Held to ransom by a cyberattack

Dominique Dolman and Lily Pidge from the Commercial Disputes Resolution Team consider the impact of a Cyberattack.

Introduction 

In the 1996 film, Ransom, Mel Gibson offers $2 million as a bounty for information leading to information surrounding his son’s kidnappers, promising to track down the criminals for as long as it takes until they are found.

A recent report published by the Information Commissioner’s Office (ICO) has identified that cybercrime incidents have increased by 36% compared to last year but the most alarming statistic reported by the ICO was that there had been a 289% increase in ransomware incidents. This is where computer systems are hacked and demobilised by Persons Unknown, until a ransom payment is made, usually in the form of cryptocurrency, in a further attempt to avoid detection by the authorities.

The International Crime Police Organisation, INTERPOL, also commissioned a similar report which concluded that cybercrime is increasing at an unprecedented rate, partly due to the Covid-19 pandemic. The assessment also identified a clear shift from targeting individuals and smaller businesses to global corporations and governments.

Corporates have had to adjust their IT systems at short notice to allow their employees to work from home. This has inevitably compromised security and privacy. It is much harder for corporates to train their employees regarding online safety and regulate employee behaviour. In addition, the increase of employees accessing the network has essentially opened multiple gateways and access points for criminal gangs to infiltrate the network and steal company passwords, confidential data and sometimes even money.

There can be no doubt that cybercrime is developing at an alarming rate in terms of both scale and sophistication. The technology and malware that criminal gangs deploy to facilitate criminal activity are always being improved which makes it harder for law enforcement authorities to stay ahead.

The most common cybercrimes often involve the use of hacking, phishing and malicious software such as ransomware. Such activities now often feature a covid element to them. For instance, INTERPOL have reported a significant increase in phishing emails alleging to contain key information about the pandemic. Equally, INTERPOL reported a 569% increase in malicious registrations of fraudulent websites in which the criminals have registered domain names containing keywords such as ‘covid’ and ‘coronavirus’.

Crypto-crime

Whether the crime is one of phishing or the deployment of malicious software, the end goal for the fraudsters involved will usually be to disable their victims’ computer systems and coerce them into making a substantial ransom payment. Through either business necessity, or sheer embarrassment of the failure of their internal IT security, the payment is often made quickly and the crime unreported, or at least, unsolved.

Cryptocurrency is becoming more popular than ever for such ransom payments with the fraudsters potentially located anywhere in the world and the payment being transferred through various crypto exchanges, by a quick click of a button.

However, whilst cryptocurrency payments are often difficult to trace as accounts are anonymous there is always a digital trail that can be followed and with the employment of crypto experts and specialist IT equipment, it is possible, in some cases (unlike cash payments) to trace the ransom payments though the blockchain footprint; identify the currency exchanges where the ransom payment has been transferred, and seek information from these exchanges to identify the key suspects.

Further, the English Courts are leading the way in providing remedies to assist in the recovery of cryptoassets, particularly when related to cyberattacks and other fraudulent activity. In particular, the English Judiciary has demonstrated a keen desire to utilise the existing tools that are currently available under the English legal system and adapt them to ensure there are legal remedies available to provide appropriate relief to those who seek the Court’s protection.

AA v Persons Unknown & Ors, re Bitcoin [2019]

The case of AA v Persons Unknown & Ors, re Bitcoin [2019] was the first of its kind to confirm that cryptoassets are ‘property’ and as such, the English Court determined that it had the ability to grant proprietary injunction relief and protective orders, on behalf of the applicant. 

Background

The case relates to the hacking of a Canadian insurance company (the “insurance company”) which had taken out insurance against cybercrime attacks, from an English insurance company, who wished to remain anonymous (“AA”). 

The English insurance company received a ransom note from the First Defendant (“Persons Unknown”) who demanded a ransom payment of over £1 million in Bitcoin in order to regain control over their IT systems. 

When making the ransom payment, AA employed the assistance of a specialist IT cryptocurrency fraud expert to track the payment. The expert was able to trace the payment of some of the Bitcoin which was held in the cryptocurrency exchange of Bitfinex, in the BVI. 

Once AA was able to trace and identify some of the Bitcoin ransom payment to Bitfinex, AA immediately made an ex parte (without notice) application to the English Court on an anonymised basis. The hearing was also conducted in private to avoid the risk of either a further retaliation cyberattack or dissipation of the Bitcoin ransom payment before enforcement steps had been undertaken.

Judgment

In a landmark decision, Mr Justice Bryan determined that cryptocurrency, such as Bitcoin, could be considered and treated as “property” on the basis that cryptocurrency could be definable, identifiable by third parties and had some degree of permanence. As such, cryptocurrency was therefore capable of being the subject of a proprietary order.

On the balance of convenience, Mr Justice Bryan granted the interim relief sought as damages were deemed to be an inadequate remedy given that Bitcoin could be dissipated quite easily.

Of further interest, Mr Justice Bryan also ordered Bitfinex, the currency exchange intermediary, to provide information on the identity and address of the Persons Unknown. Given that a key attraction to investing in cryptocurrency is the anonymity it affords the investor, it will be interesting to see if other currency exchanges will be as willing to co-operate in the future. 

The Persons Unknown were never identified and it remains unclear whether the balance of the ransom payment was ever recovered from them.

Remedies Available Under English Law

It is interesting to note that whilst fraudulent cybercrime activity is on the rise, investments in cryptocurrency continue to gain in popularity. Therefore it is even more pleasing to see the English Court showing its capability and willingness to provide the necessary protection to those that fall victim to such fraudulent activities.

Legal remedies that are available include seeking Worldwide Freezing Orders (even against persons unknown who may be located either inside or outside of the UK), which can immediately prevent the further transfer or dissipation of assets, wherever they may be located. Such applications are often supported by ancillary disclosure orders, ordering the recipient to disclose further information about the assets being held. As cryptoassets can be identified as property, it is also possible to seek a proprietary injunction, in circumstances where the applicant is able to demonstrate they are the rightful owners of such property. In addition, a Bankers Trust order can be obtained, which directs a third party (such as a Bank or a cryptocurrency exchange) to disclose information about the identity of property held which may (or has) become the subject of a Freezing Order.

These are powerful remedies that are at the Court’s disposal and unique to the English legal system. They can have far reaching consequences against individuals and property being held by them or by related third parties. Such applications can be made without notice with hearings held in private so the fraudsters are often unaware of the legal action that is being taken until the appropriate relief has been granted and enforcement steps are well underway.

It is not surprising that the English Courts are seeing an increase in cyber-related cases and this trend is almost certainly likely to continue. It will be interesting to see how the English Courts will continue to make use of all the legal weapons at their disposal to face battle with the fraudsters.

Please contact Dominique Dolmanif you require any assistance in this field.