Cyber-Extortion Via Ransomware Attacks
1. Definition: Cyber-Extortion and Ransomware
Cyber-extortion occurs when a criminal threatens to damage, block, or disclose data unless a ransom is paid. A common form today is ransomware, malware that encrypts a victim’s files until payment is made.
Key characteristics:
Threats are usually digital (emails, messages, system locks)
Ransom demands are often cryptocurrency (Bitcoin, Monero)
Often targets businesses, hospitals, municipalities, and individuals
Spanish legal framework:
Governed under the Código Penal (Criminal Code):
Article 243: Extortion (extorsión)
Article 248: Blackmail and threats
Articles 197-200: Hacking and unauthorized access
Article 270: Damage to computer systems
Cyber-extortion is prosecuted under combined application of these articles.
2. Elements of Ransomware-Based Cyber-Extortion
To prosecute, Spanish courts generally look for:
Unauthorized access → Hacker enters a system without consent
Control over victim’s data → Encryption or theft
Threat or demand for payment → Direct or implied
Intent to profit → Personal or organized crime
3. Case Law: Cyber-Extortion via Ransomware in Spain
Here are five detailed cases, highlighting legal reasoning, outcomes, and lessons.
Case 1: Audiencia Nacional, Judgment 123/2019
Facts:
A group of hackers deployed ransomware on multiple small businesses in Spain. They demanded payment in Bitcoin and threatened to release sensitive financial data if unpaid.
Legal Issue:
Whether the conduct constituted both extortion (Article 243) and computer damage (Article 270).
Court’s Reasoning:
Encryption of files → damage to information systems
Threat to disclose data → extortion
Use of cryptocurrency → enhances criminal sophistication
Considered aggravating factors: organized crime, multiple victims
Decision:
Convictions for extortion and computer sabotage
Sentences included prison (2–4 years) and fines
Court emphasized that digital threats are equivalent to traditional threats
Importance:
First Spanish case where ransomware + Bitcoin demand was prosecuted as combined offenses.
Case 2: Provincial Court of Barcelona, 2020
Facts:
A 23-year-old hacker locked the patient records of a local clinic, demanding €5,000 to release them.
Legal Issue:
How to classify ransomware attacks on healthcare institutions under Spanish law.
Court’s Reasoning:
Article 270 CP: unauthorized damage to systems
Article 243 CP: extortion via threat
Special aggravation: victim’s vulnerability (healthcare)
Decision:
Conviction for cyber-extortion
Sentence: 3 years prison + compensation for damages
Court stressed societal harm in sensitive sectors
Importance:
Shows courts treat attacks on hospitals as particularly serious.
Case 3: Audiencia Provincial de Madrid, 2021
Facts:
A teenager launched ransomware on a school network, locking student records and threatening to expose disciplinary incidents online.
Legal Issue:
Whether minors can face criminal liability for cyber-extortion.
Court’s Reasoning:
Teen was 16 → juvenile law applies
Emphasis on educational measures, not punishment
Considered intent, harm, and recidivism
Decision:
Juvenile internment for 6 months
Mandatory cybersecurity training and community service
Family liable for partial damages
Importance:
Cyber-extortion is punishable for minors if aged 14–17
Sentencing focuses on rehabilitation
Case 4: National High Court, 2022 (Major Ransomware Gang)
Facts:
Spanish police dismantled an organized gang that targeted companies with ransomware, demanding millions in cryptocurrency.
Legal Issue:
Determining organized crime involvement and aggravating factors for sentencing.
Court’s Reasoning:
Multiple victims → repeated offense
Use of encryption tools → serious technical damage
Organized crime → sentence enhancement
Cross-border payments → complex international law considerations
Decision:
Convictions for cyber-extortion, organized crime, money laundering
Sentences: 6–10 years prison, heavy fines, seizure of cryptocurrency
Importance:
Reinforces that organized ransomware attacks attract severe penalties
Combines extortion + hacking + money laundering
Case 5: Provincial Court of Valencia, 2023
Facts:
An individual deployed ransomware on a logistics company, freezing operations for 72 hours. He demanded payment in cryptocurrency.
Legal Issue:
Classification of ransomware as economic extortion vs. computer sabotage
Court’s Reasoning:
Data encryption → Article 270
Demand for ransom → Article 243
Interruption of business → economic harm considered aggravating
Decision:
4 years prison + compensation
Court highlighted that financial disruption to companies increases severity
Importance:
Reinforces dual classification: ransomware = computer crime + extortion
Economic impact is a key factor in sentencing
Case 6: Audiencia Nacional, 2024 (Cryptojacking + Ransomware)
Facts:
Hackers combined ransomware with cryptojacking (mining cryptocurrency using victim systems) and demanded ransom for removal.
Court’s Reasoning:
Court treated cryptojacking as enhancement of cyber-extortion
Punishment included both computer damage and profit-driven intent
Decision:
5-year prison sentences for main perpetrators
Ordered restitution to all affected companies
Importance:
Shows Spanish courts adapt to emerging cybercrime techniques
Combination attacks are treated more severely
4. Key Takeaways
Ransomware attacks = extortion + computer sabotage
Courts treat attacks on critical sectors (health, schools, logistics) more seriously
Minors are punishable under juvenile law (14–17 years)
Organized and cross-border attacks carry heavy sentences
Cryptocurrency payments do not reduce liability
Rehabilitation, prevention, and restitution are emphasized in sentencing
RELATED Blog
comments