If you genuinely suspect a member of your own cyber security team is abusing company infrastructure to launch ransomware attacks against external victims, the situation must be handled extremely carefully. You are potentially dealing with:
- serious criminal activity
- evidence that may be required by law enforcement
- employee monitoring laws
- significant reputational risk for your company
The goal is not to “catch them out” informally. The goal is to secure evidence, protect the company, and follow a legally defensible investigation process.
Below is the approach typically recommended by security, HR, and legal experts in the UK.
Treat the situation as a potential insider threat investigation

Understand the risk profile
Insider threats are one of the hardest security risks to detect because the person involved often has:
- legitimate system access
- technical knowledge of monitoring tools
- familiarity with logging systems
- awareness of investigative techniques
Guidance from the National Cyber Security Centre highlights that insider threats must be investigated carefully using structured processes to avoid destroying evidence or breaching employment law.
Step 1: Escalate the concern confidentially
Do not investigate alone
Before starting any covert monitoring, escalate the concern to a very small trusted group inside the organisation.
This usually includes:
- the Chief Information Security Officer (CISO)
- HR leadership
- legal counsel
- potentially the risk or compliance department
This protects you and ensures the investigation is conducted lawfully.
Why this matters:
- employee monitoring must comply with UK GDPR and the Data Protection Act 2018
- disciplinary actions require documented procedures
- evidence must be collected properly if law enforcement becomes involved
Step 2: Preserve logs and evidence immediately

Protect historical activity
If ransomware activity has occurred using company infrastructure, existing logs may contain crucial evidence.
Immediately ensure that logs from the following systems are preserved:
- firewalls
- VPN gateways
- endpoint detection systems
- cloud platforms
- authentication services
- security monitoring platforms
Do not modify or purge logs.
Proper evidence preservation is essential if the case is referred to authorities such as the National Crime Agency.
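One practical way to preserve exported logs is to hash every file at collection time and keep a chain-of-custody manifest, so that a later reviewer (or law enforcement) can show the copies were not altered. The script below is an added example, not code from the original article: it assumes the logs have already been exported into a directory (that export is platform specific), and the manifest layout, the collector name, the case reference and the sample log lines are all constructed placeholders.

```python
"""Added example (not from the original article): preserve exported log files
with SHA-256 hashes and a chain-of-custody manifest, then re-verify them.

Assumptions: logs were already exported into a directory; the manifest format,
collector name, case reference and sample log content are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_ref: str) -> dict:
    """Hash every file under evidence_dir and record who collected it and when."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "file": os.path.relpath(path, evidence_dir),
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_ref": case_ref,  # internal reference; a placeholder here
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def write_manifest(manifest: dict, out_path: str) -> str:
    """Write the manifest and return its own SHA-256, to be recorded separately
    (for example in the HR/legal case file) so the manifest cannot be quietly
    rewritten either."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(out_path)


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Re-hash the files and return the names of any that are missing or changed."""
    tampered = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            tampered.append(entry["file"])
    return tampered


def demo() -> tuple:
    """Constructed demonstration: two small log exports, one altered after
    collection. Returns (files in manifest, list of files that no longer match)."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="manifest_"), "manifest.json")
    # Constructed sample log content, not real data (documentation-range IPs).
    samples = {
        "vpn_gateway.log": "2024-05-01T02:13:07Z user=jdoe src=203.0.113.9 action=connect\n",
        "firewall.log": "2024-05-01T02:14:55Z src=10.0.5.23 dst=198.51.100.77 bytes=52428800 action=allow\n",
    }
    for name, content in samples.items():
        with open(os.path.join(evidence_dir, name), "w", encoding="utf-8") as f:
            f.write(content)

    manifest = build_manifest(evidence_dir, collector="analyst-placeholder", case_ref="CASE-PLACEHOLDER")
    write_manifest(manifest, manifest_path)

    # Simulate someone editing a log after it was collected.
    with open(os.path.join(evidence_dir, "firewall.log"), "a", encoding="utf-8") as f:
        f.write("tampered line\n")

    return len(manifest["files"]), verify_manifest(evidence_dir, manifest)


if __name__ == "__main__":
    print(demo())
```

Record the manifest's own hash somewhere the suspect cannot reach (the HR or legal case file is the usual place) and store the evidence copies on write-once or access-restricted storage; the manifest proves integrity, it does not by itself prevent deletion.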
Step 3: Perform discreet log analysis
Focus on anomalies rather than the individual initially
Instead of targeting the employee directly at first, analyse behaviour patterns across the environment.
Look for indicators such as:
- unusual outbound traffic patterns
- encrypted traffic to suspicious infrastructure
- connections to known ransomware command-and-control servers
- large file transfers to external destinations
- activity outside normal working hours
Security teams often use SIEM and threat-hunting tools to identify behavioural anomalies without singling out a suspect prematurely.
Step 4: Use behaviour analytics tools

Identify abnormal user behaviour
Modern security systems include User and Entity Behaviour Analytics (UEBA).
These tools detect patterns such as:
- unusually large data transfers
- unexpected system access
- use of privileged tools outside normal duties
- lateral movement across the network
UEBA allows you to identify suspicious activity without directly confronting the employee or alerting them.
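To show what Steps 3 and 4 look like in practice, here is an added example (not code from the original article) that runs a small threat-hunting pass over constructed outbound-connection log lines. It applies the rule-based indicators from Step 3 (activity outside working hours, large transfers, connections to denylisted destinations) and the baseline idea behind UEBA in Step 4 (each user's outbound volume compared with the median of their peers), reporting per user rather than starting from a named suspect. The key=value line format, the working-hours window, the size threshold, the usernames and the denylist entries are all constructed for the example; in practice the denylist comes from your threat-intelligence feed and the thresholds from your own environment.

```python
"""Added example (not from the original article): rule-based indicators plus a
peer-volume baseline over constructed outbound-connection logs.

Assumptions: log format, working hours, thresholds, usernames and denylist
entries are all constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

WORKING_HOURS = range(7, 20)               # 07:00-19:59 UTC counts as normal (assumption)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # 100 MiB in one event (assumption)
# Placeholder standing in for threat-intel indicators (documentation-range IP).
DENYLISTED_DESTINATIONS = {"198.51.100.77"}
PEER_RATIO = 5.0                           # flag a user at 5x the peer median volume

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
ts=2024-05-01T09:12:01Z user=alice dst=192.0.2.10 bytes_out=1048576
ts=2024-05-01T10:30:45Z user=bob dst=192.0.2.11 bytes_out=2097152
ts=2024-05-01T11:02:13Z user=carol dst=192.0.2.12 bytes_out=1572864
ts=2024-05-01T14:45:00Z user=alice dst=192.0.2.13 bytes_out=3145728
ts=2024-05-02T02:13:07Z user=dave dst=198.51.100.77 bytes_out=524288
ts=2024-05-02T02:41:19Z user=dave dst=203.0.113.5 bytes_out=262144000
ts=2024-05-02T09:05:33Z user=dave dst=192.0.2.14 bytes_out=1048576
"""


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict, converting the timestamp and byte count."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def rule_indicators(rec: dict) -> list:
    """Step 3 style indicators for a single event."""
    hits = []
    if rec["ts"].hour not in WORKING_HOURS:
        hits.append("off_hours")
    if rec["bytes_out"] >= LARGE_TRANSFER_BYTES:
        hits.append("large_transfer")
    if rec["dst"] in DENYLISTED_DESTINATIONS:
        hits.append("denylisted_destination")
    return hits


def hunt(log_text: str) -> dict:
    """Return {user: sorted indicator names} for every user with at least one hit."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = defaultdict(set)
    volume = defaultdict(int)
    for rec in records:
        volume[rec["user"]] += rec["bytes_out"]
        findings[rec["user"]].update(rule_indicators(rec))
    # Step 4 style baseline: compare each user's total with the median of the others.
    for user, total in volume.items():
        peers = [v for u, v in volume.items() if u != user]
        if peers and total > PEER_RATIO * median(peers):
            findings[user].add("volume_above_peer_baseline")
    return {u: sorted(h) for u, h in findings.items() if h}


if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_LOG).items():
        print(user, hits)
```

A real UEBA product baselines per user over weeks of history rather than against a handful of peers on one day, but the shape is the same: rule hits and baseline deviations are both attached to the account, so the analyst reviews a ranked list of accounts instead of searching for a name.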
Step 5: Review access privileges
Confirm whether the employee has excessive permissions
Insider attacks often rely on privileged access.
Review whether the employee has:
- administrator privileges
- direct access to infrastructure servers
- access to penetration testing tools
- ability to modify logging systems
If privileges exceed what is required for their role, they may need to be adjusted as part of routine security governance rather than as an obvious investigation step.
Step 6: Examine security tool usage

Check whether tools are being misused
A security staff member might attempt to disguise ransomware activity using legitimate tools.
Audit logs should reveal:
- penetration testing tools running outside authorised testing windows
- scripts or binaries deployed without change approval
- security tools used against external targets without authorisation
- attempts to disable monitoring or logging
Correlating tool usage with network activity is often revealing.
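The audit described in this step can be scripted against an endpoint process-audit export and the change tickets that authorise testing. The following is an added example, not code from the original article: it reads constructed JSON-lines process events, checks each penetration-testing tool run against a list of approved testing windows, and flags runs outside any approved window, runs whose target is outside the ticket's scope or outside the organisation's own address ranges, and any invocation of log or audit-control utilities. The event format, ticket ids, usernames, address ranges and tool lists are constructed placeholders; adapt them to your EDR export and change-management records.

```python
"""Added example (not from the original article): audit security-tool usage
against authorised testing windows.

Assumptions: event format, ticket ids, usernames, address ranges and the tool
lists are constructed placeholders.
"""
import ipaddress
import json
from datetime import datetime

PENTEST_TOOLS = {"nmap", "sqlmap"}                 # extend with the tools your team actually uses
LOGGING_CONTROL_TOOLS = {"auditctl", "wevtutil"}   # audit/log management utilities; any use gets reviewed
ORG_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # the organisation's own address space (assumption)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed approved testing windows (change tickets); ids are placeholders.
AUTHORISED_WINDOWS = [
    {"ticket": "CHG-PLACEHOLDER-1", "user": "alice", "tool": "nmap",
     "start": parse_ts("2024-05-06T09:00:00Z"), "end": parse_ts("2024-05-06T17:00:00Z"),
     "scope": [ipaddress.ip_network("10.0.5.0/24")]},
]

# Constructed endpoint process-audit events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2024-05-06T10:15:00Z", "user": "alice", "host": "ws-01", "tool": "nmap", "target": "10.0.5.0/24"}
{"ts": "2024-05-06T11:00:00Z", "user": "alice", "host": "ws-01", "tool": "nmap", "target": "10.0.9.0/24"}
{"ts": "2024-05-06T23:40:00Z", "user": "alice", "host": "ws-01", "tool": "nmap", "target": "203.0.113.0/24"}
{"ts": "2024-05-07T11:00:00Z", "user": "bob", "host": "ws-02", "tool": "auditctl", "target": ""}
{"ts": "2024-05-07T12:00:00Z", "user": "carol", "host": "ws-03", "tool": "python3", "target": ""}
"""


def in_ranges(target: str, ranges) -> bool:
    """True if the target host or network sits entirely inside one of the ranges."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def matching_window(event: dict):
    """Return the approved ticket covering this user, tool and time, or None."""
    ts = parse_ts(event["ts"])
    for w in AUTHORISED_WINDOWS:
        if w["user"] == event["user"] and w["tool"] == event["tool"] and w["start"] <= ts <= w["end"]:
            return w
    return None


def audit_event(event: dict) -> list:
    """Reasons this event deserves review; an empty list means nothing to flag."""
    reasons = []
    if event["tool"] in PENTEST_TOOLS:
        window = matching_window(event)
        if window is None:
            reasons.append("outside_authorised_window")
            if not in_ranges(event["target"], ORG_RANGES):
                reasons.append("external_target")
        elif not in_ranges(event["target"], window["scope"]):
            reasons.append("target_outside_ticket_scope")
    if event["tool"] in LOGGING_CONTROL_TOOLS:
        reasons.append("logging_control_tool")
    return sorted(reasons)


def audit(events_text: str) -> list:
    """Run every event through audit_event and keep those with findings."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = audit_event(event)
        if reasons:
            findings.append((event["ts"], event["user"], event["tool"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```

Joining these findings to the network logs from the earlier steps (same user, same time window) is the correlation the text refers to: a tool run outside an approved window that lines up with a large outbound transfer is far stronger evidence than either observation alone.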
Step 7: Conduct endpoint investigation if evidence emerges
Carefully examine the suspect workstation
If strong indicators appear, forensic analysis of the employee’s workstation may be required.
This should only occur after consultation with:
- HR
- legal advisors
- senior security leadership
Forensic review may examine:
- installed software
- command history
- encrypted communication tools
- suspicious files
- external storage devices
Proper forensic procedures ensure evidence remains admissible.
Step 8: Consider notifying law enforcement

Criminal activity may require external reporting
If credible evidence suggests ransomware activity, the company should consider contacting authorities.
Possible reporting channels include:
- Action Fraud
- the National Crime Agency
Launching ransomware attacks could breach several laws including the Computer Misuse Act 1990.
Law enforcement may wish to take over the investigation.
Step 9: Avoid tipping off the suspect
Maintain normal operational behaviour
If the suspect realises they are being investigated, they may:
- delete evidence
- disable logs
- exfiltrate company data
- accelerate malicious activity
Therefore:
- maintain normal working relationships
- avoid unusual questioning
- conduct analysis quietly through monitoring tools
Any confrontation should occur only after evidence is secured.
Key legal considerations
Monitoring employees must be lawful
In the UK, workplace monitoring must follow guidance from the Information Commissioner’s Office.
Employers should ensure:
- monitoring is proportionate
- employees are aware monitoring may occur
- data protection laws are followed
Legal oversight is essential before conducting targeted monitoring.
Final perspective
An insider ransomware attack is one of the most serious threats an organisation can face.
The correct response is not a quiet personal investigation, but a structured insider-threat process involving security leadership, HR, legal advisers, and potentially law enforcement.
Handled correctly, the investigation will:
- protect the company
- preserve critical evidence
- comply with UK employment and data protection law
- prevent further misuse of corporate cyber infrastructure
And if the suspicion proves correct, the company will have handled the situation in a way that is legally defensible and professionally responsible.
We have created professional, high-quality downloadable PDFs at great prices, specifically for small and medium UK businesses, on our main website. They include a range of helpful cyber security documents and real-world scenarios your business might experience, showing what to do and how to protect your business. Find them here.