Indiana Court of Appeals: Ransomware Attack Is Not “Computer Fraud”

Businesses and government agencies are increasingly at risk for ransomware attacks. The U.S. Cybersecurity & Infrastructure Agency (CISA) broadly defines ransomware as any "malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid." Attackers commonly demand ransom in the form of blockchain-based cryptocurrencies, such as Bitcoin, because it is "fast, reliable, and verifiable," according to a 2016 blog post by Peter Van Valkenburgh, director of research at the non-profit Coin Center.

Valenburgh noted that Bitcoin allows a ransomware attacker to "simply watch the public blockchain to know if and when a victim has paid up; she can even make a unique payment address for each victim and automate the process of unlocking their files upon a confirmed bitcoin transaction to that unique address."

Oil Company Purchases $35,000 in Bitcoin to Regain Access to Encrypted Servers

But does demanding a ransom in the form of Bitcoin qualify as "computer fraud"? Indiana’s intermediate state appellate court recently confronted this question. The case before the court, G&G Oil Co. v. Continental Western Insurance Company, dealt with the aftermath of a successful November 2017 ransomware attack. The plaintiff, G&G Oil Company, Inc. received a ransomware demand after being locked out of its servers by an unknown attacker. As explained in court documents, the attacker "gained access to G&G’s computer network, encrypted its servers and most workstations, and password protected its drives."

The attacker initially demanded a random of 3 bitcoins. G&G paid the ransom. The attacker then demanded 1 additional Bitcoin before they would send G&G the necessary passwords to regain access to its servers. Again, G&G complied, and this time the attacker released the passwords. G&G ultimately paid approximately $35,000 to purchase the four-Bitcoin ransom.

G&G subsequently filed a claim with its commercial liability insurer, Continental Western, Group, to recover its losses related to the ransomware attack. G&G’s policy specifically covered acts of "computer fraud," which its policy defined as any "loss of or damages to [property] … resulting directly from the use of any computer to fraudulently cause a transfer of that property" to someone outside of the company’s premises or bank. Continental Western rejected the claim, however, stating ransomware attacks were covered by separate "computer virus and hacking" coverage that G&G had previously declined to purchase.

As you probably guessed, G&G responded to the insurance company’s denial by filing a lawsuit. The company asked a judge in Marion County, Illinois, to order Continental Western to indemnify it against the losses from the ransomware attack. The judge sided with the insurance company, however, finding that the attacker’s actions, while "devious, tortious, and criminal," did not actually constitute "fraud," which was what the insurance policy required for coverage.

Attacker Acted Illegally, But Did Not Engage in "Deception"

G&G appealed the judge’s ruling to the Indiana Court of Appeals. On March 31, 2020, the appeals court issued an opinion affirming the trial judge’s decision to grant summary judgment to Continental Western (i.e., dismissing G&G’s lawsuit). The Court decided the case without first conducting an in-person oral argument, which was originally scheduled but later canceled due to the COVID-19 pandemic.

Writing for the Court of Appeals, Judge Paul D. Mathias said that as defined by the dictionary, fraud is the "intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right." For example, posing as a customer to transfer money out of their bank account is clearly fraud. But this was not a case where the attacker took G&G’s money without its consent. Indeed, Judge Mathias noted the attacker "did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin."