UK High Court Approves Freezing Injunction on $1M Ransomware Payment

The UK High Court of Justice approved a freezing injunction on over $1 million paid by an English insurance company to ransomware actors. The Honorable Mr. Justice Bryan announced his approved judgement in a decision released for publication by the High Court of Justice on January 17, 2020. As relayed in the judgement, a Canadian insurance company suffered a ransomware infection in the fall of 2019 when malicious actors slipped past its security defenses and encrypted its systems using BitPaymer. They then dropped a ransom note on the encrypted systems. This message read as follows:

Hello [insured customer] your network was hacked and encrypted. No free decryption software is available on the web. Email us at […] to get the ransom amount. Keep our contact safe. Disclosure can lead to impossibility of decryption. Please use your company name as the email subject.

The Canadian insurance company was insured by an English insurance company against digital crime at the time of the attack. This English firm instructed an incident response company to negotiate on behalf of its customer with those attackers who posted their ransom demands. Through these negotiations, the parties eventually agreed to a deal in which the English insurance company sent 109.25 bitcoin (worth approximately 1,017,500 USD at the time of writing) over to the attackers. Those individuals, in turn, sent over a decryption tool that the Canadian insurance company used to restore its systems. This process took five days for the company to restore 20 servers and 10 days to recover 1,000 desktop computers. The United Kingdom's High Court of Justice The incident didn't end there, however. The English insurance company conducted an investigation into where its bitcoin payment had gone. Its efforts revealed that the ransomware actors had deposited about 96 bitcoins into an unknown individual's address linked to Bitfinex, a cryptocurrency exchange operated by iFINEX and BFXWW INC. This company subsequently filed an application against the initial ransomware actors, the individual in possession of the 96 bitcoins, iFINEX and BFXWW for the purpose on placing a freezing injunction against the majority of its ransom payment. The Honorable Mr. Justice Bryan approved this request. Subsequently, New Money Review asked Bitfiniex whether it had complied with the court order. The exchange did not respond concerning the state of the bitcoins in question, but in a written statement, it indicated that it "has robust systems in place to allow it to assist law enforcement authorities and litigants in cases such as this.” Reflecting on the case above, Tripwire's Irfahn Khimji noted that the Canadian company should inform its customers and take the necessary precautions to protect its customers from repercussions. He also drew attention to the need for greater visibility into organizations' digital security efforts:

The cyber security industry needs to adopt a guiding set of principles, such as the Top 20 Critical Security Controls from the Centre for Internet Security, so that there can be a consistent measure to identify if organizations are, in fact, deploying adequate cybersecurity controls. Many organizations fail to invest an adequate amount of people, process, and technology to their cybersecurity programs which results in large scale data breaches and ransomware attacks. Organizations will be attacked. However, with adequate controls, the attacks can be contained and damage minimized. In this incident, the cyber insurance covered the cost of the ransomware payment, but there are still additional costs to be considered by the organization, such as customer identity protection, brand reputation, share price, etc.

Lastly, Khimji highlighted the importance of organizations having regular offline backups as a means to quickly recover their systems in the event of a ransomware attack. Organizations can further protect themselves by following these ransomware prevention tips.