Ransomware: What is it and what are the relevant laws?

In general, ransomware is a type of malware (i.e., malicious software) that is designed to take control of an electronic communication device, prevent its owner from accessing the electronic communication device, notify its owner that the electronic communication device has been held ransom, demand payment from the owner, and return access to electronic communication device after payment. There have been many instances of ransomware attacks when the hackers have taken control of a company’s servers and prevented its employees from accessing the network and database servers. The hackers would notify the employees by email and demand payment of funds in order to return access to their computers. Now, in some instances, a payment was necessary, but in some exceptional cases the company owners can have an advantage over the hackers and not be required to transfer the funds.

There are several types of ransomware. First, there are applications that fall under the category of scareware and intended to create fear for the recipients and force them to purchase unnecessary software. Second, there is prankware which is intended to cause fear by sending unanticipated pictures, sounds, or videos. For example, NightMare was a type of prankware that would remain dormant on the recipient’s computer and launch itself by changing the computer screen to a skull and playing a loud noise. Third, there is a group of crypto-ransomware named as GPCode or PGPCoder that claims to use PGP encryption to prevent file access. So, in other words, it’s a virus that encrypts files on the infected computer and demands a ransom to release access to the encrypted files. The hackers have been able to become more effective with their tools. The new generation of this type of ransomware denies user access to files by writing encrypted files to a new location and deleting the original file. However, this strategy was ineffective since a file restoration would allow the victim to recover the files. Fourth, CryptoLocker became the new generation of ransomware. It shares similar distribution models of previous ransomware variants and relied on phishing attacks with portable executable attachments. It would install itself on the user’s profile folder and add a registry key to run on startup to maintain persistence. Then, it would start to communicate with the command and control server to generate an RSA-2048 key pair and send the public key to the victim host.

What are the relevant laws?

The transfer of any kind of malicious software (a/k/a “malware”) is against the law in many jurisdictions. So, there are state and federal laws that prohibit these actions. In California, Senate Bill 1137, which amended Penal Code § 523, prohibits the transfer of ransomware to any third party. In fact, this type of conduct constitutes a felony. There is more information here on computer crime statutes in different states. Also, DHS Cyber Hunt and Incident Response Teams Act requires the Department of Homeland Security to create teams in order to provide assistance to organizations for protecting their network systems.

What are the common protection tools?

First, use a proper backup and data recovery system for your computers since it’s one of the primary defense mechanisms that has shown to be effective against ransomware attacks. Second, prevent using or implementing network share access control because if a system or user who is able to write to the mounted drive is infected, then all files that are stored on the network share can also be encrypted. In other words, it can turn a single infection into a network-wide infection. Third, use effective prevention tools that would prevent the malware from entering the network. Fourth, have effective response tools that would allow you to make the right decisions. For example, you should consult with your technical and legal teams to implement a practical response plan.

It’s important to know your legal rights and responsibilities when it comes to internet and technology laws. Please contact our law firm to speak with a knowledgeable internet and technology attorney at your convenience.