Insurer pays ransomware demand, freezes account to reclaim later

In a legal first, a cyber insurer gets a UK court to freeze a bitcoin wallet associated with a ransomware payment.

frozen bitcoin circuits
KTSimage / Polygraphus / Getty Images

Ransomware continues to be a common attack method of cybercriminals across the world. According to a Malwarebytes report, the number of ransomware detections in business environments rose by 365% between Q2 2018 and Q2 2019. While not all infections see companies pay to get their data back, enough do so to make it worth the attacker’s time.

However, a UK insurance firm recently pulled a bait and switch on cybercriminals by paying a ransomware demand and subsequently getting the UK court to freeze a bitcoin wallet they had tracked their payment to. While this sets some new precedents in the UK – and perhaps a new option for insurers around recovering assets – does it reduce the attractiveness of ransomware to cybercriminals?

Insurers pay ransom, track and freeze the account

According to public documents from the case, AA v Persons Unknown & Ors, Re Bitcoin [2019], in October 2019 a Canadian insurance company was infected with a ransomware malware known as BitPaymer – often associated with targeted attacks and high-ransom demands – resulting in the company’s computer systems being encrypted. The initial ransom demand was $1.2 million to be paid in bitcoins, though this figure was later negotiated down to $950,000.

The Canadian company’s insurance provider, located in the UK, agreed to pay this figure. After paying the fee to the account as instructed, the attacker provided the decryption tool. The company then decrypted its 20 servers and 1,000 desktop computers, which were available five and ten days later, respectively.

So far, so normal. However, upon paying the ransom, the UK insurer employed Chainalysis, Inc, a blockchain investigations firm, to track the payment. Ninety-six bitcoins (worth approximately $860,000 at the time) from the tracked account were sent to a bitcoin wallet address linked to the Bitfinex public cryptocurrency exchange.

The insurers then applied to the UK courts to have the wallet in question frozen by Bitfinix. In January 2020, the court granted a proprietary injunction requiring Bitfinex to freeze the wallet and prevent any transactions to occur regarding that account. The company affected by the ransomware has their files back and the insurance company has an opportunity to recover the ransom payment from the frozen wallet. The court order also required Bitfinex to provide the know-your-customer (KYC) anti-money laundering information for the account associated with the address.

“Bitfinex has robust systems in place to allow it to assist law enforcement authorities and litigants in cases such as this,” the company said in a statement. “In this case we have assisted the claimant to trace the stolen bitcoin and we understand the focus of the claimant’s attention is no longer on the Bitfinex platform. It now appears Bitfinex is an entirely innocent party mixed up in this wrongdoing.”

A new option for cyber insurance providers?

Susan Hopcraft, partner at the dispute resolution group Wright Hassall, says this move was important in establishing new norms around Bitcoin and criminality in the UK. “This is an important decision in establishing that the UK is not a safe haven for cyber-fraudsters and the strongest message to send that anyone trying to retain ill-gotten gains in England will face difficulties. The insurance company is keeping its identity secret, yet it should be applauded for responding to the claim first and then by snaring the ransom back.”

Anyone who wants to stop monies moving out of an account can apply for a freezing injunction if they can show evidence the account was involved in criminal activity. The UK Jurisdiction Taskforce recently clarified that crypto-assets can be judged as property in UK law, which likely means as well as being frozen the UK court will likely be able to judge that they can be reclaimed.

“In this case the insurance company had used investigators to trace the bitcoins and the outcome of that search was the basis for the application to restrain the bitcoins,” says Hopcraft. “It also established that bitcoins are property capable of being injuncted and sets a good precedent to freeze bitcoin wallets that contain proceeds of crime.”

As with any efforts to recover stolen assets, speed is imperative. While Hopcraft says entitlement to the cryptocurrency is for a later date, the essential move was to secure the cryptocurrency assets before they were moved beyond the reach of this injunction. The court case was heard in private, which is unusual, but helped ensure the bitcoins were not moved before the injunction took effect and to prevent further targeting by criminals. 

“The insurance company did well to get to court before the fraudsters realised the cryptocurrency had been located,” says Hopcraft. “The long-term effect might be that attackers prefer to divert their ransoms through other jurisdictions, and it is important that courts in those other jurisdictions cooperate to allow freezing injunctions when assets are located.”

A costly mistake for the cybercriminal

The freezing of extorted funds was only made possible because investigators were able to trace the cryptocurrencies movements to a legitimate exchange with public business information. Tyler Moffitt, security analyst at Webroot, says that this was likely an isolated mistake as criminals normally only use exchanges like Bitfinex at the last minute to quickly cash out cryptocurrencies into “fiat” currencies such as dollars rather than hold funds there for any length of time.

“This can be summed up as a mistake by the criminal…and a (lucky) win by the insurance company for swiftly identifying the exchange address with the help of Chainalysis,” he says. “This was just very foolish on the criminal’s part to store such a large amount of bitcoin on an exchange that deals with fiat and are in complete control of the private keys.”

Moffitt adds that this kind of news will probably not make criminals think twice about targeting UK companies or companies with UK insurance firms. “If scenarios like this one start to become a trend, then we will likely see an increase in criminals transferring their [cryptocurrencies] to exchanges that don't trade fiat and therefore have no rules or compliance. From there, they will trade their bitcoin immediately into a privacy coin like Monero (XMR) or Zcash (ZEC) that have no public ledger and prevent firms like Chainalysis from finding out where the criminals send their crypto when they do ultimately cash out.”

Business as usual for the cybercriminals

While this decision might open new avenues for how insurance firms deal with ransomware, for the cybercriminals this likely makes little difference. “Ransomware creators are quick to evolve and this will be a minor bump in the road for them,” says Ed Williams, EMEA director at Trustwave’s SpiderLabs. “We also know that bitcoin isn’t the only player in this market. [Cybercriminals] will, therefore, without too much trouble move to an alternative and continue with business as usual.”

He adds that given that new ransomware strains such as Zeppelin Maze and REvil (a.k.a. Sodinokibi) also have data-stealing capabilities, criminals have revenue streams beyond collecting ransoms.

Webroot’s Moffitt also warns that in scenarios where accounts are frozen, criminals might be more likely to leak any high profile or customer data they gathered before encrypting the network.


Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)