
Lawrence Stephens Partners with Churchill’s Boxing Gym to Launch Free Boxing Law Clinic

Posted on: June 24th, 2025 by Ella Darnell

Lawrence Stephens are proud to announce a collaboration with Churchill’s Boxing Gym to launch a dedicated Boxing Law Clinic, providing pro-bono legal support tailored specifically for athletes in the fight game.

Hosted at the heart of the gym, the Boxing Law Clinic will offer fighters direct access to free legal appointments with our experienced professionals. Whether it’s reviewing promotional contracts, understanding a bout agreement, resolving a dispute, or discussing career moves, the clinic is designed to deliver efficient and accessible legal advice when fighters need it most.

This initiative is part of Lawrence Stephens’ ongoing commitment to empowering athletes with the knowledge and confidence to navigate the business side of boxing, and to take control of their careers, both inside and outside of the ring.

Commenting on the Boxing Law Clinic, Sports and Entertainment associate Angelique Richardson adds:

“Fighters shouldn’t have to step inside the ring without knowing their rights outside of it. Together with Churchill’s Boxing Gym, we’re creating a space where fighters can get the advice they need to take control of their careers.”

Samm Mullins, the owner of Churchill’s Boxing Gym, says:

“We’re really proud to be partnering with Lawrence Stephens on this Boxing Law Clinic. They work with a number of fighters already and really understand the boxing world — not just from a legal perspective, but from a fighter’s point of view too. This clinic is a great opportunity for our boxing community to get proper advice from people who genuinely know their stuff.”

The first clinic will take place on Monday 30 June, with 45-minute appointments available from 10am. Appointments are free, but limited — clients will be asked to book an appointment and complete a short questionnaire in advance. For prospective clients, please email sportsandentertainment@lawstep.co.uk or text/call 07510 931301 to request your questionnaire and confirm your appointment.

Lawrence Stephens Advises Kaleidex Group on its Acquisition of OxDevice Ltd

Posted on: June 18th, 2025 by Ella Darnell

Lucy Cadley led a cross-disciplinary team from Lawrence Stephens alongside overseeing director Katherine Zangana and was closely supported by Avni Patel, Becci Collins, Leigh Sayliss and Craig Mullen in advising Kaleidex Group, an Ansor portfolio company, on its acquisition of OxDevice Ltd.

Kaleidex, backed by private equity firm Ansor, acquires and integrates high-performing medical manufacturing companies, building a network of expertise and innovation to drive industry advancements. This strategic acquisition of OxDevice, a precision engineering and manufacturing company based in Abingdon, Oxfordshire, is Kaleidex’s third acquisition and expansion into the rapidly growing neurovascular and endovascular device sectors.

The transaction demonstrates our collaborative and commercial approach, bringing together expertise from our Corporate & Commercial, Real Estate, Employment and Tax teams to deliver a seamless service tailored to the need for an integrated approach towards complex corporate matters.

Commenting on the deal, Lucy said:
“Delivering this transaction was a fantastic example of what Lawrence Stephens does best, working closely across departments and alongside our client’s leadership team to deliver pragmatic, forward-thinking advice that helps clients scale their businesses with confidence.”

Lawrence Stephens advises Kaleidex Group on its acquisition of Denis Limited and Oracle Precision Limited

Posted on: June 18th, 2025 by Ella Darnell

Isobel Moran led a cross-functional team from Lawrence Stephens, along with overseeing director Katherine Zangana, supported by Avni Patel, Ewan Ooi and Craig Mullen, to advise Kaleidex Group (an Ansor portfolio company) on its acquisition of Densis Limited and its wholly owned trading subsidiary, Oracle Precision Limited.

The transaction highlights our commercial and collaborative ethos, with expertise drawn from our Corporate & Commercial and Commercial Real Estate teams to deliver a seamless and integrated service tailored to the fast-paced demands of SME acquisitions in the medical manufacturing sector.

This was Kaleidex Group’s second successful acquisition, completed within just three months of instruction. The swift execution of the deal further strengthens our client’s strategic growth trajectory in the precision engineering space—supporting the development of critical components for the medical industry.

Commenting on the deal, Katherine said:
“This was a great example of how our team brings together technical expertise and insight to help our clients complete transactions quickly and decisively. It’s always a pleasure to support their growth journeys with another successful acquisition.”

How toxic masculinity can be harmful for businesses

Posted on: June 11th, 2025 by Natasha Cox

Senior Associate Emma Cocker discusses how toxic masculinity is increasingly infiltrating the workplace, with legal and cultural consequences for both employees and employers, in People Management. 

Emma’s article was published in People Management, 10 June 2025.

Toxic masculinity: a hidden cost to employers?

Following the huge success of recent Netflix drama Adolescence, the issue of toxic masculinity has been the subject of much debate. The prime minister has admitted to being worried about toxic behaviour on social media influencing young men, telling the BBC that the UK “may have a problem with boys and young men that we need to address”. Former England football manager Sir Gareth Southgate also recently aired his thoughts in a BBC lecture in which he said “toxic influencers… tricky young men”.

While discussions on this topic have so far focused on the impact of toxic masculinity generally, it is important to recognise the specific workplace challenges that are becoming more prevalent as a result of the corrosive impact of social media and misogynist influencers such as Andrew Tate.

Workplaces are increasingly reporting a subculture of negative behaviours rooted in out-of-date, and often harmful, masculine values. An overabundance of these traditional masculine norms can lead to behaviours including excessive aggression, emotional repression and a constant need to prove dominance. These behaviours can manifest in negative workplace practices; for example, a long-hours, ‘work first’ culture that prioritises work over personal or family life and individual wellbeing. Equally, overly competitive behaviour – such as a focus on winning at all costs, often at the expense of others – can have a negative impact on teamwork, collaboration and innovation. Diversity, inclusion, a healthy work-life balance and employee wellbeing also invariably tend to suffer. Instances of bullying may also increase in workplaces particularly prone to toxic masculinity.

These negative effects are being fuelled by the mandated scrapping of EDI programmes through a series of executive orders issued by President Trump. Across corporate America, EDI is now in sharp retreat with companies as diverse as IBM, Warner Bros, Coca-Cola, Goldman Sachs, McDonald’s and Amazon having scrapped, scaled back or renamed their EDI programmes.

Given that these are large, multinational companies, and many others like them have taken similar steps, the threat to EDI programmes in the UK is significant. While according to a recent survey by the Institute of Directors, 71 per cent of business leaders have no plans to alter their organisation’s approach to EDI following the scaling back of programmes in the US, that still leaves 29 per cent that might.

There are clearly other factors beyond Trump’s anti-EDI agenda affecting the UK’s position, not least the gender pay gap, which has remained stubbornly high. However, the negative effects of toxic masculinity on workplace culture should not be underestimated. As a consequence of the growth of toxic masculinity, businesses face increasing levels of risk, including the risk of legal claims by employees who have been subject to discrimination or harassment because of their sex. Fostering, or even just tolerating, a work environment that is hostile to women can violate employment law. Where successful, legal action against employers can result in costly settlements or awards of damages, as well as reputational damage to the organisation and a knock-on effect on employee morale.

Sensible organisations will heed warnings about toxic masculinity and take steps to mitigate these risks. These steps mostly come down to common sense and include having robust EDI policies, comprehensive training on appropriate workplace behaviours and a resolute commitment to challenging harmful workplace behaviours whenever they appear. However, where a workplace is already seeing significant negative consequences of allowing a toxic culture to persist, more drastic actions, such as disciplinary investigations, may be necessary. 

For further information on our employment services, please click here.

Lawrence Stephens Advises on Landmark Cotswolds Pub Acquisition for Redevelopment

Posted on: June 11th, 2025 by Alanah Lenten

Bradley Lee and Charlotte Hamilton from our Corporate team, alongside Angela McCarthy and Nick Marshall from the Commercial Real Estate team, have advised Rafic Said on the acquisition of the entire issued share capital of The Cotswold Cock Inn Ltd, a corporate structure used to acquire the company’s principal asset: a characterful pub in the Cotswolds.

With planning permission already in place, Rafic intends to redevelop and re-open the pub, breathing new life into the site and bringing a new hospitality offering to the area.

The transaction highlights the strength of Lawrence Stephens’ collaborative, cross-disciplinary approach. By structuring the deal through a corporate acquisition, the team was able to deliver an efficient solution that balanced both commercial and legal priorities, while unlocking real value for the client.

Bradley Lee commented:
“This is an example of where Lawrence Stephens flourishes, combining our Corporate and Commercial Real Estate expertise to work seamlessly as a team and help our clients realise their ambitions.”

Rafic Said added:
“Lawrence Stephens were exceptional throughout, commercially astute, approachable, and solutions-focused. Their expertise gave me real confidence at every stage of the process.”

For more information on our Corporate and Commercial services, click here

Lawrence Stephens welcomes Director, Laura Brown as a key addition to Real Estate Finance team

Posted on: June 3rd, 2025 by zhewison

Laura brings over 11 years of experience as a finance lawyer, specialising in real estate finance. She advises lenders on a broad range of transactions, including senior and mezzanine financing for commercial and residential property development, investment acquisitions, refinancing, and portfolio financing.

Her deep sector knowledge, commercial insight, and strong client relationships significantly enhance our finance capabilities and expand our reach in the market.

Laura Brown said: “I am thrilled to join Lawrence Stephens at an exciting time in the firm’s growth. It is an honour to work alongside such a talented team, including my long-standing colleague and friend, Steve Clinning. I am passionate about the delivery of excellence and exceptional client service, and I am eager to build upon the firm’s legacy.”

Ann Ebberson, Director and Head of Real Estate Finance as Lawrence Stephens said: “I’m delighted to welcome Laura to Lawrence Stephens and our Real Estate Finance team. She brings a wealth of industry expertise and a portfolio of exceptional clients, significantly strengthening our real estate finance capabilities and commercial reach. These are exciting times for the firm, and Laura’s arrival marks another step forward in our continued growth.”

Lawrence Stephens advises Salomon on store at Battersea Power Station

Posted on: June 3rd, 2025 by zhewison

Nickhil Mandora, Director at Lawrence Stephens, has advised Salomon on their latest UK store at Battersea Power Station. This is the third UK store Salomon has opened in the past year, with Nickhil advising on all lettings.

Founded in 1947 in the French Alps, Salomon is an outdoor brand creating high-performance gear for running, hiking, skiing, and adventure. The Battersea Power Station store will be focused on footwear, offering a collection of sport-style, running, and hiking shoes.

This letting solidifies Battersea Power Station’s status as an iconic and desirable shopping destination, home to lifestyle brands favoured by consumers.

Nickhil Mandora: “We are delighted to assist Salomon on their latest UK retail space in the iconic Battersea Power Station, marking a hat trick of stores in the capital for the brand. Salomon have been consistently innovating not only the products they offer but the services provided in-store and we are excited to continue our partnership with them”.

For more information on our services and expertise in the commercial real estate sector, please click here.

How to protect your crypto assets

Posted on: May 30th, 2025 by Natasha Cox

Director and Head of Blockchain and Digital Assets, Matt Green, comments on the recent series of attempted kidnappings of crypto entrepreneurs and discusses how to best protect assets stored on the blockchain, in The Next Web.

Matt’s comments were published in The Next Web, 29 May 2025, and can be found here.

“Despite the industry pining for decentralisation, much of the data points towards identifiable individuals with either massive wealth or access to third parties’ wealth. Simple blockchain analytics openly identifies addresses holding fortunes, and once those addresses are associated with named individuals (data triaging and clustering can unmask a pseudonymised address), then criminals can see very clearly that a person holds significant wealth. Imagine your bank balances are posted online and through analysing open source data, the world can see it’s your account.

“In terms of crypto holders, the only thing stopping criminals gaining access is human error or force so kidnapping aims to break down the integrity of that human led security.

“The nature of blockchains means balances and addresses are public. In the same way van stickers read “no tools are kept in this vehicle”, it might be worth making a conscious effort to show a single person under duress is incapable of giving access to crypto holdings. Having clear statements about Multi-Sigs (Multi-Signature wallets) would likely deter kidnappers, who would have to pursue multiple individuals to make gains.”  

To find out more about our work on blockchain, crypto and digital assets, please click here.

The legal definition of ‘sex’ and its impact on employer obligations and employee benefits

Posted on: May 29th, 2025 by Natasha Cox

Senior Associate Emma Cocker explores the recent Supreme Court ruling on the definition of ‘sex’, and discusses how this ruling will impact employers’ obligations under the Equality Act 2010, in REBA.

Emma’s article was published in Reward and Employee Benefits Association (REBA), 29 May 2025.

In April, the landmark Supreme Court case of For Women Scotland v The Scottish Ministers held that ‘sex’ within the Equality Act 2010 refers exclusively to biological sex. Though this judgment did not create new law, it has fiercely reignited tensions regarding the interplay between the rights of trans people and those of biological men and women. In particular, the divide between supporters of trans rights who believe a person’s sex can be changed, and those with ‘gender critical’ beliefs who believe that sex is biological and immutable.

There has been a significant amount of online misinformation about the implications of the judgment, particularly with regards to the workplace. However, the law today is the same as it was before the clarificatory judgment, with discrimination against trans people for reasons relating to gender reassignment and discrimination against those holding ‘gender critical’ beliefs being unlawful. Yet, because of the misrepresentation of the law on this highly emotive topic, many organisations are confused and fearful of falling foul of their employment law obligations.

So, what should employers be doing in light of the judgment?

Firstly, inclusion is for everyone and there is nothing discriminatory in recognising that the protected characteristics of sex and gender reassignment relate to groups that have different needs and vulnerabilities. Making toilets and changing rooms ‘gender neutral’ with no single sex provision will breach workplace health and safety legislation, as recognised by the Equality and Human Rights Commission’s interim guidance[1]. It may be tempting to take situations on a case-by-case basis, but this could lead to employment tribunal claims by workers who expect to be able to access single sex spaces for reasons of privacy and dignity.

It is also recommended that employers review their policies and training to assess and act on the risk that what they currently have is unlawful. Policies and training not based on the Equality Act 2010’s definition of sex are likely to result in unlawful conduct for which employers may be sued in the employment tribunal.

In relation to employee benefits, it is normally prudent for employers to ensure equal access for all, however this general rule should be qualified by the intended purpose of the benefit. For example, it would be difficult for employers to justify providing death in service benefits at unequal levels between trans and non-trans people. It would not normally be advisable to provide benefits exclusively for trans workers, though support geared towards those with gender dysphoria or transitioning individuals need not be excluded.

However, there will be situations in which benefits ought not to be offered equally. Providing group-based menopause support to a cohort including transwomen could, for instance, lead to claims of sex-based discrimination or harassment and would offer little benefit to transwomen who will not experience menopause.

If there is any difference in the benefits provided to men and women, they should be provided to employees based on their biological sex. For example, if an employer chooses to offer IVF or other ‘family building’ support, it should be made available to all staff. However, it would not be discriminatory to provide women with more paid leave than transwomen, in recognition of the physical impact of fertility treatments on women.

While some will say this is ‘new’ or ‘developing’ law, that is not the case. In order to remain compliant with the Equality Act 2010 and avoid claims of harassment and discrimination, employers must apply commonsense when considering the purpose for which employee benefits are provided, and the impact of blindly applying a blanket ‘equality rule’.

For more information on our employment services, please go here

[1] An interim update on the practical implications of the UK Supreme Court judgment | EHRC

Matt Green co-authors article on crypto-asset recovery for Oxford Law Pro’s Expert Essentials, Oxford University Press

Posted on: May 28th, 2025 by Natasha Cox

Writing for peer reviewed Oxford Law Pro’s Expert Essentials, Head of Blockchain and Digital Assets Matt Green and Outer Temple Chambers’ barrister Henry Reid provide a practical guide on the recovery of misappropriated crypto-assets.

Matt and Henry’s article was published in Oxford Law Pro, 14 May 2025, and can be found here.

Following the $1m loss of the stablecoin Tether, Matt and Henry explore the practical issues of asset recovery – including the use of blockchain analytics reports, dealing with crypto exchanges and pursuing persons unknown – as well as the legal considerations.

The article begins by discussing an example of a scam in which the claimants transfer one million Tether to persons unknown, considering the movement of these assets across the blockchain and their subsequent deposit at crypto exchanges. 

Matt and Henry then analyse the viability of potential legal proceedings, discussing potential routes to recover the misappropriated assets, and outline how to approach cryptocurrency exchanges at a pre-action stage.

Their article concludes with a narrative on preparing an ex parte application against these persons unknown, as well as seeking a worldwide freezing injunction to prevent the dissipation of the stolen crypto and seeking disclosure from the crypto exchanges to identify customers who have received the traceable proceeds.

Dominic Holden discusses proposed ransomware ban in Law 360

Posted on: May 23rd, 2025 by Natasha Cox

Director Dominic Holden discusses the UK government’s proposals for a ransomware ban in Law 360.

Dominic’s article was published in Law 360, 22 May 2025, and can be found here. 

Ransomware ban move could push hackers to private sector

The government’s bid to crack down on ransomware payments could heap pressure on companies in crisis without any guarantee that it will pull the plug on the billion-pound cybercrime industry, lawyers say.

Proposals by the Home Office to ban public entities from making ransom payments and to require other bodies to consult with the authorities before they consider sending money to their attackers are intended to undermine the ransomware business model by making the U.K. a less profitable target.

But lawyers warn that the proposals, set out in a wide-ranging government consultation, appear to underestimate the opponents.

“Deceptively simple and undoubtedly well-intentioned, the proposal borders on the naive,” Julian Hayes, a partner at BCL Solicitors LLP said. “Even if it worked, it would simply drive ransomware attackers to softer targets.”

Ransomware pulled in more than £1 billion ($1.3 billion) from victims worldwide in 2023, according to the Home Office. It has become a lucrative source of cash for cybercriminals and state-sponsored actors able to infiltrate businesses and government agencies and take control of their networks and data.

Law enforcement agencies and the government see it as the biggest cyber risk facing businesses in Britain. But it is also perceived as a direct threat to national security because of the ability of criminals to shut down hospitals, energy suppliers and grocery chains.

The National Cyber Security Centre helped to manage 317 ransomware incidents in the 12 months to August 2024. They included 13 separate attacks deemed to be “nationally significant” that “posed serious harm to essential services or the wider economy.”

They include Russian hackers who stole private medical data in June 2024 in a ransomware attack on a medical testing company, Synnovis Services LLP, that disrupted London hospitals. And hackers demanded £600,000 from the British Library to prevent publication of stolen files, a demand it refused to pay, in October 2023.

What to do about the problem divides opinion. Some experts say that paying the ransom puts money in the pockets of organized crime, terrorists and sanctioned individuals — with no guarantee that the stolen data will be returned or services resumed. Paying helps to create a business model, encouraging more attacks.

Many organizations targeted do not pay. Most victims interviewed by the National Crime Agency said they did not want to reward their attackers.

But principles come at a cost.

Marks & Spencer, the grocery and clothing chain, continues to lose money following a recent ransomware attack that has disrupted service and will cost it an estimated £300 million. And the Legal Aid Agency, which revealed in May that data dating back to 2010 had been stolen, warned anyone who had applied for legal support in criminal cases that they face the risk of being scammed.

But some companies see no other option. LockBit hackers hit Allen & Overy with a ransomware attack in 2023, but later retracted their threat to release the stolen data. Cyber-experts have interpreted this as a sign that A&O paid out to prevent sensitive client information from being released, although the firm never publicly commented.

Against this backdrop, the Home Office said in March that it was consulting on a range of proposals. They include a limited ban on publicly owned bodies and operators of critical national infrastructure making payments, mandatory reporting of all ransomware attacks by companies that meet thresholds and even approval by the government before they make any payment.

But lawyers warn that the proposals are risky. Payments are already widely viewed as the last resort, a drastic step for companies to take only when backup files restoring their operations fail or there is a risk that the stolen data is not encrypted.

James Longster, a partner in the technology and commercial transactions practice at Travers Smith LLP, said that private sector clients, particularly financial services firms, are concerned that putting restrictions on public-sector targets will simply push criminals to intensify their attacks on them.

“There isn’t a magic answer,” Longster said. “People want to do something because it’s a problem. It’s hard to work out exactly what that is.”

There was also doubt among observers about how the proposals would work in practice. When would companies, trying to get to grips with resuming service, be required to notify the government of the attack? How would a ban, if it was extended to the private sector, affect global companies in countries where there was no bar to payment?

The government has already introduced compulsory reporting of cyberattacks in the Cyber Security and Resilience Bill, which is making its way through Parliament. Victims would be required to report an incident only once. But lawyers say a lack of detail means it is unclear how the proposals would sit alongside existing notification requirements, potentially delaying payment during talks with authorities — and prolonging the disruption.

Business leaders fear the proposals might also lead to expensive red tape when they are already under pressure. Companies already face a race against the clock to disclose cyberattacks to their regulator, the Information Commissioner’s Office — and, potentially, to individuals if personal data was stolen.

Longster predicted that the ban on public sector bodies making payments might not make it into legislation if there was resistance during the consultation. But he said that the reporting obligations to the central government “could meaningfully turn the dial” by equipping law enforcement agencies with the best information possible.

Another proposal would require businesses to gain government clearance to ensure that money would not go to sanctioned individuals or terrorists. Christopher Whitehouse of Reynolds Porter Chamberlain LLP said that limited legislation introducing a reporting requirement – but not going as far as an outright ban – would be a good compromise.

“Save for those extreme cases, if there’s something companies could do to survive, but aren’t allowed, it’s going to be a tough sell,” Whitehouse said.

Britain would become one of few Western governments to introduce the ban – perhaps the only one – if it did so. Many countries have pledged not to pay ransoms, but none have actually made it illegal, even if it involves paying a sanctioned entity.

Some U.S. states have passed legislation banning public authorities from paying ransoms, but experts have warned that the results have been mixed.

Hayes of BCL Solicitors also said that the potential ban on government agencies making payments overlooks the fact that hackers, particularly those backed by hostile governments, are often more interested in causing chaos than making money.

Outlawing ransomware payments “risks making hostages of us all,” Hayes said.

“Such sophisticated threat actors are highly unlikely to surrender without a struggle,” Hayes continued. “Far from being deterred, such groups are more likely to fight tenaciously to protect their lucrative business models, with ‘big game’ ransomware groups intentionally targeting the U.K. essential services on which we all rely, both to break the government’s will and serve as a warning to like-minded countries not to follow suit.”

Some lawyers advocate for a more aggressive policy to help ensure that does not happen.

Dominic Holden of Lawrence Stephens said that hackers would look abroad if it was illegal for public and private sector entities to pay out.

Support for small and midsized businesses in the form of tax breaks or subsidized insurance premiums would also mean that the incentives to target the U.K. would vanish, Holden said.

“If the government is going to do this, I don’t think they should do it in half measures,” Holden said. “If you’re going to eradicate the problem, and disincentivize the hackers so they go overseas in jurisdictions where they can be paid, then grasp the nettle and ban all payments.”

Mark Jones, a partner at Paynes Hicks Beach LLP, said there were also concerns that the mandatory reporting requirement could then trigger regulatory scrutiny. The government would have to assure companies that the information would remain confidential if it wants to win support for legislation, Jones said.

“I would also hope to see measures to support those who are victims of ransomware, rather than simply add to the stress of the situation,” Jones added.

For more information on our cryptoassets expertise, please click here.

How to navigate the first 72 hours of a ransomware attack and recover ransoms paid in crypto

Posted on: May 23rd, 2025 by Alanah Lenten

Dominic and Asim’s article was published in Fraud Intelligence, 21 May 2025, and can be found here.

Discovering that you have been the victim of a ransomware attack can be reputationally and financially devastating to an organisation. However, when responding to an attack, the first 72 hours are critical. Quick and decisive action can help preserve evidence, while protecting assets and systems.

Cyber attacks vary in their potency and impact. A ransomware attack which locks down a company’s entire IT system is, of course, different from a more limited attack on a single device – an organisation’s response will therefore vary. However, notifying your insurers and the police, getting internal and external IT support on task immediately, while also notifying company staff should all be considered.

Where data is at risk, notifying the Information Commissioner and other regulators within 72 hours – as well as your customers – can also be necessary.

Should you pay the ransom?

Current guidance from the National Crime Agency is that they do not “encourage endorse nor condone the payment of ransom demands”. This is because there is no guarantee that you will get access to your data or computer, your computer may still be infected, you will be paying a criminal group, and you increase the likelihood that you (and others) may be targeted in the future.

However, in many cases, commercial victims of a ransomware attack can find themselves unable to continue their business operations whilst key systems remain compromised. This is the hacker’s leverage: there may come a point where continued business losses are unsustainable and paying a ransom to unlock their systems becomes an expense in mitigation.

Such ransom payments are often demanded in cryptocurrency and their payment can be covered by insurance. It is important that businesses check their policies to see whether this forms part of their cover.

How to prepare?

Given the number of moving parts involved in managing the aftermath after a ransomware event, it can quickly become overwhelming, unless robust and specific plans are already in place. Such ‘incident response plans’ should already be agreed and understood by the company’s leadership and those staff who will need to take action. Running simulations of how a business will cope during a ransomware attack is advisable (e.g. turning to paper processes in the short term and ensuring that all know what their roles are during an attack).

Backing up your systems on a regular basis and training staff to recognise unusual behaviour or unexpected activity on their devices is critical – for example, phishing emails, unprompted windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much. This can suggest that scammers have taken remote control of your device, under the pretence of assisting you, through remote-access services such as AnyDesk.

How to react?

While you are reacting to the consequences of the breach, you may simultaneously have to identify and fix the vulnerability, comply with legal and regulatory requirements, notify your insurers and provide comfort to your staff, customers and suppliers that matters are in hand. During this period, chaos can ensue, and mistakes can be made that could severely hamper any subsequent investigation.

Below are some key points to bear in mind during this initial period:

Preserve the evidence

The preservation of evidence is a key initial task, and leadership should strive to work with professionals to ensure that all system logs are retained. It is advisable to hire in digital forensics or organisations that specialise in dealing with cyberattacks – if you have good cyber insurance, this is something your insurer may provide.

Avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets.

If possible, take a full forensic image of the affected devices and work from backups (provided these have not also been compromised by the attack). You may need to buy fresh devices so that those affected can be preserved as evidence.

Your internal communications team may want to take on PR consultants to assist with crisis comms as the news breaks, if it is an attack with significant reputational implications.

Secure Your Communications

It may be wise to set up new, secure email addresses immediately and avoid logging into any accounts you suspect may have been compromised. You should consider how best to continue internal communications, with secure channels being set up to action any critical messaging.

It may be necessary to notify your bank and/or other service providers of any new email address, or communication preferences, to ensure that no instructions are taken from the old email addresses.

In attacks where the victims have been socially engineered, one or more company email addresses or social media accounts may have been compromised. You should access the log-in history which details the IP address and location of all log-in attempts.

If there are any suspicious logins, it is likely that email addresses have been compromised, and your communications may be monitored or used by the scammers to gain further access. This could also impact other accounts, bank accounts and social media profiles.
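One way to review such a log-in history, as an added example that is not from the original article or the firm: it takes a constructed export of timestamp, account, source IP, geolocated country and outcome, and flags successful sign-ins from unexpected countries or unseen IPs, sign-ins that follow a run of failed attempts, and sign-ins from two countries within too short a window. The expected countries, known IPs and travel window are assumptions to be replaced with your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an account's log-in history, in the shape most
# providers export: timestamp (UTC), account, source IP, geolocated country,
# and whether the attempt succeeded. These values are made up for this example.
LOGIN_HISTORY = [
    ("2025-06-02T08:55:00", "finance@example.co.uk", "203.0.113.5",   "GB", True),
    ("2025-06-02T09:10:00", "finance@example.co.uk", "203.0.113.5",   "GB", True),
    ("2025-06-02T23:41:00", "finance@example.co.uk", "198.51.100.77", "NG", False),
    ("2025-06-02T23:41:30", "finance@example.co.uk", "198.51.100.77", "NG", False),
    ("2025-06-02T23:42:10", "finance@example.co.uk", "198.51.100.77", "NG", True),
    ("2025-06-03T09:02:00", "finance@example.co.uk", "203.0.113.5",   "GB", True),
]

# Countries and addresses from which this organisation expects staff to sign in
# (assumption for the example; replace with your own baseline).
EXPECTED_COUNTRIES = {"GB"}
KNOWN_IPS = {"203.0.113.5"}
TRAVEL_WINDOW = timedelta(hours=2)

def suspicious_logins(history, expected=EXPECTED_COUNTRIES, known_ips=KNOWN_IPS):
    """Return a list of (timestamp, ip, reason) for successful log-ins worth investigating."""
    findings = []
    last_success = {}                   # account -> (datetime, country) of previous success
    recent_failures = defaultdict(int)  # (account, ip) -> consecutive failed attempts
    for ts, account, ip, country, ok in sorted(history):
        when = datetime.fromisoformat(ts)
        if not ok:
            recent_failures[(account, ip)] += 1
            continue
        reasons = []
        if country not in expected:
            reasons.append(f"country {country} outside expected set")
        if ip not in known_ips:
            reasons.append(f"unseen IP {ip}")
        if recent_failures[(account, ip)] >= 2:
            reasons.append(f"success after {recent_failures[(account, ip)]} failures")
        prev = last_success.get(account)
        if prev and prev[1] != country and when - prev[0] < TRAVEL_WINDOW:
            reasons.append(f"{prev[1]} -> {country} within {TRAVEL_WINDOW}")
        recent_failures[(account, ip)] = 0
        last_success[account] = (when, country)
        if reasons:
            findings.append((ts, ip, "; ".join(reasons)))
    return findings
```

Each flagged entry keeps the raw timestamp and IP so it can be copied straight into the evidence record described above.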

It is vital that passwords are immediately changed and strengthened across the organisation.

Communicating with the Hackers

When the hackers reach out to demand a ransom payment from you, ensure that they are unaware of the steps you are taking internally.

Ransom payment negotiators are available to assist with these negotiations to drive the ransom demanded down. This can also buy an organisation time if the hacker is threatening to publish the compromised data on the internet.

Make sure to collate a detailed record of all communications with the hackers, including requests for payment, emails, phone calls, text messages and social media interactions. If the ransom is paid in crypto, take a note of the transaction details, wallet addresses, transaction hashes etc.

If you have been directed to a webpage during your interactions with the hackers, take screenshots of these pages in case they disappear. Any evidence of what jurisdiction they may be in is also vital.

Accurate records are crucial for any subsequent legal action and investigations.

Recovering the ransom payment

If the ransom is paid in crypto, this could give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action. It may also allow time for the necessary court orders to freeze assets to be granted and implemented. These steps, if taken quickly, can result in an organisation (or their insurer) recovering the ransom after it has been paid.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets, as well as the relevant transaction hashes or addresses, as these will form the basis of asserting your proprietary claim to those assets, which is essential in recovering them.

Hackers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. Exchanges are subject to a degree of regulatory oversight and operate compliance mechanisms to satisfy the requirements of the highly regulated banking entities they typically deal with.

Your legal team can place exchanges on notice that they have received the proceeds of crime and request they freeze the relevant accounts while also requesting disclosure of any onward transfers and withdrawals from that account to trace the stolen assets.

Report to Law Enforcement

The attack should be reported to the police and Action Fraud. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible and obtain a direct liaison and contact details. Try not to be discouraged or frustrated if the police cannot offer much help.

Police resources, expertise, and capacity to deal with cyber crime can vary considerably, and officers may lack immediate familiarity with the complexities involved.

Even if the police can’t provide much assistance, a formal report is important, as it creates an official record that supports other legal and recovery actions you may take and can also assist law enforcement in identifying patterns in criminal gangs to help others avoid falling victim.

Engage with Experts

Engaging promptly with specialist IT and legal advisors experienced in breach response is crucial to mitigate the fallout from the attack and limit business interruption.

Cyber experts should be able to quickly identify the areas of your system that have been affected, the extent of the breach and the data under threat, as well as devise a plan for bringing your systems back into operation. It may be possible to decrypt some of the compromised data without paying the ransom, or to restore your systems from backups.

Your legal team should work closely with these experts to ensure that your regulators are notified of the attack and kept abreast of developments. Your legal team may also need to review your company’s commercial agreements, to see if any termination or notification events are triggered as well as deal with any claims that might arise from your suppliers or customers as a result of the attack.

Conclusion

Careful advance planning, and swift and methodical action when an attack occurs, can reduce stress while also significantly limiting the damage a ransomware attack can cause to an organisation in the first 72 hours.