Legislation has yet to catch up with technology. Perhaps legislators will finally begin to understand that they have some power to actually protect consumers where new technologies are concerned. There is hope coming out of California where tech law is concerned.
State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.
The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.
Ransomware has become a lucrative industry over the last three years, affecting schools, police departments and healthcare businesses. Trojans that work like viruses, such as CryptoLocker — which began appearing in 2013 — can be unleashed by users with few technical skills and reel in profits.
Proponents say the proposed ransomware law is the right step to counter attacks that are difficult to prosecute under existing statutes, which are not tailored to combat computer crime. But some question just who will get caught in the dragnet, as such incidents are tough to trace and culprits are often overseas.
Victims nationwide lost more than $209 million in ransomware payments in the first three months of 2016 alone, compared with $25 million in all of 2015, according to the FBI.
But no arrests were made. Nor were arrests made in more than half a dozen ransomware incidents investigated by the Cyber Investigation Response Team of the Los Angeles County district attorney’s office, which is a co-sponsor of the bill.
Ransomware attacks are instigated when a person clicks on a compromised website or opens an infected email. The programs encrypt files, such as photographs, videos or documents, which then cannot be accessed without an encryption key.
Security researchers first saw similar attacks in 1989, when the so-called AIDS Trojan virus locked people out of their files if they clicked through a quiz about their sexual and drug habits. Ransomware has evolved over the last decade with the creation of “police screen lockers,” pop-up screens that appear to be created by law enforcement agencies that fraudulently order people to pay fines after accusing them of downloading pirated movies or child pornography.
At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.