How to navigate the first 72 hours of a ransomware attack and recover ransoms paid in crypto

Posted on: May 23rd, 2025 by Alanah Lenten

Dominic and Asim’s article was published in Fraud Intelligence, 21 May 2025, and can be found here.

Discovering that you have been the victim of a ransomware attack can be reputationally and financially devastating to an organisation. However, when responding to an attack, the first 72-hours are critical. Quick and decisive action can help preserve evidence, while protecting assets and systems.

Cyber attacks vary in their potency and impact. A ransomware attack which locks down a company’s entire IT system is, of course, different from a more limited attack on a single device – an organisation’s response will therefore vary. However, notifying your insurers and the police, getting internal and external IT support on task immediately, while also notifying company staff should all be considered.

Where data is at risk, notifying the Information Commissioner and other regulators within 72 hours – as well as your customers – can also be necessary.

Should you pay the ransom?

Current guidance from the National Crime Agency is that they do not “encourage endorse nor condone the payment of ransom demands”. This is because there is no guarantee that you will get access to your data or computer, your computer may still be infected, you will be paying a criminal group, and you increase the likelihood that you (and others) may be targeted in the future.

However, in many cases, commercial victims of a ransomware attack can find themselves unable to continue their business operations whilst key systems remain compromised. This is the hacker’s leverage, that, there may come a point where continued business losses are unsustainable and paying a ransom to unlock their systems becomes an expense in mitigation.

Such ransom payments are often demanded in cryptocurrency and their payment can be covered by insurance. It is important that businesses check their policies to see whether this forms part of their cover.

How to prepare?

Given the number of moving parts involved in managing the aftermath after a ransomware event, it can quickly become overwhelming, unless robust and specific plans are already in place. Such ‘incident response plans’ should already be agreed and understood by the company’s leadership and those staff who will need to take action. Running simulations of how a business will cope during a ransomware attack is advisable (e.g. turning to paper processes in the short term and ensuring that all know what their roles are during an attack).

Backing up your systems on a regular basis and training staff to recognise unusual behaviour or unexpected activity on their devices is critical – for example, phishing emails, unprompted windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much. This can suggest that scammers have taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

How to react?

While you are reacting to the consequences of the breach, you may simultaneously have to identify and fix the vulnerability, comply with legal and regulatory requirements, notify your insurers and provide comfort to your staff, customers and suppliers that matters are in hand. During this period, chaos can ensue, and mistakes can be made that could severely hamper any subsequent investigation.

Below are some key points to bear in mind during this initial period:

Preserve the evidence

The preservation of evidence is a key initial task, and leadership should strive to work with professionals to ensure that all system logs are retained. It is advisable to hire in digital forensics or organisations that specialise in dealing with cyberattacks –if you have good cyber insurance, this is something your insurer may provide.

Avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets.

If possible, take a full forensic image of the affected devices and work from backups (provided these have not also been compromised by the attack). You may need to buy fresh devices so that those affected can be preserved as evidence.

Your internal communications team may want to take on PR consultants to assist with crisis comms as the news breaks, if it is an attack with significant reputational implications.

Secure Your Communications

It may be wise to set up new, secure email addresses immediately and avoid logging into any accounts you suspect may have been compromised. You should consider how best to continue internal communications with secure channels being set up to action any critical messaging

It may be necessary to notify your bank and or other service providers of any new email address, or communication preferences, to ensure that no instructions are to be taken from the old email addresses.

In attacks where the victims have been socially engineered, one or more company email addresses or social media accounts may have been compromised. You should access the log-in history which details the IP address and location of all log-in attempts.

If there are any suspicious logins, it is likely that email addresses have been compromised, and your communications may be monitored or used by the scammers to gain further access. This could also impact other accounts, bank accounts and social media profiles.

It is vital that passwords are immediately changed and strengthened across the organisation.

Communicating with the Hackers

When the hackers reach out to demand a ransom payment from you ensure that they are unaware of the steps you are taking internally.

Ransom payment negotiators are available to assist with these negotiations to drive the ransom demanded down. This can also buy an organisation time if the hacker is threatening to publish the compromised data on the internet.

Make sure to collate a detailed record of all communications with the hackers, including requests for payments, emails, phone calls, text messages, social media interactions. If the ransom is paid in crypto, take a note of the transaction details, wallet addresses and transaction hashes etc.

If you have been directed to a webpage during your interactions with the hackers, you should ensure to take screenshots of these pages in case they disappear. Any evidence of what jurisdiction they may be in is also vital.

Accurate records are crucial for any subsequent legal action and investigations.

Recovering the ransom payment

If the ransom is paid in crypto, this could give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action. It may also allow time for the necessary court orders to freeze assets to be granted and implemented. These steps, if taken quickly, can result in an organisation (or their insurer) recovering the ransom after it has been paid.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets, as well as relevant transaction hashes or addresses as these will form the basis of asserting your proprietary claim to those assets, which is essential in recovering them.

Hackers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. Exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Your legal team can place exchanges on notice that they have received the proceeds of crime and request they freeze the relevant accounts while also requesting disclosure of any onward transfers and withdrawals from that account to trace the stolen assets.

Report to Law Enforcement

The attack should be reported to the police and Action Fraud. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible and obtain a direct liaison and contact details. Try not to be discouraged or frustrated if the police cannot offer much help.

Police resources, expertise, and capacity to deal with cyber crime can vary considerably, and officers may lack immediate familiarity with the complexities involved.

Even if the police can’t provide much assistance, a formal report is important, as it creates an official record that supports other legal and recovery actions you may take and can also assist law enforcement in identifying patterns in criminal gangs to help others avoid falling victim.

Engage with Experts

Engaging promptly with specialist IT and legal advisors experienced in breach response is crucial to mitigate the fallout from the attack and limit business interruption.

Cyber experts should be able to quickly identify the areas of your system that have been affected, the extent of the breach and the data under threat, as well as devise a plan for bringing your systems back into operation. It may be possible to decrypt some of the compromised data without paying the ransom, or to restore your systems from backups.

Your legal team should work closely with these experts to ensure that your regulators are notified of the attack and kept abreast of developments. Your legal team may also need to review your company’s commercial agreements, to see if any termination or notification events are triggered as well as deal with any claims that might arise from your suppliers or customers as a result of the attack.

Conclusion

Careful advanced planning and swift and methodical action when an attack occurs can reduce stress, while also significantly limiting the damage a ransomware attack can cause to an organisation in the first 72 hours.

Lawrence Stephens successfully acts for Respondent parent in reported case of M v F

Posted on: May 15th, 2025 by Alanah Lenten

Lawrence Stephens’ Family team, led by Co-Head of Family Eleanor Wood, recently acted for the Respondent parent in the reported Family Court case of M v F [2025] EWFC 114 (B).

A fact-finding hearing as part of child arrangement proceedings, the four-day hearing concerned allegations of long-standing abuse and controlling behaviour made my Lawrence Stephens’ client (Parent M) against their former partner. These included allegations of physical abuse (one of which lead to police involvement), emotional abuse, coercive and controlling behaviour and sexual abuse.

The Applicant (Parent F) contested these allegations, however the judge noted that their evidence was “remarkably inconsistent and lacking in credibility.” The Applicant’s argument that the allegations were financially motivated and intended to block their contact with their child was also rejected by the court.

Concluding her judgment, HHJ Owens upheld all allegations of abuse behaviour made by the Respondent parent, with the case proceeding to determine what arrangements are in the best interest of the child.

The full judgment can be read here.

Lawrence Stephens strengthens Residential Real Estate practice with senior hire

Posted on: May 12th, 2025 by Natasha Cox

Lawrence Stephens is delighted to announce the appointment of Alexa Kordowicz as a Director in the firm’s growing Residential Real Estate team.

Alexa joins from Child & Child, where she developed a leading reputation for advising on high-value residential property transactions. Alexa has built a wide-ranging practice acting for individuals, companies and both UK and international private banks. She brings to the firm a wealth of experience in managing complex and high-net-worth property matters, with a particular focus on delivering a seamless client experience through strong relationships and a commercially minded approach.

Alexa looks forward to working closely with teams such as Private Wealth to coordinate multi-faceted transactions involving extensive property portfolios.

Speaking on her appointment, Alexa commented: “I’m thrilled to be joining the highly regarded team at Lawrence Stephens. The firm’s client-first ethos and collaborative culture are an excellent fit for my approach to legal practice. I look forward to continuing to support clients in the UK and internationally on their residential property matters, and to growing the practice together with the wider team.”

Goli-Michelle Banan, Head of Residential Real Estate, added: “Alexa is an exceptional addition to our team. Her experience in high-value residential transactions, coupled with her commitment to client service, aligns perfectly with our focus on delivering a tailored and positive experience. We’re excited to welcome her to Lawrence Stephens as we continue to expand the scope and strength of our Residential Real Estate offering.”

Details of our Residential Real Estate services can be found here

Lawrence Stephens advises Fidelius on its investment in Vobis

Posted on: May 9th, 2025 by Natasha Cox

Lawrence Stephens has advised Top 100 financial planning firm Fidelius on its acquisition of a non-controlling stake in Vobis, a London and Yorkshire-based IFA.

Founded in 2013, Vobis, which manages over £140m in client assets, specialises in financial planning for high-net-worth individuals and operates a joint venture with a top 60 accountancy practice in central London. The firm also has a regional office in Leeds.

The deal marks the first investment by Fidelius since Swedish wealth manager Söderberg & Partners took a minority stake in the business at the start of 2024.

The Lawrence Stephens’ team was led by Corporate and Commercial Director Jeff Rubenstein, supported by Associate Harshita Samani, Solicitors Lucy Cadley and Avni Patel, and Trainee Electra Kallidou.

Jeff Rubenstein commented: “While this was our first transaction for Fidelius, this assignment was the latest in a series of transactions we have advised on in the rapidly consolidating Financial Services industry. We very much enjoyed working with the Fidelius team, their energy and ambition very much reflects our own ethos and we look forward to working with them in the future”.

Richard Armstrong, Head of Governance, Risk and Compliance at Fidelius responded: “We are grateful for the advice and support provided by the team at Lawrence Stephens. The team were proactive and responsive, and their can-do approach helped move this important transaction along. Our ambition is to be a top 20 IFA and more acquisitions are likely.”

Find out more about our Corporate and Commercial services here

Matt Green discusses crypto assets disputes and recovery with the Government of Gibraltar

Posted on: May 8th, 2025 by Natasha Cox

Director and Head of Blockchain Matt Green presented to the Ministry of Justice, Trade and Industry of the Government of Gibraltar, outlining the evolving legal status of digital assets alongside Scott Pounder, Founder and CEO of Prometheus Insights.

Looking to the current legal landscape and potential future developments, Matt and Scott explained why recognising digital assets as property is essential, considering:

The definition of digital assets
The canon of common law, including Matt’s own cases, and how asset recovery cases created precedents globally
The role of legal definitions of property, now ratified in the Court of Appeal, from case law through to the Property (Digital Assets etc) Bill
Considering a draft statutory instrument designed to bring dealing with crypto assets into the remit of regulated activity under FSMA 2000.

The Government of Gibraltar’s official press release can be found here.

For more information on our digital assets expertise, please click here.

Lawrence Stephens advises Arc’teryx on Manchester store

Posted on: April 25th, 2025 by Natasha Cox

Lawrence Stephens Director Nickhil Mandora and Solicitor Sophie Levitt have advised Arc’teryx on their first UK store outside of London, located at New Cathedral Street, Manchester. The new store is Arc’teryx’s first foray into the UK retail market outside of London and represents a significant vote of confidence for the North West.

Arc’teryx, based in North Vancouver, British Columbia, is a Canadian company specializing in technical outdoor apparel and equipment for mountaineering and alpine sports.

The new store, set to open this summer, will be the brand’s fourth UK location, joining its other retail sites in Covent Garden, Piccadilly, and Battersea Power Station.

Nickhil Mandora has acted on the leases of each of these sites and said “We are delighted to have acted for Arc’teryx on their newest store located on New Cathedral Street, Manchester, which will no doubt have been with met excitement by fashion-conscious Mancunians. Arc’teryx are a brand that are at the top of their game, having managed to effortlessly tap into the zeitgeist, and we look forward to extending our relationship with them.”

For more information on our services and expertise in the commercial real estate sector, please click here.

Matt Green co-signs letter to UK government promoting innovation in the digital asset sector

Posted on: April 10th, 2025 by Natasha Cox

Director and Head of Blockchain and Digital Assets, Matt Green, recently co-signed a letter to the UK government alongside a coalition of leading UK and global trade bodies in the crypto digital assets sector, on behalf of techUK.

Addressed to Varun Chandra, the Prime Minister’s Special Adviser on Business & Investment, the letter cites recent geo-political events as key reasons as to why the UK should continue to advance its digital asset and blockchain policy to ensure that it becomes a premier jurisdiction for crypto investment and innovation.

Matt and his fellow signatories put forward a number of practical recommendations to the government, including the following:

Appointing a ‘blockchain’ special envoy to drive policy alignment and innovation
Developing a Government Action Plan for digital assets and blockchain technology
Recognising the synergy between blockchain, quantum computing, and AI
Establishing a high-level forum for industry-government-regulator engagement

Click here to read their letter in full.

This news was covered by The Times, CoinTelegraph, Binance, Digit News, Finextra, Crypto News, Bloomingbit, Tron Weekly, FX Street, Trading View and Block Weeks.

For more information on our Blockchain and Digital Assets services, click here

Corporate and Commercial Spring Newsletter

Posted on: April 9th, 2025 by Alanah Lenten

Read our Spring Newsletter here

Letter from the Editor Charlotte Hamilton

It has been a busy first quarter of 2025 in the corporate, commercial and employment sectors.

In this edition of our Newsletter, I have summarised the report issued by the Investment Security Unit of the Government (ISU) on the effectiveness of the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021 (NARs). For businesses in the 17 sectors considered sensitive, the NARs dictate whether a notification must be made to the ISU for any proposed acquisition having considerable impact on the timing of an acquisition.

Becci Collins, Solicitor in our Employment team, has summarised the new right introduced by the Statutory Neonatal Care Pay (General) Regulations 2025 for parents to take neo-natal care leave, to receive statutory neo natal care pay and what steps employers should be taking now.

Ewan Ooi, trainee in our Banking team and Samantha Aldridge, paralegal in our Employment team discuss the importance of careful drafting in legally binding agreements and how it can protect businesses.

They summarise two cases highlighting how enforceability depends on the use of clear and precise wording and why legal advice is needed when drafting the terms of commercial agreements and employment contracts.

Please see the key dates section for upcoming corporate, commercial and employment law updates and as always, please be in touch with any queries.

We will be discontinuing this newsletter after this edition. It will be replaced by our brand new newsletter: ‘The Fineprint’.

The Fineprint

‘The Fineprint’ is designed for founders, entrepreneurs, and owner-managed businesses who are passionate about growing their ventures and staying informed about the latest industry trends and legal updates.

If you’re a business owner, startup founder, or an entrepreneur looking to gain insights, practical advice, and inspiration, this newsletter is for you.

For more information please see here, You can opt out at any time.

Lawrence Stephens to roll out newsletter for owner-managed businesses

Posted on: April 7th, 2025 by Alanah Lenten

Welcome to The Fineprint*

Our quarterly newsletter that puts owner-managed businesses at the heart of our musings.

Who should read ‘The Fineprint’?

The Fineprint is designed for founders, entrepreneurs, and owner-managed businesses who are passionate about growing their ventures and staying informed about the latest industry trends and legal updates. If you’re a business owner, startup founder, or an entrepreneur looking to gain insights, practical advice, and inspiration, this newsletter is for you. Whether you’re just starting out or looking to scale your business, The Fineprint offers valuable content tailored to your needs.

What You Can Expect

Owners’ Stories: Get inspired by the journeys of successful entrepreneurs and learn from their experiences.
Legal Advice: Stay informed about the latest legal developments and how they impact your business.
Business Health Guides: Practical tips and checklists to ensure your business is on the right track.
Case Law Updates: Understand the implications of recent case laws on your business operations.
And Everything In Between: From industry insights to expert opinions, we cover all the essential topics you need to know as a business owner and entrepreneur.
The first edition of this newsletter can be expected in July 2025.

To receive this newsletter, sign-up below.

Sign-up here

If you need legal advice, have a story to share, insights to offer, or questions to ask, we’d love to hear from you. Please contact Alenten@lawstep.co.uk for any queries relating to this newsletter.

Lawrence Stephens appoints Head of Financial Institutions and Head of Real Estate Finance

Posted on: April 4th, 2025 by Natasha Cox

Lawrence Stephens is delighted to announce the appointment of Senior Director Greg Palos as Head of the firm’s Financial Institutions sector.

Greg has been at Lawrence Stephens for over 20 years, since merging his own firm in 2004. During this time, he has been responsible for establishing and building the Real Estate Finance and Banking teams at the firm which now includes 12 Directors and 46 professional staff in total.

With this appointment, Greg’s wider role will include ensuring Lawrence Stephens continues to meet the needs of its existing Financial Institution sector clients, build and widen these relationships, and explore new sector opportunities for the firm, both in the UK and internationally.

This important appointment reflects Lawrence Stephens’ twin-engine strategy of focusing on the Financial Institutions and Owner Managed Business sectors which have driven the firm’s strong growth over the last five years.

Lawrence Stephens is also pleased to announce the appointment of Ann Ebberson as Head of the Real Estate Finance department.

Ann is currently a Director in the team, having joined from City firm Rosling King in 2024. She is a well-known industry practitioner, recognised in the legal directories and brings to the role a wealth of sector knowledge and experience.

Acting for a range of banks, lending institutions and fixed charge receivers, her experience spans development finance, property acquisitions and sales, residential landlord and tenant issues, title rectifications and working with litigation colleagues on complex disputes which involve real estate and finance.

Managing Director Steven Bernstein commented: “Greg’s appointment to this wider sector-focused role confirms our commitment to our strategy of sticking to what we are good at and what we are well known for. Greg’s deep knowledge of the sector and the firm’s capabilities presents us with an opportunity to build on already strong foundations and take us to the next level of growth for the firm.”

“I’m delighted that Ann has taken on the role of Head of the Real Estate Finance department. She has already proven to be a strong and capable leader and I look forward to seeing her consolidate our position as a real force in the Real Estate Finance market.”

Lawrence Stephens announces four Director promotions

Posted on: April 1st, 2025 by Natasha Cox

Leading full-service law firm, Lawrence Stephens, is pleased to announce the promotion of Asim Arshad, Anna Christou, Sarah Gallagher and Ausra Triantafyllidou to Director, effective from 1 April 2025.

These promotions follow a year of continuing growth for Lawrence Stephens in response to increasing client demand. Director numbers have increased from 28 to 45 and this 60% increase also includes lateral hires in key areas of growth as well as a team of eight Directors recently recruited from Memery Crystal.

Asim Arshad becomes a Director in the Disputes Resolution team, specialising in commercial litigation. In particular, Asim has extensive experience handling disputes involving crypto assets, including acting for individuals seeking to recover lost or stolen crypto assets. In addition to contentious matters, Asim’s work has included advising on cryptoasset regulation and compliance, token issuance, NFT projects, and acting for one of the industry’s leading mining platforms and token issuing entities
Anna Christou becomes a Director in the Real Estate Finance team. She joined Lawrence Stephens as a trainee solicitor in 2011. She currently acts for leading UK buy-to-let lenders, bridging lenders, challenger banks and building societies, dealing with both regulated and unregulated loans on commercial and residential property portfolios.
Sarah Gallagher becomes a Director in the Residential Real Estate team. She heads up Lawrence Stephens’ team of specialists in the new build sector. Her primary client base is formed of purchasers of both leasehold and freehold new build properties, inside and outside of the Greater London area and developers selling plots at a variety of developments. Whilst Sarah’s specialism is largely new build work, she also acts for those selling and purchasing residential properties of all varieties, including shared ownership, HNW and UHNW.
Ausra Triantafyllidou also becomes a Director in the Real Estate Finance team. She acts for a number of long-standing investors with large commercial, residential and mixed-use portfolios. Her primary focus is on secured lending transactions including investment and development finance matters. She advises clients on landlord and tenant matters including acquisitions, disposals, lettings, transfers of portfolios to corporate structures and finance transactions.

Steven Bernstein, Managing Director at Lawrence Stephens, commented: “With these four Director promotions, we are proud to be recognising growth from within our own people. We continue to demonstrate Lawrence Stephens’ growth in traditional sectors and expansion into emerging ones. Asim, Anna, Sarah and Ausra’s specialist expertise reflect the full-service approach we take at Lawrence Stephens, and how we are able to deliver the best outcomes for our clients.”

Lawrence Stephens Directors named in Spears’ Property Indices 2025

Posted on: March 20th, 2025 by Natasha Cox

Whether handling commercial properties, mixed-use developments or the most exclusive super-prime residences, the very best property lawyers are trusted by HNW clients to provide expert guidance throughout the often lengthy, intricate, and high-stakes process of buying, building, and selling real estate.

We are delighted to announce that Stephen Messias, Director in our Commercial Real Estate team, and Goli-Michelle Banan, Head of Residential Real Estate, have been named top property lawyers in Spears’ Property Indices 2025.

“The advisers selected for the Spear’s Property Lawyers Index 2025 demonstrate not only an extraordinary depth of knowledge but also an ability to navigate the evolving landscape of property law with skill and precision.”

To read the full list, click here

Expertise

Services

Sectors

International

News

News & Insights

About

Our Story

Communities