The State of California has enacted legislation specifically to criminalize the spread of ransomware. The new law, which came into effect on Jan. 1, 2017, allows law enforcement agencies to charge and convict hackers for ransomware offences, rather than under extortion laws, as they did previously.
The new law was introduced by Senator Bob Hertzberg (D-Van Nuys), and signed in September 2016. The felony charge carries a maximum sentence of four years in prison, the same as extortion, but broadens the scope under which charges are applicable. Introducing ransomware to any computer is now a crime in California, while under extortion statutes that initial act could have been insufficient to convict a hacker who did so.
As expected, ransomware became much more common in 2016. In the first three months of 2016, the FBI says $209 million in ransomware payments were made in America, compared to $25 million for all of 2015, according to a statement by Senator Hertzberg. Wyoming was the first state to write ransomware specifically into its criminal code, in 2014.
The statement also points out the difficulty of fully assessing the impact of ransomware, given that organizations are sometimes reluctant to admit having been victimized by it for fear of damage to their reputation. Also, hackers sometimes do not unlock computers even after the ransom is paid, and unlocking computers without paying it can require costly professional assistance.
The bill, SB 1137, was co-sponsored by Los Angeles County District Attorney Jackie Lacey and industry advocacy group TechNet.
“Extortion by ransomware is immensely costly and terrifying to victims whose data is held hostage,” Lacey said. “And when criminal hackers target hospitals, fire and rescue it threatens the public’s safety. SB 1137 has clarified California law to make sure that a criminal who infects computers or networks with ransomware can be prosecuted for extortion.”
The legislation has also been criticized as unnecessary, however.
“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” Brandon Perry, a senior consultant for NTT Com Security, told the Los Angeles Times when the legislation was being considered. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”
Careful protection of end-points, strong network protection and segmentation, and “the 3-2-1 backup rule” are among steps organizations can be educated about to better protect themselves.