New law would serve as a ‘deterrent’

US legislation may criminalize possession of ransomware

A bill proposed by Maryland lawmakers to criminalize ransomware possession looks set to pass a year after a costly cyber-attack hit the state’s biggest city.

The creation and distribution of malware for criminal purposes is already illegal under current US legislation; merely possessing malware or ransomware, however, is not.

This new state bill, proposed by Democratic Senator Susan Lee on January 13, would criminalize ransomware ownership with intent to cause harm.

While there was initial confusion over what the proposed law would mean for security researchers, the bill appears to offer some protection to those possessing ransomware for legitimate purposes.

The draft bill (non-HTTPS PDF) states: “With the exception of the use of ransomware for research purposes, the bill prohibits a person from knowingly possessing ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.”

Those found guilty could face up to 10 years in prison and/or a $10,000 fine in line with current extortion laws. The fine could go upwards to $25,000, depending on the damage caused by the ransomware.

“It’s not a silver bullet obviously,” Michael Lore, chief of staff for Senator Lee, told The Daily Swig.

“It’ll be a deterrent for people to buy, sell, and trade this [ransomware] online and keep it on their computers, thumb drives, cell phones, or laptops.

“If you are in possession of it [ransomware] then you could be prosecuted, and if you’re prosecuted, they can use that as leverage to find other people in your criminal network and pull the thread.”


The bill comes in the wake of the huge ransomware attack that hit Baltimore in May 2019.

City systems were forced offline for almost two weeks after cybercriminals demanded 13 Bitcoin ($76,000 at the time) in return for a decryption key.

It eventually cost $18 million to resolve after Maryland policymakers refused to pay.

“In the Baltimore situation, a decision was made pretty early on not to pay the ransom,” Michael Greenberger, professor at the University of Maryland Carey School of Law and director of the University of Maryland Center for Health and Homeland Security, told The Daily Swig.

“In any case, 30% of the time the payment is made, the problem isn’t resolved.

“But most importantly, and the reason the FBI and the Conference of Mayors [US city organization] don’t want people to pay the ransom, is that it’s encouragement.

“If you pay the ransom, it’s a signal to people, ‘Oh let’s do this some more because we’ll get the money’, and they [FBI] don’t want to give an incentive of payment that will lead to more ransomware.”

The state of New York recently unveiled two bills – Senate Bill S7246 and Senate Bill S7289 – aimed at banning government institutions from paying ransoms demanded in cyber-attacks. It’s a proposition that Maryland is keen to copy.

“We were thinking of this, too,” Lore told The Daily Swig.

“We also think the private sector should reveal when they’ve paid the ransom because they’re actually the targets, because the private sector is much more inclined to pay a ransom to protect their brand image.”

The question remains whether a bill like this will be enough of a deterrent to halt ransomware deployments in Maryland, though state legislators believe it to be a step in the right direction.

Lore said: “If we start doing things like New York is proposing and perhaps making it a requirement that private companies have to disclose when they pay a ransom, we might disincentivize the use of ransomware itself, and I think that’s really important in the long term.”
