Germany: GandCrab Ransomware Extortionist Convicted

A state theatre in southern Germany, an internationally operating ransomware ring and a criminal trial in which courts suddenly have to dissect covert ransom negotiations, darknet chats and opaque payment flows – it all sounds more like a screenplay than a day in a regional courtroom.

What makes this case so compelling is that it forces a public institution to explain, under oath, how it managed to stay operational under acute digital extortion, and it exposes the practical roles that specialised cybercrime prosecutors, external IT contractors and potential ransom payments actually play. In doing so, the proceedings open a rare window onto a market that normally operates in the shadows and turn into a case study of how tightly technical, legal and political questions are intertwined whenever ransomware hits.

The curtain rises on a cyberattack

In late March 2019 several premieres are scheduled when the theatre’s IT suddenly collapses: workstations boot into dead screens, logins end on extortion messages and day-to-day operations are held together by a few analogue workarounds. Behind the incident, law enforcement sees an internationally active group using ransomware that is also blamed for a series of attacks on German companies and institutions. According to the indictment, the economic damage at the theatres alone reaches a high six-figure sum for restoring and hardening systems, plus a five-figure ransom demand that becomes a central piece of the court’s reconstruction.

The criminal proceedings are not about a single compromised server but about a pattern: 22 affected entities, several successful extortions, total damages in the millions and a defendant portrayed as part of a global cybercrime structure. The ransomware group linked to the case has appeared in international investigations for years and is associated with estimated losses in the hundreds of millions.

The invisible negotiator

What stands out is not that a cultural institution falls victim to ransomware – that has become routine – but how the crisis was defused. While the theatre saves its premiere under emergency conditions, an external IT contractor, whose origin no one now seems able to recall in detail, appears in the operations centre. He takes over the overnight negotiation with the extortionists in the darknet, the demand drops and the next morning working decryption keys are available. From the theatre’s point of view the problem is solved at that point; from the court’s point of view it only really starts here, because payment flows from ransom transactions are used to connect specific attacks to specific suspects.

Witnesses from the institution insist they themselves did not transfer any ransom and did not reimburse any expenses of the contractor. Whether investigators suggested, accompanied or even processed the payment themselves remains officially unanswered, with the authorities citing tactical reasons. The result is a picture in which public bodies move between operational necessity, political acceptability and criminal law, without fully clarifying who actually paid whom.

Criminal liability for ransomware – and for paying up

Under German law the deployment of ransomware is clearly criminal. The Federal Court of Justice has confirmed that encrypting system and user data with malware regularly amounts to computer sabotage and data manipulation, so that at least the provisions on data alteration and computer sabotage are fulfilled. In a classic extortion scenario this is accompanied by the offence of extortion itself, typically at least in its attempted form as soon as ransom is demanded. Given the division of labour within modern ransomware groups, additional implications arise from the law on criminal organisations, including liability for participation in a criminal organisation.

Things become more delicate when it comes to the question whether paying ransom can itself be a criminal offence. The legal debate focuses on three clusters: support of criminal organisations, terrorism financing and money laundering. While liability for supporting an organisation usually requires a fairly high threshold, money laundering has moved into the spotlight because ransom payments are assets stemming from predicate offences of extortion. German courts interpret the requirement that assets must “originate from” an offence broadly, so that even a loose causal link between the underlying crime and the funds can be enough to qualify the payment as a potential object of money laundering.

Academic commentary therefore asks under which conditions those in charge, acting under time pressure and severe business risk in an extortion scenario, might be criminally liable for money laundering, and whether justifications such as necessity can apply. Commentators widely reject a blanket denial of any justification; instead, what matters is a concrete balancing of imminent harm, available alternatives, the size of the loss and the weight of the structures being supported. For public bodies there is an additional layer, because budgetary rules and political accountability turn any payment decision into a highly sensitive act.

The quiet statistics of ransom payments

Publicly, almost every organisation insists it would “never pay”. The data suggest otherwise. Representative surveys by the digital industry association Bitkom indicate that in Germany roughly six out of ten companies have been affected by ransomware within a year; about one in eight of these victims reports having paid the demanded ransom. A more recent economy-wide security study concludes that overall about one in seven companies pays in extortion scenarios, sometimes transferring seven-figure sums. Ransomware has thus emerged as the dominant cyber threat in Germany, with sharply rising losses and a growing ecosystem of professional extortion groups.

International sector reports add another nuance: average ransom amounts have risen steeply, while globally the share of victims who actually pay appears to be stagnating or even declining. Pressure is therefore shifting from the frequency of payments towards their volume and towards the collateral costs of recovery, which often far exceed the ransom itself. Additional survey data show that a significant share of affected organisations restore from their own backups or regain access without paying, even though attackers increasingly attempt to corrupt backups and exfiltrate data as additional leverage.

Regarding the “success rate” of paid ransoms, serious studies paint a mixed picture. Many paying victims do receive working keys and regain access to their data, but documented cases of missing keys, defective decryption tools or secondary blackmail and data leaks despite payment are not rare. At the same time, organisations report severe operational disruption regardless of whether they paid; what really matters is resilience, backup strategy and the ability to keep core processes running in crisis mode.

What the Stuttgart case reveals – and what it does not

Against this backdrop the Stuttgart proceedings offer a rare look into an otherwise hidden market. They show that ransom payments – or at least very concrete payment plans – do play a role in practice, including in public institutions, and that investigators can and do use the resulting financial traces strategically to identify suspects. At the same time, the case illustrates how roles blur once external negotiators, IT contractors and law enforcement coordinate behind closed doors and no one is eager to state clearly whose funds were used and under whose mandate.

For companies and public bodies, there is an uncomfortable lesson: ransomware has long ceased to be a pure IT issue. It is a governance challenge that bundles criminal liability, management responsibility, political exposure and operational crisis management. Decision-makers in an acute extortion scenario operate in a space where criminal law, insurance conditions, regulatory requirements and public perception intersect – and where a reflex to “just pay” can be as risky as a categorical refusal without a robust contingency plan. In addition, anyone who later appears as a witness in criminal proceedings must be acutely aware that statements on payment flows may trigger their own exposure to criminal liability; even seemingly cooperative witnesses should never attend such hearings without independent legal counsel, regardless of whether they are “only” summoned as witnesses.

The proceedings also underline that Germany now has highly specialised prosecution offices for cybercrime that are demonstrably capable of achieving substantial investigative successes against international ransomware actors. For affected organisations this is a double message: on the one hand, investigative authorities can follow financial and technical traces across borders; on the other hand, this very investigative depth makes it all the more important to involve specialised defence and advisory counsel at an early stage, both for institutions under investigation and for individual staff called to testify.

In that sense, the Stuttgart trial illustrates one core point: the real currency in ransomware incidents is not the attackers’ crypto wallet, but the victim’s ability to remain operational. Preserving that ability requires clear answers long before the incident occurs: under what conditions will the organisation even consider paying, who is authorised to sit at the negotiation table, how are potential criminal law consequences assessed internally and how far should the state go in cooperating with extortionists in the name of investigative success. In Stuttgart these questions have reached the courtroom; most comparable cases will continue to be decided out of sight – and precisely for that reason, institutions would be well advised to prepare their legal and organisational responses before they ever see an extortion screen.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)