‘Knowingly possessing’ file-encrypting malware now comes with a three-year prison sentence

Michigan Governor Rick Snyder last week signed new legislation outlining specific penalties for cybercrimes involving ransomware.

House Bills 5257 and 5258, which have been sponsored by State Representatives Brandt Iden and James Lower, respectively, prohibit and prescribe a felony penalty of up to three years imprisonment for “knowingly possessing ransomware with the intent to introduce it into a computer or computer network without authorization”.

“Cybercrime and tough measures to combat it is a rapidly evolving effort, and it’s integral our law enforcement agencies have the tools to identify, prevent and penalize it,” said Governor Snyder.

Bill 5247 outlines the technicalities of the new law, while Bill 5258 amends Michigan’s Code of Criminal Procedure by adding sentencing guidelines for ransomware-related offenses.

“Under the bill, ransomware would mean a computer or data contaminant, encryption, or
lock that has the ability to be placed or introduced without authorization and that restricts access by an authorized person into a computer, system, or network,” reads the House Fiscal Agency’s legislative analysis.

Last year, Michigan-based healthcare supplier Airway Oxygen announced it had been hit by a ransomware attack. A subsequent investigation revealed that intruders had access to the information of approximately 550,000 patients.