Ransomware injunctions: 8 key learnings when anonymous cyber attackers don’t engage

Main takeaways

• The courts discourage blackmail to be rewarded.
• Evidence, evidence, evidence: ensure contemporaneous documentation and preserve relevant evidence from day one as they may be essential in seeking injunctions and orders.
• Ransomware victims can seek urgent injunctive relief from the court.
• Courts expect claimants to progress claims to conclusion: seeking interim injunctions is the start, not the end-game. Claimants are expected to bring an action to conclusion, such as filing a substantive claim and applying for a default or summary judgment down the line.
• Cyber attackers’ non-attendance will not hinder proceedings: the court will proceed if the defendant’s non-engagement is deliberate.
• Anonymity for corporate victims is possible but must be justified and necessary. General reputational impact itself is insufficient.
• Protecting third-party data is highly important: the court places significant weight on the presence of special category data and sensitive personal data.
• Alternative service is increasingly accepted.

Summary

ZAB v Persons Unknown (a high court judgment on 19 March 2026) related to the defendant’s apparent unlawful exfiltration, publication of exfiltrated information on the dark web and likely retention of the claimant’s data following ransom demands. The court granted the claimant continued anonymity to protect third parties and ensure blackmail was not encouraged or rewarded. It also extended an injunction restraining the defendant from using, publishing, communicating or disclosing the exfiltrated information. With regard to service, the court permitted time for service of the claimant’s application to be abridged and an alternative service method retrospectively.

Background

10 February 2026: the claimant received a ransom note in relation to the unlawful exfiltration. The claimant did not engage with the demands. 

16 February 2026: some exfiltrated information, including sensitive personal data, was released on the dark web. 

20 February 2026: the court made orders (see the next section) following a without notice hearing. 

The claimant then tried unsuccessfully to serve the court’s order, the application notice and the claim form by court-permitted alternative method of service. The claimant subsequently sent the documents via email, eliciting the defendant’s reply. The defendant did not otherwise engage with the claimant or comply with the injunctions. 

16 March 2026: the claimant sent the Particulars of Claim to the email address previously used. An application notice for the hearing was issued on the same day (less than 3 clear days before the hearing). 

19 March 2026: the return date hearing took place. The defendant did not attend the public hearing.

Court’s Order on 20 February 2026

The court made the following orders:

• It granted interim injunctions to restrict the defendant from using, publishing, communicating or disclosing the exfiltrated information;
• It ordered the defendant to deliver up and/or delete and/or destroy the exfiltrated information in its possession, custody or control;
• It ordered the defendant to provide a witness statement explaining compliance of the injunctions and details with regards to any disclosure to third parties;
• It ordered the defendant to provide their full names and address for service; and
• It granted the claimant anonymity.

Issues in the Hearing on 19 March 2026

The claimant sought:

1. time for service of the application (issued on 16 March) to be abridged;
2. an extension of the interim prohibitory injunction;
3. directions;
4. a continuation of the derogations from open justice; and
5. an order for retrospective permission for alternative service by a different method to that set out in the 20 February 2026 order.

Court’s Consideration and Rationale

• Proceeding in the defendant’s absence: the court has discretion to proceed in a defendant’s absence (CPR 23.11). The judge was satisfied that the defendant received the order of 20 February and was aware of the hearing on 19 March. The judge was also satisfied that the tests in relation to section 12(2) of the Human Rights Act 1998 were met though noting it was debatable as to whether the provision was engaged in these circumstances.

• Service:

  - Regarding issue (1), the court granted abridgement of time for service in accordance with CPR 23.7(4) on the basis that no prejudice was caused to the defendant who had not engaged with the proceedings and failed to comply with the injunctions.

  - With respect to issue (5), the court gave permission for retrospective alternative service under CPR 6.15(2) as the claimant had tried to serve documents using the method directed in the 20 February 2026 order but was unable to do so due to matters beyond its control. The court also found that the alternative method, the email, was likely to have come to the defendant’s attention in view of the defendant’s reply and it would likely be the same moving forward.

• Continuing the interim injunction: as for issue (2), on the basis that the claimant’s confidential information remained in the defendant’s unlawful possession and that the defendant had released some of the exfiltrated information on the dark web and not complied with the February court order, the court found that the American Cyanamid v Ethicon test was met; specifically, that the claimant had shown there was a serious issue to be tried, damages would not be adequate, and the balance of convenience plainly lay in the claimant’s favour. The court therefore found it necessary and justified to continue the interim injunction.
• Directions (issue 3)

The judge noted that in cases involving Persons Unknown, claimants are required to bring the action to a conclusion. 

The court granted directions for the claimant to:

- conclude the action, for example, applying for default judgment or summary judgment in the event that the defendant failed to serve a Defence in due course; and

- seek wider injunctive relief against any non-party served with the order.

• Derogations from the open justice (issue 4):

The court considered two derogations:

- Restrictions with respect to the defendant’s and third parties’ access to documents in relation to confidential schedules and exhibits and confidential witness statements. The court considered these restrictions to be appropriate. For the defendant, these restrictions would apply until it provided its name and address for service (which was included in the February order).

- Continued anonymity for the claimant. The Practice Guidance on Interim Non-Disclosure Orders confirmed open justice principles applied in the current context and derogations could only be justified in exceptional circumstances where strictly necessary. Established case law also indicates that named parties to litigation should generally be available. However, in the current case, the judge was satisfied that anonymity should remain in place to ensure that blackmail would not be encouraged or rewarded and to protect individual third parties and their sensitive personal data (the exfiltrated information likely included references to health conditions, religion and dates of birth). The court was also satisfied that the intrusion on open justice was no more than was necessary in the circumstances.

Court's Decision

The court granted the claimant’s application subject to certain amendments, including expressly stating the continuation of anonymity.