Criminal Lawyers in Ransomware & Damages Defense

Technical defense in computer sabotage crimes (Art. 264 CP). Data encryption, botnets, and liability attribution

Last updated: 11 June 2026

Expertise in Ransomware and Damage Crimes

The ransomware and computer-damage offences, regulated in Arts. 264 to 264 quater of the Spanish Criminal Code, protect the integrity and availability of computer systems and data. After the reform operated by Organic Law 1/2015 in compliance with Directive 2013/40/EU on attacks against information systems, the Criminal Code articulates a gradual system: Art. 264 CP sanctions damage to computer data; Art. 264 bis CP, damage to the operation of computer systems (including denial-of-service attacks); Art. 264 ter CP, the production, acquisition or facilitation of attack tools; and Art. 264 quater CP, the criminal liability of the legal entity. Consolidated case-law has precisified the contours of the type, especially in double-extortion cases (encryption + threat of publication) and forensic attribution. As criminal lawyers specialising in cybercrime, we articulate defence with certified forensic computer expertise.

The typical modalities cover an increasingly sophisticated catalogue. Classic ransomware: massive file encryption through malware (LockBit, BlackCat, REvil, Conti) and ransom demand in cryptocurrencies to deliver the decryption key. Double-extortion ransomware: in addition to encryption, prior exfiltration of sensitive data and threat of publication on the dark web. Triple extortion: incorporating DDoS attacks against the victim's public domain and coercive notification to their customers. DDoS attacks (distributed denial of service) deployed from botnets composed of thousands of infected zombie devices. Cryptojacking: clandestine cryptocurrency mining using victim resources. Wiping: destructive data erasure without economic intent (frequently linked to hacktivism or geopolitical conflicts). And the distribution of wipers or logic bombs inserted in source code or software updates.

The penalties are severe due to the usual real concurrence. The basic type under Art. 264.1 CP (damage to computer data) sanctions with prison from 6 months to 3 years. When specific aggravating factors concur (Art. 264.2 CP: acts of special severity, systematic or lucrative conduct, harm to critical infrastructures), penalties rise to 2-5 years' prison; and, in extraordinary cases, to 6 years. Art. 264 bis CP (damage to system operation) has an analogous regime. The concurrence with extortion (Art. 243 CP) in ransomware cases adds 1-5 years' prison. Double extortion further activates the types of Art. 197 CP (revelation of secrets), with prison up to 5 years. For companies, Art. 264 quater CP provides criminal liability of the legal entity with fines exceeding one million euros, complemented by GDPR administrative liability with fines up to EUR 20 million or 4% of annual global turnover.

The technical defence articulates several complementary lines. First, the alternative forensic attribution: in DDoS or ransomware investigations, the client's IP may appear in logs without implying material authorship; technical expertise certifies that the device was infected, part of a botnet (Mirai, Mozi) or impersonated by IP spoofing, neutralising the charge. Second, the absence of intent: the client was unaware of the unlawful nature of the tool used, or believed they were carrying out authorised pentesting. Third, the challenge to the digital chain of custody: many police reports lack cryptographic hash, time-stamping and adequate forensic traceability of logs, ransom messages and malware samples, opening avenues of evidentiary nullity. Fourth, when representing the corporate victim, we articulate the GDPR notification to the AEPD within 72 hours, the cyber-insurance claim, negotiation management with the attackers (without recommending ransom payment as a general rule) and coordinated civil and criminal procedural articulation.

In current forensic practice we observe exponential growth in ransomware and computer-damage proceedings, especially linked to attacks against hospitals, city councils and universities, critical energy and transport infrastructures, SMEs with low cyber hygiene, and supply chains (SolarWinds, Kaseya-type supply-chain attacks). Directive NIS2 (EU 2022/2555) on cybersecurity, Regulation DORA EU 2022/2554 on financial-sector digital operational resilience, Regulation RCE EU 2022/2557 on critical-entity resilience, the Cyber Resilience Act EU 2024/2847 on digital devices, Organic Law 1/2025 on Justice Service Efficiency and the EU GDPR 2016/679 have transformed the regulatory framework. At Alonso Sala, we tackle each file with a multidisciplinary criminal-administrative-cybersecurity team: certified forensic experts (CISSP, GCFA, OSCP), coordinated management with INCIBE and the AEPD, urgent procedural articulation and, where appropriate, discreet negotiation with the incident actors.

Ransomware Defense Services

Our ransomware and damage crime specialists orchestrate the defense through advanced forensic computer expert reports, disassociating clients whose devices were instrumentalized through botnets.

Attribution Defense

The difficulty for the prosecution is proving who launched the attack. Attacks usually come from globally distributed zombie computer networks (botnets). If the client's IP appears in the logs, we defend that their computer was just another victim of the botnet, used as a gateway by the real criminals, and not the origin of the attack.

lock_clock

Why Alonso Sala for Ransomware?

Computer damage and ransomware. Forensic attribution expert and instrumentalized victims defense

securityForensic computer expert: botnet analysis for involuntary instrumentalization defense.
securityAEPD notification experience (72h) to avoid administrative sanctions.
securityClaims on cyber insurance policies: extortion and data recovery coverage.
securityDDoS defense: IP doesn't prove authorship (traffic pattern correlation insufficient).

Guide to Property Crimes in Spain: Defense Strategies

Property crimes (Crimes Against Assets) are regulated in Title XIII of the Spanish Criminal Code (Art. 234-304). These offenses range from petty theft to complex economic fraud, with penalties varying greatly depending on the amount involved, the method used, and any aggravating circumstances.

Key Distinctions: Theft, Robbery, and Fraud

Offense	Article	Key Element	Basic Penalty
Minor Theft (Hurto leve)	Art. 234.2	<400€, no force	Fine 1-3 months
Theft (Hurto)	Art. 234.1	>400€, no force	6 months – 18 months
Aggravated Theft (Art. 235)	Art. 235	Special items/multi-recidivist	1 – 3 years
Robbery with Force	Art. 240	Breaking in/tools	1 – 3 years
Robbery with Violence	Art. 242	Direct threat/intimidation	2 – 5 years
Fraud (Estafa)	Art. 249	Deception + financial harm	6 months – 3 years

Main Defense Strategies in Property Crimes

Challenge the Animus Lucrandi

Demonstrate that the accused had no intent to profit — a valid defense in alleged theft cases.

Contest Valuation

Dispute how the value of the stolen item was assessed. Below €400 = minor offense with much lower penalties.

Prior Consent or Ownership Claim

In disputes between acquaintances, prove the accused believed they had a right to the item.

Recidivism Analysis

Many aggravated theft charges rely on prior criminal record. Challenge the computation of prior offenses.

Chain of Custody (Receiving Stolen Goods)

Challenge the prosecution's evidence that the accused knew the items were stolen.

Error of Type Defense (Fraud)

In commercial fraud cases, demonstrate that the accused genuinely believed their representations were true.

Critical: Time Limits for Evidence

In property crimes, digital evidence (CCTV footage, mobile location data) is often deleted within 30 days. Contacting a specialist lawyer immediately after arrest or charge is essential to preserve exculpatory evidence.

quiz

FAQs

Should I pay the ransom?expand_more

The police recommendation is NEVER to pay. Paying finances organized crime, does not guarantee you'll get your data back (they may ask for more), and marks you as a victim willing to pay for future attacks. The solution is prevention: backups.

Does my insurance cover the cyberattack?expand_more

It depends on your policy. Specific cyber policies may cover the cost of extortion and data recovery, but general civil liability insurance usually excludes it. It is vital to review the fine print.

Is it a crime not to report the attack to the AEPD?expand_more

If the ransomware has resulted in a 'personal data security breach' (e.g., customer data has been stolen), you have 72 hours to notify the Spanish Data Protection Agency. Failure to do so carries very serious administrative fines.

If my computer was used for an attack, how do I defend myself?expand_more

Our defense is based on a computer expert report showing that your device was infected with a Trojan or was part of a 'botnet' (network of zombie computers). This makes you an instrumentalized victim, not the perpetrator of the crime.

What is a DDoS attack?expand_more

It's a 'Distributed Denial of Service' attack. It doesn't seek to steal data, but to take down a website or server by bombarding it with thousands of requests from a botnet. It is a crime of computer damage (Art. 264 bis CP).

What is the penalty for a computer damage crime?expand_more

Imprisonment from 6 months to 3 years. If serious damage is caused or critical infrastructure is affected, the penalty can increase to 6 years in prison.

Is paying a ransomware ransom illegal?expand_more

Paying is not illegal, but it is discouraged. It does not guarantee data recovery, it finances criminal activity, and it can create problems under anti-money-laundering rules if paid in cryptocurrency to sanctioned entities.

Does a company hit by ransomware have a duty to notify?expand_more

Yes. Under the GDPR, if the attack compromised personal data, the company must notify the AEPD within 72 hours and, if the risk is high, also the affected individuals.

Can computer damage caused by ransomware be quantified?expand_more

Yes. It includes: incident response costs, lost profits due to downtime, system restoration costs, any ransom paid, regulatory penalties and reputational damage.

Does cyber insurance cover ransomware attacks?expand_more

Many cyber-risk policies cover ransomware damage, including incident response, business interruption losses and, in some cases, the ransom payment itself.

Looking for a Ransomware & Damages Defense Lawyer in Spain?

As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Ransomware & Damages Defense case with the urgency and technical rigor it requires from day one.

We also serve

Madrid Alicante Marbella Seville Málaga Bilbao Zaragoza

View all locations →

listTable of Contents

shieldClaves de la Defensa: Ransomware & Damages Defense

Forensic Attribution

Expert: device victim of botnet, not attack origin (IP insufficient).

Involuntary Infection

Trojan without user knowledge/control = instrumentalization.

AEPD (72h)

Notify personal data breach or serious administrative fines.

gavelElementos del Delito

check_circleRansomware:Data encryption for extortion (damage Art. 264 + extortion 243).
check_circleDDoS:Distributed denial of service (botnet) - computer damage.
check_circleDouble Extortion:Encrypt + threaten to publish stolen data (aggravated).

gavelConsecuencias Penales

Prison 6m-3 years

Basic computer damage (Art. 264 bis).

Up to 6 years

Critical infrastructures or serious economic damage.

Extortion

If ransom demanded: +extortion Art. 243 (penalty accumulation).

call

Ransomware Victim or Accused?

Forensic attribution defense. Botnet expert for involuntary instrumentalization. AEPD notification.

Contact Nowarrow_forward

linkDelitos Relacionados

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.

Contact Alonso Sala

Call: +34 91 078 65 74