threatened to start “spamming everyone” with the client’s data if his demand wasn’t met. 

Watch Managing Director Michael Quinn recount this case study:

Case Study – Transatlantic Cyber Investigation Unmasks Insider Threat, Preempts Ransom Attempt
How Kroll Helped
  • Because the client’s information security team was located in the U.S., they initially reached out to the New York office of Kroll where our Cyber Risk team began the investigation. One of Kroll’s senior forensic examiners in the New York office analyzed the ransom email message and found several leads that resulted in the identification of a suspect Gmail address.
  • Additionally, through the deployment of the Kroll Responder tool and other sophisticated forensic methods, our forensic investigators were able to detect early on that an external cybercriminal infiltration was the source of the threat. That finding, coupled with the type of data displayed in the ransom note, pointed to an insider threat. Interviews with the client’s staff led us to focus on a former employee who had been asked to leave the company a few years ago. 
  • As it happened, the client still had that former employee’s company-provided computer at its European location. Sensitive to EU General Data Protection Regulation (GDPR) mandates, one of Kroll’s senior forensic examiners based in London was enlisted to analyze the computer. His review uncovered that an old smartphone profile once connected to that machine had clear connections to the Gmail address used for the ransom note.
  • In addition to isolating information that identified the likely culprit, our Cyber Risk team deployed Kroll’s CyberDetectER DarkWeb to determine if any of the sensitive data had already been posted to dark web, including closed source forums. Our findings of no evident leaks provided a measure of peace of mind to the client.

Key Deliverables
  • Kroll provided our findings to the client’s attorneys, who initiated a criminal complaint with the local jurisdiction police. Our sensitivity to GDPR-related concerns eliminated a potential weakness in the body of evidence. The police noted that Kroll’s well-documented and conclusive file of evidence enabled them to move quickly to apprehend the suspected former employee.
  • The evidence was so overwhelming that when the police presented it to the former employee, he immediately admitted his guilt as well as his continued unauthorized access to the client’s network.
  • The police seized several computers at the former employee’s home, on which they found significant amounts of the client’s data, including the passwords to bank accounts identified in the ransom message. Although the former employee claimed he held these passwords lawfully, the client was made aware so as to ensure the passwords were changed.
  • More troublesome still was the discovery of massive amounts of data (including emails) dating from after the former employee’s departure from the company. He acquired this data through various means, including his access to enterprise applications, such as Salesforce, which had not been terminated at the end of his employment.
  • As a result of Kroll’s work, the client joined the public action as a civil party in order to seek indemnification of the damages it sustained.
  • The client has also used Kroll’s findings to inform a review of its data security policies and procedures, particularly those that relate to fully terminating all network access privileges of employees or third parties at the end of their relationship with the company. 


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Vulnerability Assessment

Proactively identify vulnerable systems and devices that may be exploited by an attacker or malicious software, often resulting in data loss or breach.


Cyber Policy Review and Design

Ensure that your cyber security policy has the appropriate controls needed to keep your organization's information secure with a remediation plan in place in the event of an incident.