State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.
The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.
Ransomware has become a lucrative industry over the last three years, affecting schools, police departments and healthcare businesses. Trojans that work like viruses, such as CryptoLocker — which began appearing in 2013 — can be unleashed by users with few technical skills and reel in profits.
“We are at a point where the amount of money being made is so high, other (bad) actors will keep coming,” said Craig Williams, a threat researcher for Talos, part of the cybersecurity company Cisco Systems.
Proponents say the proposed ransomware law is the right step to counter attacks difficult to prosecute under existing statutes that are not tailored to combat computer crime. But some question just who will get caught in the dragnet, as such incidents are tough to trace and culprits are often overseas.
But no arrests were made. Nor were arrests made in more than half a dozen of ransomware incidents investigated by the Cyber Investigation Response Team of the Los Angeles County district attorney’s office, which is a co-sponsor of the bill.
Prosecutor Don Hoffman, head of the division, said authorities were not able to prove who was responsible. He supports the proposed law.
“You buy an umbrella before it starts raining,” Hoffman said. “Particularly as ransomware starts to get consumerized, the level of skills that is required to launch such a campaign will not be as high, and we certainly expect attacks to be coming from more countries and within the U.S.”
Ransomware attacks are instigated when a person clicks on a compromised website or opens an infected email. The programs encrypt files, such as photographs, videos or documents, and they cannot be accessed without an encryption key.
Security researchers first saw similar attacks in 1989, when the so-called AIDS Trojan virus locked people out of their files if they clicked through a quiz about their sexual and drug habits. Ransomware has evolved over the last decade with the creation of “police screen lockers,” pop-up screens that appear to be created by law enforcement agencies that fraudulently order people to pay fines after accusing them of downloading pirated movies or child pornography.
At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.
That doesn’t quite fit computer crime, Hoffman said.
“With ransomware, the threat has already been carried out,” he said. “The data has already been encrypted; it has already been compromised. It’s more like data kidnapping.”
At least one other state, Wyoming, has outlawed ransomware.
Supporters said such a law in California would encourage more law enforcement agencies to pursue ransomware investigations and make extraditions of offenders more likely.
Lawmakers pointed to the need to modernize laws in the wake of rising attacks. Hertzberg’s own website was compromised a day after his bill cleared the Senate in May with a 39-0 vote.
But the most notorious incidents have involved hospitals in Southern California. The Hollywood Presbyterian Medical Center became a target Feb. 5.
In April, Steve Giles, chief information officer for the hospital, told the state Senate Public Safety Committee that nearly all of its systems were shut down.
“This created panic within the nursing and the physician staff,” he said.
To pay the ransom, Giles said, hospital staff had to take $17,000 to a nearby ATM to have the cash converted into bitcoins, a digital form of currency.
Under the proposed legislation, the punishment for such a crime could be up to four years in prison and a $10,000 fine.
So far, the bill has faced no opposition in the Assembly, and must be sent to Gov. Jerry Brown’s desk by the time the Legislature adjourns at the end of August.
“Having the signal sent to the criminals, we feel, is at least a step in the right direction,” said Andrea Deveau, executive director of California and the Southwest U.S. region of TechNet, which co-sponsored the legislation. “It would go far in letting these perpetrators know that the state is taking it very seriously.”
But security researchers said the cases would be difficult for any one law enforcement agency to pursue — attacks can be launched from servers spread across multiple countries.
“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” said Brandon Perry, a senior consultant for NTT Com Security. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”
Follow @jazmineulloa on Twitter