Cybersecurity: A Promising Restitution Order

A cybersecurity incident or a data breach typically has significant financial, operational, and reputational repercussions on victim organizations.

Given their increasing sophistication and skyrocketing numbers, these incidents are also increasingly more costly for cyber insurers, with expenses such as remediation costs and ransom demands having continuously grown in the past years. 

In addition, the increasing complexity of multi-stage attacks carried out across multiple jurisdictions can create serious difficulties for attribution. Even when identified with confidence, threat actors responsible for the attacks can be operating outside of our borders, sometimes in permissive environments. To date, they have rarely been brought to justice, however a recent decision gives cause for optimism for victims and their insurers.

On February 1, 2022, in one of the first judgments of its kind (and likely the first of this scale) in Canada, the Ontario Court of Justice ordered a Canadian citizen residing in the National Capital Region to make restitution to victims.  

The defendant Sebastien Vachon-Desjardins was a prolific affiliate of the NetWalker ransomware cybercrime group. As described by the court, “NetWalker was a group dedicated to creating data-theft-for-ransom software and attack strategies that shared its capabilities with cyber threat actors on a split-fee basis. Affiliates were individuals who carried out these data thefts, extorted their victims, and shared up to 20% of the ransoms paid with NetWalker developers.” Ransomware is a form of malware designed to encrypt files on a victim’s device, allowing attackers to demand a ransom payment, typically in virtual currency, in exchange for decryption. Organized cybercrime groups such as Netwalker, which operate with a “ransomware as a service” model, franchise their capabilities to interested attackers who become their affiliates, making it easier for them to carry out sophisticated ransomware attacks without having to develop their own ransomware variant. Furthermore, using data theft in addition to encryption is a method of “double extortion.” Even where an organization has viable backups to recover its data, it also faces the threat of having their information leaked or sold online.

The defendant was arrested in January 2021 as a result of the joint efforts of the RCMP and the FBI. The Canadian authorities, alerted by the FBI, were ultimately able to identify him “based on internet protocol addresses, data gleaned from U.S. investigations into various Apple, Google, Microsoft, and Mega.nz accounts, aliases, email addresses, and personal information revealed on social media platforms.”

Following his arrest, the defendant cooperated with the RCMP and gave a statement detailing his criminal activities involving Canadian victims. He admitted that he was implicated in 17 ransomware attacks that caused millions in damages in Canada, even without taking into account the unquantifiable commercial, competitive, and reputational losses to the victims. The RCMP was able to seize cash of over one million dollars from the defendant’s home and his bank accounts, in addition to 720 Bitcoins (worth over $34.5 million at the time of sentencing). The defendant pleaded guilty to five counts of offences, including mischief and theft of computer data, extortion, the payment of cryptocurrency ransoms and participating in the activities of a criminal organization and was sentenced to seven years in prison.

The court ordered that the amounts seized from the defendant be used as restitution payments made out to the organizations that were victims of his actions. Some of the victims' insurers will also receive restitution for indemnification payments made to their insureds.

While only a few of the thousands of ransomware victims in Canada are receiving restitution, this case nevertheless represents good news for organizations and their insurers as law enforcement has proven its ability to identify the responsible threat actor, making it possible to obtain a criminal conviction and restitution. Until recent years, law enforcement was typically less involved in cyber incidents. This case illustrates progress in this area and how vital law enforcement's efforts are for victims and their insurers. While they remain the exception at this time, there are increasingly more success stories for law enforcement, such as the tracing and seizure of the ransom payment made in cryptocurrency in a recent well-publicized attack on critical infrastructure.

The case further illustrates the importance of international cooperation and information exchange in law enforcement against the threat of ransomware. Cyberattacks know no borders, which is why international law enforcement efforts are crucial to identifying and apprehending cybercriminals, seizing their profits and holding them accountable, ultimately leading to disrupting the cybercrime ecosystem. 

Cyber insurers have increasingly been able to educate insureds, incentivize improved cyber security practices, encourage cooperation with law enforcement as well as enhance their own information sharing efforts with law enforcement which can be expected to lead to more success stories. 

Finally, it is important to note that the Canadian Centre for Cyber Security has recently warned the Canadian cybersecurity community, and especially critical infrastructure network defenders, to bolster their awareness of and protection against Russian state-sponsored cyber threats. Given the fast-evolving situation with respect to global sanction measures on Russia, organizations facing a potential ransom payment to a threat actor and their insurers must be all the more vigilant in their due diligence and sanction checks.