The Rise of Ransomware and Legal Countermeasures

Ransomware attacks, vicious malware that locks users out of their devices or blocks access to files until a sum or money is paid, are becoming increasingly prevalent across the globe.

The Rise of Ransomware

Only this week, smartwatch company Garmin was forced to shut down its call centres, website and other online services after a ransomware attack encrypted its internal network and production systems.

This form of cyberattack is a very effective money-maker for criminals, as the encryption used is practically impossible to break. If a company falls victim to such an attack, the only way to get encrypted files back is to restore a recent backup or pay the ransom. The problem is that backups often fail. Increasingly, companies are paying ransoms in order to get their systems back online, as the cost of their business being completely frozen and unable to function is greater than the ransom sum. In 2017, South Korean web provider Nayana paid a $1 million ransom after its 3,400 websites were shut down by malware.

Research published this year by CyberEdge shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017. 62% of organizations were victimized by ransomware in 2019, up from 56% in 2018 and 55% in 2017. In 2017, only 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure increased to 45% in 2018, then again to 58% in 2019.

Legal countermeasures

When a company has no choice but to pay a ransom to get their business back online, does it have any means of subsequently recovering that money and tracing the perpetrators? The English Court is well-equipped to assist in these situations.

The first step is to freeze the monies where they were paid. The English Court is one of only two jurisdictions in the world which can grant a civil worldwide freezing order. Recently, the Court has been able to go further by making worldwide freezing orders (and proprietary injunctions, if a proprietary claim is available) against 'persons unknown' where the defendants' identities are unknown to the victim. This means that the claimant does not need a named defendant, only a 'class' of defendants, enabling it to launch an application for a freezing order quickly. The description given for the persons unknown must be sufficiently certain to be able to determine who falls inside this class and who falls outside of it. That description is usually derived from the receiving bank accounts to which the monies were paid , e.g. persons unknown (being the holder(s) and authorised signatory(ies) to the account held at X Bank with account number XXX).

The 'persons unknown' jurisdiction can be highly effective in freezing monies extorted by ransom. Once a freezing order is obtained, it can be served on banks who will freeze the relevant account (if the relevant bank is overseas, the freezing order will typically need to be domesticated in the local jurisdiction). Not only can this approach halt the onward flow of the monies, the claimant can concurrently apply for disclosure orders against the banks to obtain the KYC information related to the relevant accounts in order to trace the identities of the perpetrators of the ransom, which can include addresses, email address and telephone numbers.

However, cyber criminals are increasingly demanding that payment of ransoms is made in cryptocurrency, where identities are easier to hide than with traditional banking arrangements. The English Court has already addressed this scenario, in the case of AA v Persons Unknown & Bitfinex [2019] EWHC 3556. The Claimant was the insurer of a Canadian company whose systems had been frozen by malware. The perpetrators demanded a $950,000 ransom which was paid in order to acquire the decryption tool. A blockchain analysis firm working for the insurer was able to trace the transfer of the Bitcoins to a specific address, an exchange called Bitfinex. The claimant then applied for a persons unknown proprietary freezing injunction against those persons which demanded the Bitcoin and those persons who now held the Bitcoin. It also sought a proprietary freezing injunction and disclosure against Bitfinex, which was incorporated in the British Virgin Islands. The injunctions were granted by the Court and Bitfinex was required to disclose the identities of those holding the Bitcoin on the blockchain, which would enable the claimant to trace the perpetrators.
 
If a company falls victim to a ransomware attack and has no choice but to pay that ransom, it could nevertheless (and provided there is a connection with the UK jurisdiction) line up an application for a persons unknown freezing injunction to be launched after the monies are paid in order to trace those monies, freeze them, and acquire information to identify the perpetrators. Fieldfisher has significant experience in this area and has successfully recovered monies for clients using the persons unknown jurisdiction.