“Your company’s servers are hacked…
I offer you a simple deal. All future business of the company depends upon this deal…
(1) To pay. I delete all the data…
(2) Not to pay. And in this case, I publish all information in public.
The cost is 300,000 (three hundred thousand Great British Pounds) paid via Bitcoin. Deadline – 2 weeks.”
These are extracts from an email sent a few weeks ago, to blackmail a company in the UK. The email appeared in a recent High Court judgment as the company took the fight to the cyber-criminals.
The case (PML v Persons Unknown) shows the steps that the English Courts are willing to take to help victims of ransomware. Victims are sometimes reluctant to seek relief from the Court, such as injunctions prohibiting disclosure of stolen data, because they don’t want to spend money on obtaining a Court order that they think an anonymous hacker is unlikely to comply with. However, the more cases we see like PML – and another case which I will discuss in my next blog post – the more we’ll see a shift in this reticence.
In PML, the hacker gave the company two weeks to pay a ransom of £300,000. The hacker sent the company details of a website which was hosting some of the stolen documents, together with login and password details, so the company could verify the hack.
The company played for time and in that time it was able to obtain an ex parte injunction from the Court for delivery up and/or destruction of the stolen data. To protect the company, the Court restricted access to the Court file and the hacker was not given notice of the application (for fear that it would publish the information). The Court even anonymised the company’s identity.
When the company served the injunction order on the hacker (by replying to the threatening email), the hacker responded “you made [your] choice, I make my own. On Monday the information will be published. Good luck”. The hacker then removed the password protection from the website hosting some of the stolen documents.
However, in parallel with obtaining the injunction, the company had discovered that the website host was based in a European country. So the company had also obtained an order from the court in that country, and it served the order on the website host at the same time that it served the injunction order on the hacker. Complying with the order, the host blocked all access to the website.
In response, the hacker began posting stolen information on other websites. The company served copies of the injunction order on the hosts and operators of those websites and the information was quickly taken down. Within a couple of weeks, the hacker had reduced its ransom to £100,000. At the time of the hearing (11 April 2018) the company had received no further communication from the hacker. At the hearing itself, the Court granted the company a continuation of the injunction.
It’s not known what damage would have been caused if the stolen information had been widely disseminated. But for now at least, it would appear that going to Court paid off for the company.
The Court helped the company by granting pragmatic solutions to protect the company’s identity and frustrate the hacker’s plans. For some hackers, this might be enough to make them move on to an easier target. Certainly, a victim and its customers, shareholders, employees and regulators would all be pleased with that outcome.
In these situations, Courts are also willing to take significant steps to protect the claimant’s identity and confidential information. This may also lead to more ransomware victims seeking the Court’s help – more on that in my next blog post.