Forensics , Next-Generation Technologies & Secure Development , Security Operations

Facing Cyber Extortion? Step 1: Don't Panic

Too Many Organizations Erase Forensic Evidence, Investigator Ondrej Krehel Warns

Has your organization suffered a ransomware outbreak? Are cyber extortionists threatening to unleash a logic bomb in your enterprise network unless you send bitcoins? Are you being blackmailed by a cybercrime gang claiming they'll release your stolen documents unless you pay them to behave?

See Also: SOC Modernization: Set Plays for Success with Earvin “Magic” Johnson

Too often when organizations get shaken down by online criminals, they panic, and in the process make the predicament they're facing even worse, warns Ondrej Krehel, digital forensics lead and CEO of New York-based LIFARS, a digital forensics and cybersecurity intelligence firm.

In particular, Krehel says, many IT departments respond to signs of ransomware outbreaks or other types of cyber extortion by wiping infected systems or reinstalling operating systems. By doing so, however, they could be erasing crucial forensic evidence that might help validate whether attackers are telling the truth about having stolen data or to ascertain how bad the breach actually was.

Instead, Krehel says organizations need to take a big step back, think carefully about how to proceed, avoid destroying any evidence, and preferably call an expert. "For us, every piece of electronic information is actually evidence," he says, because it can help digital forensic investigators "find out what happened, how it happened, what data had been exfiltrated, and what the intentions of the attackers really were."

In this video interview at Information Security Media Group's recent New York Fraud and Breach Prevention Summit, Krehel discusses:

  • Digital evidence-gathering essentials;
  • How ransomware gangs procure their toolkits;
  • The rise in attacks that encrypt interfaces to backups.

Before founding LIFARS, Krehel was information security officer of Identity Theft 911 and digital forensic examiner for Stroz Friedberg. He teaches cybersecurity and digital forensics at St. John's University and is on the advisory board of the Prague-based, cybersecurity-focused QuBit Conference.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.