Counter-attacking ransomware hackers
Insight
There is a developing line of cases in England & Wales where those who have been subject to a ransomware attack take action against the hackers through the civil courts. The question is why bother and what is the best way to go about this if that is what the victim decides to do.
The attack
The typical – and by now familiar – chain of events in a ransomware attack involves the following:
- The attackers gaining access to the company's systems.
- The installation of malicious encryption software on the systems, preventing access to data.
- The extraction of data with the threat to publish it.
- The attackers making contact via an anonymous webpage (or email address) and requiring a ransom payment (invariably in cryptocurrency) to restore access to encrypted data and to prevent the data being leaked.
In this situation, the affected organisation is faced with a myriad of considerations and challenges, ranging from the practical and technical, to the legal and reputational. Many of those considerations and the actions that flow from them might be regarded as defensive and acts of preservation. However, there is an increasing body of examples where companies affected are also taking swift and immediate action to obtain injunctions from the English courts to prohibit further misuse of stolen information by attackers and, on some occasions, to require the return of stolen data or its destruction.
Why bother?
The obvious and immediate question is: what is the practical purpose of obtaining an injunction against unknown attackers who are often sophisticated cyber criminals with little respect for law and authority? This is certainly a valid question to pose and it is the case that proceedings are not instigated in the expectation that the attackers will necessarily comply with the court's order.
However, even if the attackers themselves do not comply, the existence of an injunction may render it more difficult for the attackers to follow through on threats to publish the information elsewhere. Where the data has been published on third party websites by the attackers, the injunction may be relied upon to seek the removal of the data from such websites (although that of course depends on the third party website respecting an order made by the English court). And the fact the organisation is prepared to go to court may serve as a disincentive for the attackers to continue the attack or conduct future attacks against the organisation. However, an equally important reason for pursuing court action is the reputational purpose; principally, the desire to show to any affected individuals, commercial partners, stakeholders and regulators that the organisation is doing everything it can to combat the nefarious activities of the attackers. This is in itself may be sufficient justification for applying to the court, and is often a key consideration for law firms and other professional services providers who are subject to an attack and whose client data is put at risk.
How do the court proceedings work?
Upon receipt of an anonymous ransom demand, the company (the claimant) will apply urgently to the court seeking an interim injunction. The legal basis for the claim will invariably be breach of confidence. The requirements for such an action are that the information has the necessary quality of confidence, the circumstances give rise to an obligation of confidence and there is actual or threatened unauthorised use of the information. These requirements will almost always be met in a ransomware (or other cyber blackmail) scenario, where there has been unauthorised access to a company's systems and to their proprietary information. Notably, the affected organisation will not be basing their claim on breach of data protection legislation or misuse of private information, since such claims are the domain of individuals only. Questions about whether a claimant has any basis for bringing such claims on behalf of the affected individuals need not be tested as the claim for breach of confidence should give the claimant the basis for all of the relief it needs. It is best to keep the application for relief as simple and straightforward as possible rather than try to wrap it in multiple, overlapping but only arguable causes of action.
Such attacks are of course always conducted anonymously, but the English courts allow claims to be brought against "Persons Unknown", provided there is a means of bringing the claim to their attention. In circumstances where the attackers make contact through a website or anonymous email address, the court will readily permit service on the attackers through whichever of those methods is used. This enables the claim to proceed despite the fact the identity of the attackers is (and will almost certainly remain) unknown.
Once an interim injunction has been obtained from the court, the claimant will be expected to pursue the action. The usual sequence is that the attackers do not engage in the claim or offer any kind of defence. The claimant is then left with two options: either an application for default judgment on the grounds that the defendant (ie the attackers) has not responded to the claim within the required timeframe under the Civil Procedure Rules or summary judgment on the basis that the defendant has no real prospect of successfully defending the claim. Either course of action leads to an early resolution of the claim, and the aim is invariably a final injunction (there being no realistic prospect of recovering damages). The default judgment approach is arguably more straightforward in that it relies solely on the defendant's failure to respond to the claim. However, claimants (as in the case of XXX v Persons Unknown) might on occasion prefer to pursue summary judgment because it involves an assessment of the merits of the case (or rather, the lack of merit to a ransomware attacker's position). That can be important in some jurisdictions to persuade those hosting the stolen data to take it down and / or return it.
Can a claim be brought anonymously and what other steps can be taken to ensure privacy?
Ransomware attacks and other forms of data security breach often enter the public domain because the affected organisation takes the decision (and may be legally required) to contact individuals that are or might be affected by the compromise of data. There may also be wider reputational considerations in seeking to be transparent. In such cases, anonymous court proceedings would be unrealistic and at odds with the wider strategy.
Nevertheless, there may be some cases where the organisation wishes to seek to protect its information without disclosing the existence of the attack. This was the case in XXX v Persons Unknown [2022] EWHC 2776 (KB), where the claimant company was involved in security-sensitive projects and highly classified projects of national significance for well-known clients. Much of the work it conducted was covered by the Official Secrets Act. The court determined that evidence showed that, if the claimant's identity was made known, there was a real danger that "malicious persons, including hostile nation states, organised criminal groups and terrorist organisations" would exploit the information by seeking the material stolen in the ransomware attack.
This was unquestionably an exceptional case based on the specific circumstances of the claimant's work. Generally, the court must only order that the identity of a person (including a corporate entity) shall not be disclosed if it considers this necessary to secure the proper administration of justice or to protect the interests of that person. The mere fact of negative commercial and / or reputational consequences will not be sufficient, and it will ordinarily be the case that the identity of the claimant is made public by the court proceedings. Blackmail cases are different and, certainly where the threat is to disclose improper conduct or private material, courts will frequently grant anonymity. However, the court in XXX distinguished ransomware attack cases from threats to publish improper conduct, and there have been many cyber attack cases where the claimant's identity is disclosed. As noted above, in some cases there may be reputational reasons for bringing the proceedings openly.
Even where the identity of the claimant is public, the court will be anxious to prevent the specific information stolen by the attackers from being disclosed publicly. That would obviously defeat the entire purpose of the application for an injunction. This can be done by the court ordering any hearing (or part of a hearing) to take place in private, restricting access to documents and permitting the initial injunction application to be made without notice to the attackers (given the obvious risks in putting them on notice before the court has made an order).
In summary, while the courts will place great emphasis on the principle of open justice, they will also be conscious of not doing anything that might facilitate the activities and threats of the attackers.
Conclusion
While litigation against the attackers may not be the first thought on every organisation's mind, there are often good practical and other reasons for seeking the courts' assistance. Remedies can be urgently obtained (an interim injunction can often be applied for and obtained the same day) and the process, while unlikely to be entirely private, may provide significant assistance in ensuring the protection of the stolen data.
If you require further information about anything covered in this briefing, please contact Thomas Rudkin or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2023