Ransomware-hit law firm gets court order asking crooks not to publish the data they stole

A barristers’ chambers hit by a ransomware attack has responded by getting a court order demanding the criminals do not share stolen data.

4 New Square chambers, which counts IT dispute experts among its ranks, obtained a privacy injunction from the High Court at the end of June against “person or persons unknown” who were “blackmailing” the firm.

Those persons were said to be “responsible for engaging in a cyber-attack on [the barristers] on or about 12 June 2021 and/or who is threatening to release the information thereby obtained.”

Trade mag The Lawyer reported the ransomware attack but the obtaining of an injunction against people outside the jurisdiction of the English courts seems strange.

Handed down by Mrs Justice Steyn, the injunction orders the ransomware criminals not to “use, publish or communicate or disclose to any other person” any of the (unspecified) data they stole in June. No data from 4 New Square appears to have been published on the known ransomware gangs’ Tor-hosted leak blogs, though the injunction return date is this Friday (9 July).

Ransomware, as Reg readers know, is malicious software that encrypts targeted networks before its operators send a demand for money in exchange for the decryption utility. So-called double-extortion ransomware, currently the dominant model, demands a second ransom in return for not publishing or sharing data stolen during the initial attack.

Plenty of public domain information points to the criminals operating ransomware scams being based in places such as Russia, North Korea, Iran, and so on – in short, countries that don’t tend to enforce English court orders.

We have asked 4 New Square’s CEO about the firm’s reasoning for getting the order and will update this article if we hear back from her. It seems odd to get a piece of paper asking foreign criminals not to “publish data stolen from us” when that is how they do their business.

It is very difficult to see what effect, if any, a civil non-disclosure order will have on a ransomware gang potentially based in a hostile foreign country – especially when such criminals attack multiple countries’ critical national infrastructure with apparent impunity.

Recent examples include the US Colonial Pipeline hack, where the Russian-speaking Darkside ransomware gang triggered a full-scale US law enforcement and diplomatic response and yet are still walking free; the WizardSpider crew who deployed Conti ransomware into Ireland’s Health Service Executive, causing hospitals to grind to a halt while staff fumbled to set up paper-based fallback processes; and US Department of Defence nuclear contractor Sol Oriens, targeted by the REvil ransomware crew.

So far the nearest anyone has got to arresting a ransomware criminal are Ukraine’s cyber-cops who with the help of South Korean officials and Interpol, busted and charged half a dozen suspects in June who they alleged were linked to the Clop gang’s money-laundering efforts.

While we would love to report that a civil court in London has achieved what criminal law enforcement agencies from the entire western world couldn’t, we won’t be holding our breath. ®

READ MORE HERE