Update: Hacked Eurofins police forensic lab pays ransom

News by SC Staff

Police forensics provider Eurofins Scientific, victim of ransomware attack last month, is reported by the BBC to have paid a ransom to the attackers.

Eurofins Scientific, the forensic lab responsible for half the UK police’s outsourced forensic work has paid a ransom to criminals after its IT systems were disrupted in a cyber-attack, according to a BBC News report

No sources or payment amount are cited and there is no confirmation of ransom payment from the company or police but the BBC News report states that ‘it has learned’ that this is the case and suggests that the ransom is likely to have been paid between 10 June, when Eurofins reported the attack, and June 24 when it published what the BBC describes as ‘an optimistic update. That said it had "identified the variant of the malware used" in the attack and had strengthened its cyber-security.

UK Police and law enforcement agencies have continued their suspension of the use of Eurofins. The BBC reports the UK Crown Prosecution Service saying: "We are working to make sure all hearings remain fair and based on reliable evidence. While investigations are ongoing, prosecutors will assess the impact on a case by case basis. Cases where forensic evidence does not play a major role will continue as ‎usual if all parties agree. If ‎test results provided by Eurofins are central, we will seek to adjourn cases for the shortest possible period."

Under an emergency police response led by the National Police Chiefs' Council (NPCC), DNA and blood samples needing urgent testing were sent to other suppliers. Nonetheless some court hearings were postponed because Eurofins analysis results were  not accessible.

In an email to SC Media UK Jake Moore, cyber security specialist at ESET commented: "These attacks highlight the need for regular backups to be commonplace in all data-reliant businesses. In an ideal situation, Eurofins will have had a recent back-up to restore data which would have neutralised any negative effect on the company’s operations, beyond the inconvenience of having to restore their data from back-ups. With the recent news of ransomware attacks yielding over 1.1 million dollars in Florida, and headlines of companies paying attackers to retrieve their data increasing, these types of malware attacks are only likely to increase. With every headline of successful ransomware which yielded payment from a firm, criminals are encouraged to pursue this attack vector. Moreover, succumbing to the attackers and paying the ransom supports further crime operations."

The other issue is that,  as Dr. Guy Bunker, CTO at Clearswift,  points out, even when firms do pay the ransom, they may not actually get the data back – hackers are not to be trusted. And ‘successful’ cyber-attacks where ransoms are paid, can seriously jeopardise the reputation of a firm - particularly when its a police sub-contracting rewarding criminals.

In an email to SC Media UK Bunker commented: 

"Hackers should not be trusted to honour a ransom agreement – they are criminals after all. Somewhere around 70 percent of companies who pay do not get their data back. Even if you do get it back, the malware is still in the network and can easily re-emerge at a later date to do it all again. The general advice is not to negotiate. 

"However, we know some organisations do pay the ransom as they then find there is no way to recover their data. Organisations need to put an appropriate backup solution in place and regularly check that they can recover the data and that their entire estate of critical information is covered by the backup. There are insidious attacks which can over time end up corrupting backups, so there needs to be provision for this type of attack as well, verifying the data that is backed up is the same that is ‘live’, in order to watch for any insidious attacks.

"In the future, we hope to see fewer firms opting to simply pay the ransom as opposed to challenging it. Without appropriate process and precautions, firms risk 'successful' security attacks damaging the reputation of the organisation. However, the impact is really only felt if there is competition which existing customers can move to. Despite this, it is vital to have suitable security so as to now have the issue of reputational damage in the first place."

Original SC Media UK report below:

Despite police forensics company Eurofins Scientific reporting that all is back to normal after suffering a ransomware attack three weeks ago, the UK police announced that it has suspended its work with the company, its largest forensics services provider.

Eurofins, confirmed on 3 June that it was victim of a ransomware attack, putting global agencies including the National Cyber Security Centre (NCSC) on high alert, but has been reporting that all is now back to normal.

"The production and reporting IT systems of essentially all those that remained became operational again during the past week," the organisation announced on 24 June. "Restoration operations are continuing for some less important back office and software development systems as well as in a few companies (representing less than two percent of the group’s revenues) some specific procedures required before restart of certain activities that are anticipated to be completed by the end of next week."

"The pattern of this attack as well as information from law enforcement and independent cyber-security experts lead us to believe that this attack has been carried out by highly sophisticated well-resourced perpetrators," the Luxembourg-based company said on 10 June in an update on the attack. "The investigations conducted so far by our internal and external IT forensics experts have not found evidence of any unauthorised theft or transfer of confidential client data."

The repercussions of the breach were huge, including the UK police suspension of work. The company provides many scientific testing services -- including DNA analysis, ballistics and forensic works -- to governments and business organisations across the globe.

"The attack suffered by Eurofins Scientific has affected the IT systems its Forensics subsidiary, Eurofins Forensics Services, which is based in the UK and is one of the primary forensic services providers (FSPs) to UK policing," the announcement said. "As a result, the NPCC’s Forensic Gold Group took the decision to temporarily suspend all law enforcement submissions to Eurofins Forensics Services."

The Guardian estimated that the company covers 50 percent of the outsourced casework of the UK police force. James Vaughan, forensics lead at the National Police Chiefs’ Council told the newspaper that these services have been delegated to alternative suppliers.

"Since the huge WannaCry outbreak in 2017, there simply shouldn’t be an excuse for ransomware attacks to this level. If a company is struck by a fatal loss of data these days, they should be back up and running in no time," said Jake Moore, cyber security specialist at ESET, in an email to SC Media.

"Implementing protection from ransomware is so straightforward now and backups are simple to manage, so companies should be able to thwart the vast majority of these attacks. Furthermore, ransomware can highlight poor cyber- security within a network and therefore can even suggest another form of attack is imminent," he said.  

"Our priority is to limit harm to the UK and the public. We are supporting Eurofins Scientific and working closely with law enforcement colleagues to understand the full extent and impact of this incident," the NCSC announced on 21 June. "Experts are working closely with both Eurofins and the certified Cyber Incident Response (CIR) company employed by them, to support containment and remediation."

Dan Sloshberg, senior director at Mimecast, told SC Media that there could be more than mere ransom in this case. "Although most ransomware cases are financially motivated, in this case there’s a possibility that other factors are in play. There could be intent to wreak havoc by disrupting and tampering with evidence," he said.

The impact of this attack highlights the need of checking the security and resilience of an organisation’s supply chain. This breach has targeted a company that processes 50 percent of forensic testing, having far-reaching implications for the justice system, he noted.

Not all police forensics work is affected, and forces have been able to continue all fingerprint analysis and crime scene investigation as normal, according to the police statement. "It is too early to fully quantify the impact but we are working at pace with partners to understand and mitigate the risks," said NPCC’s Vaughan in the statement.

"Supply chain attacks are often coordinated, so relying on one company for a significant portion of your operations demands an effort to validate the defences they have in place before awarding a contract, and ideally on a regular ongoing basis," said Mimecast’s Sloshberg. "Otherwise, the knock-on effect of a successful attack can expose serious risks for your organisation."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop