Judge Orders $2.8 Million in Restitution for Ransomware Victims

An Ontario Court has ordered a convicted cybercriminal to pay $2.8 million in restitution to eight victims of ransomware attacks, illustrating how costly these attacks can be to organizations across Canada and creating a glimmer of hope that some of these significant costs could be recoverable.

Earlier this year, the Ontario Court of Justice sentenced a man who pleaded guilty to carrying out ransomware attacks against 17 Canadian entities to seven years in prison. The Court also ordered the defendant to pay millions of dollars in restitution to eight of his victims.

Stolen Data “Would Fill an Entire Hockey Arena”

The defendant in this case was an affiliate of the Netwalker ransomware gang who allegedly received more than US$15 million in ransomware payments from victims around the world, according to information the RCMP received from the FBI.

The decision noted that the RCMP seized 20 terabytes of victims’ data from the defendant in January 2021. “I was told that the data seized from the Defendant, if printed, would fill an entire hockey arena,” Justice G.P. Renwick wrote in his decision.

Attacks Proved Lucrative for Defendant

Police also seized $640,000 in cash from the defendant’s home and $420,941 from his bank accounts, indicating he had more than $1 million in liquid assets when the RCMP executed its search warrants in January of last year.

The defendant admitted that more than 1,200 Bitcoins related to his Netwalker activities passed through his e-wallet, and the entirety of his ransomware activities involved more than 2,000 Bitcoins. The RCMP seized more than 700 Bitcoins from the defendant’s digital wallets and accounts.

Victims Suffered Reputational and Operational Harm

The Court ordered the defendant to pay $2.8 million in restitution to eight victims in amounts ranging from $2,500 to $999,239. The decision noted that the defendant’s ransomware attacks resulted in far more than financial losses for the victims.

“Victims suffered commercial, reputational, and operational harm; these offences caused other unquantifiable losses to the victims in terms of time, productivity, and resources dedicated to replacing/reinforcing security measures to prevent similar attacks,” Justice Renwick wrote.

The Court added that in some cases where victims refused to pay a ransom, their data was leaked, “causing untold further harm.”

What Can Organizations Do to Prevent Attacks?

As we’ve discussed in recent blogs, ransomware attacks are becoming increasingly “professional” – not to mention costly. The average ransomware attack in Canada cost victims close to half a million dollars last year. And as Justice Renwick pointed out, the cost to a victim organization’s reputation and operations is often unquantifiable.

What Can Organizations Do to Respond to Attacks?

In addition to being prepared for an attack, engaging the right incident response team will help your organization respond to an attack appropriately and effectively and minimize related risks. Among other things, your response team will help you determine what notifications are required or may be helpful to minimize risks relating to the attack. Working with law enforcement can be an important part of incident response and, hopefully, will also increasingly be part of a recovery strategy for losses, as in this case. The Canadian Centre for Cyber Security provides more information and other avenues for reporting cyber incidents.

The MLT Aikins Privacy, Data Protection & Cybersecurity team has extensive experience helping clients develop effective strategies to prevent and respond to ransomware attacks. Download our cybersecurity checklist to assess your organization’s current cybersecurity strategy.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.