Please set up your API key!

The Rough Notes Company Inc.

Ransomware rampage

Ransomware rampage

Ransomware rampage
March 01
12:48 2022


Digested from case reports published online


Ransomware Rampage

G&G Oil purchased commercial insurance from Continental Western Insurance Company for the period of June 1, 2017, to June 1, 2018. The policy contained commercial crime coverage that provided:

… Computer Fraud

We will pay for loss or damage to “money,” “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

To a person (other than a “messenger” outside those “premises”; or

To a place outside those “premises”.

On November 17, 2017, G&G Oil discovered it was locked out of its computer systems. The company’s hard drives were encrypted, and one screen prompted: “To decrypt contact [email user]. Enter password.” G&G Oil learned that its operations had been halted by a ransomware attack. To decrypt the contents of its own hard drives, G&G Oil believed it would have to contact the person or entity responsible for the attack to regain access.

After consulting the Federal Bureau of Investigation and other experts, G&G Oil initiated contact with the hackers to negotiate the release of its servers. G&G Oil ultimately paid the requested ransom with four bitcoins valued at nearly $35,000. Thereafter, G&G Oil regained access to its computer systems.

G&G Oil submitted a claim for coverage of its losses under its policy with Continental Western. Continental denied the claim, concluding that computer hacking was “specifically excluded” from the policy because G&G Oil declined computer hacking and computer virus coverage in an “agribusiness property and income coverages” section of the policy. Further, Continental denied the claim because it believed the bitcoin was voluntarily transferred by G&G Oil to the computer hacker and therefore the hacker did not “transfer funds directly” from G&G Oil. G&G Oil then filed a complaint seeking judicial enforcement of the policy’s commercial crime provision.

G&G Oil filed a motion—and Continental a cross-motion—for summary judgment. The trial court first found that G&G Oil’s loss was not “fraudulently caused” but was instead the result of theft. Second, the court determined that G&G Oil’s payment to the hacker did not qualify as a loss “resulting directly from the use of a computer” under the policy and instead “was a voluntary payment to accomplish a necessary result.” Accordingly, the trial court granted summary judgment in favor of Continental. G&G Oil appealed.

On appeal, the court of appeals unanimously affirmed the trial court’s decision, determining that “the hijacker did not use a computer to fraudulently cause G&G to purchase bitcoin to pay as ransom” and that “[t]he hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the bitcoin.”

G&G Oil petitioned for transfer, which was granted, thereby vacating the court of appeals opinion.

G&G Oil raised the same issues on transfer as it did below: Whether the ransomware attack constituted “fraudulent” conduct under the terms of the Continental policy and whether its loss “result[ed] directly from the use of a computer.” G&G Oil answered both questions in the affirmative while Continental argued that the trial court and court of appeals properly applied principles of insurance contract interpretation to affirm its own decision to deny coverage.

According to the Supreme Court of Indiana, the term “fraudulently cause a transfer” can be reasonably understood as simply “to obtain by trick.”

Construing the evidence in the light most favorable to Continental, the court could not say with confidence that G&G Oil had designated reliable evidence to entitle it to summary judgment.

Nor, the court found, was summary judgment appropriate for Continental. The court believed there was a question as to whether G&G Oil’s computer systems were hacked by trick and that resolving this question in G&G Oil’s favor precluded summary judgment for Continental.

G&G Oil contended its loss resulted directly from the use of a computer under the terms of the policy because a computer was part and parcel of the entire scheme. Continental argued, and the trial court concluded, that G&G Oil’s voluntary transfer of bitcoin was an intervening cause that severed the causal chain of events.

Analyzing G&G Oil’s actions in this case, the supreme court said, its transfer of bitcoin was nearly the immediate result—without significant deviation—from the use of a computer. Though certainly G&G Oil’s transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The designated evidence indicated that G&G Oil’s operations were shut down and, without access to its computer files, it is reasonable to assume G&G Oil would have incurred even greater loss to its business and profitability. These payments were “voluntary” only in the sense that G&G Oil consciously made the payment. To the court, however, the payment more closely resembled one made under duress. Under those circumstances, the “voluntary” payment was not so remote that it broke the causal chain. Therefore the court found that G&G Oil’s losses “resulted directly from the use of a computer.”

Although G&G Oil’s losses resulted directly from the use of a computer, the court found that neither party was entitled to summary judgment. The supreme court therefore reversed the trial court’s grant of summary judgment in favor of Continental, affirmed its denial of G&G Oil’s motion for summary judgment, and remanded the matter for further proceedings.

G&G Oil of Indiana, Inc. v. Continental Western Insurance Company—Indiana Supreme Court—March 18, 2021—No. 20S-PL-617.

About Author

Jim Brooks

Jim Brooks

Related Articles






Philadelphia Let's Talk - Click Here

Spread The Word & Share This Page

Trending Tweets