Law and Ransomware – The Legal Perspective for Consumer and Enterprise


Cyberattacks have been rising steadily, and so has the number of hackers engaged in ransomware.

In these situations, cyber blackmailers extract sensitive data or encrypt important files and demand a payment in exchange for restoring access to the data.

Multiple organisations from diverse sectors have fallen prey to this. One of the biggest disadvantages is that the malware programs have a restricted lifespan, so the company’s files can be completely disrupted once the time limit passes. This makes it even tougher for organisations, as they have to act quickly while ensuring that the data is not compromised.

Some of the US laws that apply are listed here:

US Denial of Service Laws

• 18 USC – 1030(a)(5)(A): Transmission of program, information, code, or command resulting in damage.
• 18 USC – 1030(a)(5)(A)(ii-iii): Accessing a computer without authorization, resulting in damage.

US Extortion Laws
• 18 USC – 1030(a)(7): Transmitting with intent to extort, communication containing threat to cause damage.
• 18 USC – 875(b),(d) (HOBBS ACT): Transmitting with intent to extort, threat to kidnap or harm a person, or threat to injure a person’s property or harm a reputation.

US Internet Fraud / Piracy Laws
• 18 USC – 1030(a)(4): Accessing a computer to defraud and obtain something of value.
• 18 USC – 1028: Fraud in connection with identification documents and authentication features.
• 18 USC – 1343: Wire fraud.
• 15 USC – 6821: Fraudulent access to financial information.

US Unlawful Access Laws
• 18 USC – 2701: Unlawful access to stored communications.
• 18 USC – 1029: Access Device Fraud. This includes ten separate criminalized activities related to access devices.

Ransomware Trends:
When ransomware first appeared, it was usually sent as an attachment that infected the computer when opened. Of late, drive-by ransomware has become more common: users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window. Another new trend involves the ransom payment method.

While some of the earlier ransomware scams involved having victims pay “ransom” with pre-paid cards, victims are now increasingly asked to pay with Bitcoin, a decentralized virtual currency network that attracts criminals because of the anonymity the system offers. Ransomware that can also lock phones is a leading trend.

Measures to be taken by your organisation in case of a ransomware attack:

  • Activate the entity’s incident response plan and follow its requirements.
  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy.
  • Determine the origin of the incident and eradicate the ransomware or remediate vulnerabilities that permitted the ransomware attack and propagation.
  • Once business operations are restored, assistance from legal counsel must be sought. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection.

Further reading:
https://askwonder.com/q/everyone-would-agree-that-ransomware-is-illegal-but-is-it-are-there-laws-we-can-point-to-like-56cbde4d465c4e1a00e0b330
http://www.kentlaw.edu/faculty/rwarner/classes/cybercrime/federal.htm
https://www.us-cert.gov/ncas/alerts/TA16-091A
https://www.law.cornell.edu/uscode/text/18/1030