
Ransomware - sometimes it makes sense to pay a cyber-criminal

Client Case Study

Nobody likes the idea of paying a ransom to a cyber-criminal, but for some organisations it is – commercially – the lesser of two evils. Here is how Clyde & Co helped one company in the insurance industry navigate the perilous waters of ransom payments.

 

Problem

It was a bit like the story of the cobblers who are so busy making shoes for other people that they forget to make shoes for their own children. For one UK insurance company, finding itself the victim of a cyber-attack was bad enough, but the fact that it couldn’t recover the stolen data easily or quickly via its back-ups – unless it paid a ransom – was far worse.

“Deciding to pay a ransom is a difficult and uncomfortable position to find oneself in,” says Madeleine Shanks, Associate and cyber-crime expert at Clyde & Co. “There is the tension of wanting immediate decryption and access to your systems, coupled with the uncertainty as to whether paying the ransom will actually yield the desired result. In this case, with the company’s operations paralysed and the ransom demand large – but not ruinous – the company decided to pay the ransom in order to regain access to their systems.”

 

  • Stolen data: They couldn’t recover the stolen data easily or quickly via their back-ups – unless they paid a ransom
  • Damage control: In this case, with the company’s operations paralysed and the ransom demand large – but not ruinous – the company decided to pay the ransom
  • Prevention: Our IT specialists were able to recommend measures to make the company’s systems more resilient against cyber-attacks in the future
  • Data restored: All the data that the client wanted restored was safely and fully returned

Solution

Clyde & Co was brought in to advise the company on several levels. In the UK it is illegal to pay money to anyone who is, or has links to, a person or group under UK sanctions (for acts of terrorism, for example). To pay such a person or entity would mean a criminal action against the company, and so the response team advised on the legality of the payment. Its specialists conducted their due diligence to determine whether the cyber attacker had known links to any sanctioned or restricted terrorist or well-known criminal/state organisations. In this case there were none, and the advice given was that there were no known restrictions that would prohibit paying the ransom.

The next complication was managing the actual payment. “Handing over the money is not done with used notes in suitcases at midnight, or so easy as writing a cheque,” says Madeleine. “Nowadays cyber attackers insist on the anonymity of Bitcoin payments, a cryptocurrency that can be difficult to trace. We used a trusted vendor who could facilitate payment securely and arrange for the payment to be made within a very short timeframe.”

While this was going on, IT experts helped with a forensic search of the company’s systems to assess the damage. The practice also quickly notified the UK’s data protection regulator and the Financial Conduct Authority, all within the relevant regulatory timeframes. Finally, Clyde & Co advised on how best to communicate this incident to the company's stakeholders and clients, thereby managing the narrative and mitigating any adverse reaction to the incident.

 

Outcome

With the help of the response team’s specialist ransomware negotiator, the client was able to reduce the original ransom demand by 50%. The negotiator was also able to obtain a decryption key sample, where a portion of the stolen data was returned, proving that the cyber attacker had the means to return the information. This technique reduces the risk of paying the full ransomware demand but not having the company's systems subsequently restored. In this case, all the data that the client wanted restored was safely and fully returned.

The other parts of the story ended equally successfully. “The data protection regulator, for instance, closed its file without questions,” concludes Madeleine.

Our IT specialists were able to recommend measures to make the company’s systems more resilient against cyber-attacks in the future.

Madeleine Shanks, Associate

Key Contacts

Helen Bourne

Partner

Rosehana Amin

Senior Associate

Madeleine Shanks

Associate
