Ransomware incident response and the legal position of private actors

Ransomware is a form of cybercrime in which data are encrypted or copied and a ransom is demanded in exchange for restoring access or preventing publication. In the Netherlands, Project Melissa brings together the Public Prosecution Service, the police cybercrime team, the National Cyber Security Centre (NCSC), Cyberveilig Nederland and private cybersecurity firms. Within this collaboration, private incident response (PIR) firms are often engaged at an early stage to analyse and mitigate incidents. In doing so, they may identify elements of the attackers’ infrastructure, such as exfiltration servers that store data from one or more victims and may reveal ongoing attacks against third parties.

This study, carried out in the context of Project Melissa in cooperation with Cyberveilig Nederland, examines the legal framework governing such activities by PIR firms. Under Dutch criminal procedure law, only the police are authorised, under specific conditions, to gain covert remote access to computer systems. The report analyses whether private actors may lawfully access attackers’ infrastructure, for example to warn other organisations or to retrieve data, and concludes that current criminal and administrative law does not provide a clear legal basis for these actions and that they may fall within the scope of criminal prohibitions. The study outlines several possible directions for adjusting the framework, with a view to clarifying the position of PIR firms in ransomware incident response.
