A law condemning ransomware users has been proposed in a US state legislature. The bill will allow both civil and criminal penalties to be brought against those involved in ransomware attacks. Offenders could be given up to 10 years in prison, a US$10,000 (£8000) fine and be liable for civil damages.
Under Maryland law, crimes involving ransomware would normally come under extortion statutes, the punishments for which can range anywhere between 18 months for minor offences and 25 years in prison for felonies. That distinction could be erased if this new bill is passed.
The bill is sponsored by state senator Susan Lee, a Democrat who represents Montgomery County and has sat on the Maryland legislature's Joint Committee on Cyber-security, Information Technology and Biotechnology and the Maryland Cyber-security Council since 2015.
About time, Graham Mann, managing director of Encode Group UK, told SC Media UK: “Legislative bodies have been lax in addressing specific types of cyber-attacks, preferring to rely on laws designed for transgressions from previous eras.
“Using existing legal frameworks is not appropriate for the 21st Century, they don't properly describe the attacks and certainly don't provide sufficient penalties. The issue, however, is that cyber-attacks are a global phenomenon and it will be difficult for individual countries to prosecute offenders.”
Medstar, a Maryland healthcare provider, came under a ransomware attack last year, forcing several hospitals in the area to shut down their computer networks. At the time, Lee called it “a wake up call”.
Hospitals especially seem to be a popular target for ransomware attackers. These kinds of attacks have been seen not just in the US but in the UK too. A series of incidents and freedom of information disclosures have revealed the NHS as an attractive target.
Brian Chappell, director of technical services EMEAI & APAC at BeyondTrust, told SC that this new bill likely has more to do with drawing attention to the issue than policing it: “If someone believes they can complete the transaction anonymously, is a new law in Maryland going to dissuade them? Probably not. We still need to assume that someone will attack in this way and take the necessary steps to limit the impact.”