Posts Tagged ‘ransomware’

Dominic Holden discusses proposed ransomware ban in Law 360

Posted on: May 23rd, 2025 by Natasha Cox

Director Dominic Holden discusses the UK government’s proposals for a ransomware ban in Law 360.

Dominic’s article was published in Law 360, 22 May 2025.

Ransomware ban move could push hackers to private sector

The government’s bid to crack down on ransomware payments could heap pressure on companies in crisis without any guarantee that it will pull the plug on the billion-pound cybercrime industry, lawyers say.

Proposals by the Home Office to ban public entities from making ransom payments and to require other bodies to consult with the authorities before they consider sending money to their attackers are intended to undermine the ransomware business model by making the U.K. a less profitable target.

But lawyers warn that the proposals, set out in a wide-ranging government consultation, appear to underestimate the opponents.

“Deceptively simple and undoubtedly well-intentioned, the proposal borders on the naive,” Julian Hayes, a partner at BCL Solicitors LLP said. “Even if it worked, it would simply drive ransomware attackers to softer targets.”

Ransomware pulled in more than £1 billion ($1.3 billion) from victims worldwide in 2023, according to the Home Office. It has become a lucrative source of cash for cybercriminals and state-sponsored actors able to infiltrate businesses and government agencies and take control of their networks and data.

Law enforcement agencies and the government see it as the biggest cyber risk facing businesses in Britain. But it is also perceived as a direct threat to national security because of the ability of criminals to shut down hospitals, energy suppliers and grocery chains.

The National Cyber Security Centre helped to manage 317 ransomware incidents in the 12 months to August 2024. They included 13 separate attacks deemed to be “nationally significant” that “posed serious harm to essential services or the wider economy.”

They include Russian hackers who stole private medical data in June 2024 in a ransomware attack on a medical testing company, Synnovis Services LLP, that disrupted London hospitals. And hackers demanded £600,000 from the British Library to prevent publication of stolen files, a demand it refused to pay, in October 2023.

What to do about the problem divides opinion. Some experts say that paying the ransom puts money in the pockets of organized crime, terrorists and sanctioned individuals — with no guarantee that the stolen data will be returned or services resumed. Paying helps to create a business model, encouraging more attacks.

Many organizations targeted do not pay. Most victims interviewed by the National Crime Agency said they did not want to reward their attackers.

But principles come at a cost.

Marks & Spencer, the grocery and clothing chain, continues to lose money following a recent ransomware attack that has disrupted service and will cost it an estimated £300 million. And the Legal Aid Agency, which revealed in May that data dating back to 2010 had been stolen, warned anyone who had applied for legal support in criminal cases that they face the risk of being scammed.

But some companies see no other option. LockBit hackers hit Allen & Overy with a ransomware attack in 2023, but the group later retracted its threat to release the stolen data. Cyber-experts have interpreted this as a sign that A&O paid out to prevent sensitive client information being released, although the firm never publicly commented.

Against this backdrop, the Home Office said in March that it was consulting on a range of proposals. They include a limited ban on publicly owned bodies and operators of critical national infrastructure making payments, mandatory reporting of all ransomware attacks by companies that meet thresholds and even approval by the government before they make any payment.

But lawyers warn that the proposals are risky. Payments are already widely viewed as the last resort, a drastic step for companies to take only when restoring operations from backups fails, or when data was stolen in the clear and could be published.

James Longster, a partner in the technology and commercial transactions practice at Travers Smith LLP, said that private sector clients, particularly financial services firms, are concerned that putting restrictions on public-sector targets will simply push criminals to intensify their attacks on them.

“There isn’t a magic answer,” Longster said. “People want to do something because it’s a problem. It’s hard to work out exactly what that is.”

There was also doubt among observers about how the proposals would work in practice. When would companies, trying to get to grips with resuming service, be required to notify the government of the attack? How would a ban, if it was extended to the private sector, affect global companies in countries where there was no bar to payment?

The government has already introduced compulsory reporting of cyberattacks in the Cyber Security and Resilience Bill, which is making its way through Parliament. Victims would be required to report an incident only once. But lawyers say a lack of detail means it is unclear how the proposals would sit alongside existing notification requirements, potentially delaying payment during talks with authorities — and prolonging the disruption.

Business leaders fear the proposals might also lead to expensive red tape when they are already under pressure. Companies already face a race against the clock to disclose cyberattacks to their regulator, the Information Commissioner’s Office — and, potentially, to individuals if personal data was stolen.

Longster predicted that the ban on public sector bodies making payments might not make it into legislation if there was resistance during the consultation. But he said that the reporting obligations to the central government “could meaningfully turn the dial” by equipping law enforcement agencies with the best information possible.

Another proposal would require businesses to gain government clearance to ensure that money would not go to sanctioned individuals or terrorists. Christopher Whitehouse of Reynolds Porter Chamberlain LLP said that limited legislation introducing a reporting requirement – but not going as far as an outright ban – would be a good compromise.

“Save for those extreme cases, if there’s something companies could do to survive, but aren’t allowed, it’s going to be a tough sell,” Whitehouse said.

Britain would become one of few Western governments to introduce such a ban, perhaps the only one, if it did so. Many countries have pledged not to pay ransoms, but none has made payment itself illegal; what is already unlawful is paying a sanctioned entity, which sanctions law prohibits whatever the context.

Some U.S. states have passed legislation banning public authorities from paying ransoms, but experts have warned that the results have been mixed.

Hayes of BCL Solicitors also said that the potential ban on government agencies making payments overlooks the fact that hackers, particularly those backed by hostile governments, are often more interested in causing chaos than making money.

Outlawing ransomware payments “risks making hostages of us all,” Hayes said.

“Such sophisticated threat actors are highly unlikely to surrender without a struggle,” Hayes continued. “Far from being deterred, such groups are more likely to fight tenaciously to protect their lucrative business models, with ‘big game’ ransomware groups intentionally targeting the U.K. essential services on which we all rely, both to break the government’s will and serve as a warning to like-minded countries not to follow suit.”

Some lawyers advocate for a more aggressive policy to help ensure that does not happen.

Dominic Holden of Lawrence Stephens said that hackers would look abroad if it was illegal for public and private sector entities to pay out.

Support for small and midsized businesses in the form of tax breaks or subsidized insurance premiums would also mean that the incentives to target the U.K. would vanish, Holden said.

“If the government is going to do this, I don’t think they should do it in half measures,” Holden said. “If you’re going to eradicate the problem, and disincentivize the hackers so they go overseas in jurisdictions where they can be paid, then grasp the nettle and ban all payments.”

Mark Jones, a partner at Payne Hicks Beach LLP, said there were also concerns that the mandatory reporting requirement could then trigger regulatory scrutiny. The government would have to assure companies that the information would remain confidential if it wants to win support for legislation, Jones said.

“I would also hope to see measures to support those who are victims of ransomware, rather than simply add to the stress of the situation,” Jones added.


How to navigate the first 72 hours of a ransomware attack and recover ransoms paid in crypto

Posted on: May 23rd, 2025 by Alanah Lenten

Dominic and Asim’s article was published in Fraud Intelligence, 21 May 2025.

Discovering that you have been the victim of a ransomware attack can be reputationally and financially devastating to an organisation. However, when responding to an attack, the first 72 hours are critical. Quick and decisive action can help preserve evidence, while protecting assets and systems.

Cyber attacks vary in their potency and impact. A ransomware attack which locks down a company’s entire IT system is, of course, different from a more limited attack on a single device, so an organisation’s response will vary. In every case, however, notifying your insurers and the police, getting internal and external IT support on task immediately, and informing company staff should all be considered.

Where data is at risk, notifying the Information Commissioner and other regulators within 72 hours – as well as your customers – can also be necessary.

Should you pay the ransom?

Current guidance from the National Crime Agency is that they do not “encourage, endorse nor condone the payment of ransom demands”. This is because there is no guarantee that you will get access to your data or computer, your computer may still be infected, you will be paying a criminal group, and you increase the likelihood that you (and others) may be targeted in the future.

However, in many cases, commercial victims of a ransomware attack find themselves unable to continue their business operations while key systems remain compromised. This is the hacker’s leverage: there may come a point where continued business losses are unsustainable and paying a ransom to unlock the systems becomes an expense in mitigation.

Such ransom payments are often demanded in cryptocurrency and their payment can be covered by insurance. It is important that businesses check their policies to see whether this forms part of their cover.

How to prepare?

Given the number of moving parts involved in managing the aftermath of a ransomware event, it can quickly become overwhelming unless robust and specific plans are already in place. Such ‘incident response plans’ should be agreed in advance and understood by the company’s leadership and by the staff who will need to act. Running simulations of how the business will cope during a ransomware attack is advisable (for example, turning to paper processes in the short term and ensuring everyone knows their role during an attack).

Backing up your systems on a regular basis and training staff to recognise unusual behaviour or unexpected activity on their devices is critical: for example, phishing emails, windows opening unprompted for a split second, or heavy use of system resources when the device does not appear to be doing much. The last two can indicate that scammers have taken remote control of the device, often under the pretence of assisting you, through legitimate remote-access tools such as AnyDesk.

How to react?

While you are reacting to the consequences of the breach, you may simultaneously have to identify and fix the vulnerability, comply with legal and regulatory requirements, notify your insurers and provide comfort to your staff, customers and suppliers that matters are in hand. During this period, chaos can ensue, and mistakes can be made that could severely hamper any subsequent investigation.

Below are some key points to bear in mind during this initial period:

Preserve the evidence

The preservation of evidence is a key initial task, and leadership should work with professionals to ensure that all system logs are retained. It is advisable to bring in digital forensics specialists or organisations that specialise in dealing with cyberattacks; if you have good cyber insurance, this is something your insurer may provide.

Avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets.

If possible, take a full forensic image of the affected devices and work from backups (provided these have not also been compromised by the attack). You may need to buy fresh devices so that those affected can be preserved as evidence.
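The imaging step above is only useful as evidence if the copy can later be shown to be identical to the source. The following is an added example, not code from the article or from Lawrence Stephens, of the minimum a practitioner does with a forensic image: copy the source bit for bit, hash both source and copy with SHA-256, refuse to proceed if the hashes differ, and write a custody record (who, when, what, hash) beside the image. For the demonstration the “device” is a constructed sample file in a temporary directory; on a real host `source` would be a block device path behind a hardware write blocker. The case reference, examiner name and file names are hypothetical.

```python
"""Image an evidence source, verify the copy, and write a custody record.

Added illustration, not from the article. The 'device' below is a
constructed file; in practice `source` is a block device (e.g. /dev/sdb)
attached through a write blocker and opened read-only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat however large the disk is


def sha256_file(path):
    """SHA-256 of a file read in chunks (independent re-read of the image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, image_path, examiner, case_ref):
    """Copy source to image_path, verify the hashes match, return the custody record.

    Raises RuntimeError on a hash mismatch: such an image must not be relied on
    (re-image and check the media rather than continue).
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)  # hash the source in the same pass as the copy
            dst.write(chunk)
    record = {
        "case_ref": case_ref,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "source_sha256": src_hash.hexdigest(),
        "image": image_path,
        "image_sha256": sha256_file(image_path),  # re-read the written copy
        "size_bytes": os.path.getsize(image_path),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    if not record["verified"]:
        raise RuntimeError("image hash mismatch; do not rely on this image")
    # The custody record sits beside the image; note its own hash in the case file.
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo():
    """Run the procedure against a constructed sample 'device' (not real evidence)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_device.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sample data\x00" * 4096)  # constructed content
    image = os.path.join(workdir, "sample_device.raw")  # hypothetical image name
    return image_and_verify(source, image,
                            examiner="IR analyst (hypothetical)",
                            case_ref="CASE-0001 (hypothetical)")


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], "sha256:", rec["image_sha256"])
```

Keep the custody record and the image together from this point on; if the image is ever copied again, re-run the hash and append to the record rather than overwriting it.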

Your internal communications team may want to take on PR consultants to assist with crisis comms as the news breaks, if it is an attack with significant reputational implications.

Secure Your Communications

It may be wise to set up new, secure email addresses immediately, on infrastructure separate from the compromised environment, and to avoid logging into any accounts you suspect may have been compromised. Consider how internal communications will continue: set up an out-of-band channel for critical messaging so that an attacker still inside the network cannot read the response effort.

It may be necessary to notify your bank and/or other service providers of any new email address or communication preferences, to ensure that no instructions are taken from the old email addresses.

In attacks where the victims have been socially engineered, one or more company email addresses or social media accounts may have been compromised. You should access the log-in history which details the IP address and location of all log-in attempts.

If there are any suspicious logins, it is likely that email addresses have been compromised, and your communications may be monitored or used by the scammers to gain further access. This could also impact other accounts, bank accounts and social media profiles.

It is vital that passwords are immediately changed and strengthened across the organisation. Changing a password does not end sessions that are already signed in, so active sessions and tokens for affected accounts should be revoked at the same time and multi-factor authentication enforced.
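The log-in history review described above is easier to do systematically than by eye. The following is an added example, not code from the article or from Lawrence Stephens, that runs three first-pass checks over an exported sign-in history: a successful sign-in from a country the user has never used before, two successful sign-ins from different countries closer together than anyone could travel, and a run of failed attempts followed by a success from the same IP address. The sample export, its column layout (timestamp, user, IP, country, result) and the per-user baseline are all constructed for the demonstration and do not reflect any particular vendor’s format; in practice the baseline comes from the export for the weeks before the incident.

```python
"""Triage exported sign-in history for signs of account compromise.

Added example, not from the article. The CSV layout, the baseline and the
thresholds are assumptions for the demo, not any vendor's real export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data); timestamps are UTC.
SAMPLE_SIGNINS = """\
timestamp,user,ip,country,result
2025-05-01T08:02:11Z,finance@example.invalid,203.0.113.10,GB,success
2025-05-01T08:40:03Z,finance@example.invalid,203.0.113.10,GB,success
2025-05-01T09:15:44Z,finance@example.invalid,198.51.100.77,RO,success
2025-05-01T21:00:01Z,ceo@example.invalid,192.0.2.55,NG,failure
2025-05-01T21:00:09Z,ceo@example.invalid,192.0.2.55,NG,failure
2025-05-01T21:00:17Z,ceo@example.invalid,192.0.2.55,NG,failure
2025-05-01T21:00:25Z,ceo@example.invalid,192.0.2.55,NG,failure
2025-05-01T21:00:40Z,ceo@example.invalid,192.0.2.55,NG,success
2025-05-02T07:55:00Z,ops@example.invalid,203.0.113.22,GB,success
"""

# Assumed baseline: countries each user normally signs in from, derived in
# practice from the pre-incident history rather than typed in by hand.
BASELINE_COUNTRIES = {
    "finance@example.invalid": {"GB"},
    "ceo@example.invalid": {"GB"},
    "ops@example.invalid": {"GB"},
}

TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is not plausible travel
FAILURE_BURST = 3                   # this many failures then a success from one IP


def parse_signins(text):
    """Parse the export and sort it by time so per-user checks see events in order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    rows.sort(key=lambda r: r["ts"])
    return rows


def triage(rows, baseline):
    """Return (user, reason, evidence) findings suitable for the incident record."""
    findings = []
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        known = baseline.get(user, set())
        last_success = None
        failures = defaultdict(int)  # ip -> consecutive failures since last success
        for e in events:
            if e["result"] != "success":
                failures[e["ip"]] += 1
                continue
            if e["country"] not in known:
                findings.append((user, "new_country",
                                 f'{e["country"]} from {e["ip"]} at {e["timestamp"]}'))
            if (last_success and e["country"] != last_success["country"]
                    and e["ts"] - last_success["ts"] < TRAVEL_WINDOW):
                gap = e["ts"] - last_success["ts"]
                findings.append((user, "impossible_travel",
                                 f'{last_success["country"]}->{e["country"]} in {gap}'))
            if failures[e["ip"]] >= FAILURE_BURST:
                findings.append((user, "failures_then_success",
                                 f'{failures[e["ip"]]} failures then success from {e["ip"]}'))
            failures[e["ip"]] = 0
            last_success = e
    return findings


if __name__ == "__main__":
    for finding in triage(parse_signins(SAMPLE_SIGNINS), BASELINE_COUNTRIES):
        print(" | ".join(finding))
```

On the sample data this flags the finance account twice (a new country and a GB to RO hop within 36 minutes) and the chief executive’s account twice (a new country and four failures followed by a success), and nothing for the ops account. Each finding names the IP and time, which is exactly what the legal team needs when asking a provider for the session and device details behind it.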

Communicating with the Hackers

When the hackers reach out to demand a ransom payment from you, ensure that they are unaware of the steps you are taking internally; if your email or network may still be compromised, discuss the response only over channels they cannot read.

Ransom payment negotiators are available to assist with these negotiations to drive the ransom demanded down. This can also buy an organisation time if the hacker is threatening to publish the compromised data on the internet.

Make sure to collate a detailed record of all communications with the hackers, including requests for payments, emails, phone calls, text messages, social media interactions. If the ransom is paid in crypto, take a note of the transaction details, wallet addresses and transaction hashes etc.

If you have been directed to a webpage during your interactions with the hackers, take screenshots of these pages in case they disappear. Any evidence of the jurisdiction they may be operating from is also vital.

Accurate records are crucial for any subsequent legal action and investigations.

Recovering the ransom payment

If the ransom is paid in crypto, this could give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action. It may also allow time for the necessary court orders to freeze assets to be granted and implemented. These steps, if taken quickly, can result in an organisation (or their insurer) recovering the ransom after it has been paid.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets, as well as relevant transaction hashes or addresses as these will form the basis of asserting your proprietary claim to those assets, which is essential in recovering them.
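The wallet addresses and transaction hashes noted during the payment (see “Communicating with the Hackers” above) become the basis of the proprietary claim put to exchanges, so a single mistyped character sends a freeze request for the wrong account. The following is an added example, not code from the article or from Lawrence Stephens, that checks those identifiers before they go into the evidence record: a legacy Bitcoin address (Base58Check, ‘1…’ P2PKH or ‘3…’ P2SH) must carry a correct four-byte double-SHA-256 checksum, and a Bitcoin transaction ID must be 64 hexadecimal characters. Bech32 (‘bc1…’) addresses and other chains are outside what this block verifies and are marked ‘unchecked’ rather than accepted. The sample values are the well-known Bitcoin genesis-block address and a constructed transaction ID; the record fields are an assumed layout.

```python
"""Validate ransom-payment identifiers before recording them as evidence.

Added example, not from the article. Covers Base58Check legacy Bitcoin
addresses and 64-hex txids only; bech32 and other chains are reported as
'unchecked' so they are never silently accepted.
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TXID_RE = re.compile(r"[0-9a-fA-F]{64}")


def base58check_decode(addr):
    """Return the 21-byte payload if the checksum verifies, otherwise None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None  # 0, O, I and l are not in the Base58 alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading 0x00 byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def classify_address(addr):
    """'p2pkh', 'p2sh', 'unchecked' (bech32, not verified here) or 'invalid'."""
    if addr.lower().startswith("bc1"):
        return "unchecked"
    payload = base58check_decode(addr)
    if payload is None:
        return "invalid"
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0], "invalid")


def valid_txid(txid):
    """A Bitcoin transaction ID is exactly 64 hex characters."""
    return TXID_RE.fullmatch(txid) is not None


def evidence_entry(addr, txid, note):
    """One line for the payment log; record_ok is False unless both identifiers check out."""
    kind = classify_address(addr)
    entry = {
        "address": addr,
        "address_kind": kind,
        "txid": txid.lower(),
        "txid_ok": valid_txid(txid),
        "note": note,
    }
    entry["record_ok"] = kind in ("p2pkh", "p2sh") and entry["txid_ok"]
    return entry


if __name__ == "__main__":
    e = evidence_entry("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # genesis-block address
                       "ab" * 32,                             # constructed txid
                       "constructed example payment")
    print(e["address_kind"], e["txid_ok"], e["record_ok"])
```

A record with `record_ok` false should be re-checked against the original source (the attacker’s page screenshot or the wallet software) before it is relied on in a notice to an exchange.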

Hackers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. Exchanges are subject to a degree of regulatory oversight and run compliance mechanisms to satisfy the requirements of the banking entities they rely on, which are typically highly regulated.

Your legal team can place exchanges on notice that they have received the proceeds of crime and request they freeze the relevant accounts while also requesting disclosure of any onward transfers and withdrawals from that account to trace the stolen assets.

Report to Law Enforcement

The attack should be reported to the police and Action Fraud. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible and obtain a direct liaison and contact details. Try not to be discouraged or frustrated if the police cannot offer much help.

Police resources, expertise, and capacity to deal with cyber crime can vary considerably, and officers may lack immediate familiarity with the complexities involved.

Even if the police can’t provide much assistance, a formal report is important, as it creates an official record that supports other legal and recovery actions you may take and can also assist law enforcement in identifying patterns in criminal gangs to help others avoid falling victim.

Engage with Experts

Engaging promptly with specialist IT and legal advisors experienced in breach response is crucial to mitigate the fallout from the attack and limit business interruption.

Cyber experts should be able to quickly identify the areas of your system that have been affected, the extent of the breach and the data under threat, as well as devise a plan for bringing your systems back into operation. It may be possible to decrypt some of the compromised data without paying the ransom, for example where a flaw in the ransomware or a publicly released decryptor exists, or to restore your systems from backups.

Your legal team should work closely with these experts to ensure that your regulators are notified of the attack and kept abreast of developments. Your legal team may also need to review your company’s commercial agreements, to see if any termination or notification events are triggered as well as deal with any claims that might arise from your suppliers or customers as a result of the attack.

Conclusion

Careful advanced planning and swift and methodical action when an attack occurs can reduce stress, while also significantly limiting the damage a ransomware attack can cause to an organisation in the first 72 hours.

Dominic Holden explores the Home Office consultation on ransomware payments, in Law360

Posted on: April 10th, 2025 by Natasha Cox

Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.

Dominic’s article was published in Law360, 9 April 2025. 

On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.

The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.

Yet, these proposals are not without their flaws.

This article examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.

What is ransomware?

Ransomware is a type of malware that unlawfully encrypts files on a host computer system; in many current attacks the data is also copied out of the network before it is encrypted. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files, and to refrain from publishing the stolen data, in return for money, typically in cryptocurrency.

These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.

Growing threats

One of the key triggers for this consultation exercise appears to have been the Synnovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]

Ransomware attacks are a growing threat. Over the twelve months to August 2024, the UK’s National Cyber Security Centre (NCSC) managed 430 cyber incidents, including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].

As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.

These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000 with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400% up from $400,000 to $2 million. Meanwhile the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].

Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.

The question of how to meet this threat faces governments across the globe.

Exploring the Home Office proposals

Banning ransomware payments

The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.

However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.

The alternative to payment is trying to reset and restore an organisation’s systems from backup (assuming regular backups exist), with the risk of catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.

According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].

That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom, were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.

‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.

This poses the question of whether the Government’s proposed limited ban goes far enough.

The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations and focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs, which make up around 99.9% of UK businesses but lack the resources to mount an effective defence against, and response to, a ransomware attack[7].

A limited ban is not the only measure under consideration.

Reporting of all ransomware attacks

The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to that which has already been proposed in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.

The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.

This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.

The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.

Decision to pay a ransom

Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.

The idea of the authorities needing to approve (or not) the payment of ransoms, is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best, would seem to be ill-advised.

It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.

The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.

Conclusion

It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.

However, the consultation is light on detail as to how the Government intends to enforce compliance, and around the resources that will be available to ensure the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.

If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.

While these proposals rumble throughout Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or ensure they are able effectively to deal with one when it comes.

Training staff to identify potential ransomware and other cyber-attacks, along with regular system checks, backups and patching, can be essential in mitigating these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which sets out how the business can operate in the face of a ransomware event.


[1] Home Office, “World-leading proposals to protect businesses from cybercrime”: https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[2] NHS England (London), “Latest media statement on Synnovis cyber attack”: https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/

[3] As [1]: https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[4] “Over Half of Breached UK Firms Pay Ransom”, Infosecurity Magazine

[5] Sophos, “The State of Ransomware 2024”: https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6] Veeam, “2024 Ransomware Trends Report”: https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf

[7] “Business population estimates for the UK and regions 2023: statistical release”, gov.uk: https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release