Ransomware is a form of malicious software (malware) that encrypts files on a device and demands payment from the user in order to decrypt and restore access to the files. Ransomware attacks have been rapidly increasing in recent years, impacting individuals, businesses, hospitals, and government agencies around the world. But is ransomware actually a cybercrime from a legal perspective?
What is ransomware?
Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. It encrypts files on the infected device and essentially locks all the information on the computer, making it inaccessible to the rightful owner.
The two main types of ransomware are:
- Locker ransomware – This locks the victim out of the infected device or computer.
- Crypto ransomware – This encrypts files, making them inaccessible until the ransom is paid.
Ransomware is typically spread through phishing emails, infected software apps, infected external storage devices, and compromised websites. Once the malware installs itself on the system, it encrypts the files and displays a ransom payment demand.
The ransom demand often asks for payment in cryptocurrency, such as Bitcoin, to make the funds harder to trace. The ransom amounts can range from several hundred to thousands of dollars. Even after paying the ransom, there is no guarantee that the files will be restored.
Ransomware attacks around the world
Ransomware attacks have rapidly grown in scale and frequency in the past decade. Here are some major ransomware incidents from around the world:
WannaCry ransomware attack
- Date: May 2017
- Impact: Infected over 230,000 computers across 150 countries
- Notable targets: UK’s National Health Service, Spanish telecom firm Telefonica, German state railways
NotPetya ransomware attack
- Date: June 2017
- Impact: Caused over $10 billion in damages globally
- Notable targets: Shipping company Maersk, pharmaceutical company Merck, FedEx’s European subsidiary TNT Express
SamSam ransomware attack
- Date: Active since 2015
- Impact: Attacked 230 victims and extorted over $6 million in ransom
- Notable targets: City of Atlanta, Hancock Health medical system, LabCorp diagnostics
Ryuk ransomware attack
- Date: 2018 – present
- Impact: Earned over $150 million in ransom payments
- Notable targets: Electronics manufacturer LG, newspapers Tribune Publishing and ProPublica
These incidents highlight how ransomware has become a multimillion-dollar criminal industry impacting organizations globally.
Are ransomware attacks illegal?
Ransomware attacks involve unauthorized access and modification of data on someone else’s computer. This raises the question – are ransomware attacks actually illegal?
There are several laws in different countries under which ransomware attacks can potentially be treated as crimes:
Computer Fraud and Abuse Act
In the United States, distributing ransomware is prosecutable under the Computer Fraud and Abuse Act (CFAA). CFAA prohibits accessing a computer without authorization and knowingly transmitting malware.
Wire fraud statutes
The wire fraud statutes prohibit schemes to defraud or obtain money on false pretenses using electronic communications. Ransomware attacks typically involve wire fraud when ransoms are paid.
Demanding ransom payments is legally considered extortion in many jurisdictions. Threatening to damage, destroy or restrict access to data may violate extortion laws.
Some countries restrict the use of encryption. Distributing encryption ransomware may be illegal in such countries.
Money laundering laws
Money paid as ransom can be considered proceeds of crime. Laundering these funds may violate anti-money laundering laws.
Notable arrests and prosecutions
There have been some recent arrests and prosecutions of cybercriminals involved in high-profile ransomware attacks:
WannaCry ransomware creators
- In 2021, the US Department of Justice charged 3 North Korean military hackers who created the WannaCry ransomware.
- They are wanted criminals charged with conspiracy to commit wire fraud and conspiracy to commit money laundering.
REvil ransomware gang
- In November 2021, Ukrainian authorities arrested members of the REvil ransomware gang.
- REvil was behind major ransomware attacks on JBS Foods and software company Kaseya.
SamSam ransomware operators
- In 2018, the US Department of Justice charged two Iranian men behind the SamSam ransomware attacks.
- They were charged with conspiracy to commit wire fraud, conspiracy to commit fraud, and intentional damage to a protected computer.
These prosecutions indicate that law enforcement agencies are ramping up efforts to crack down on ransomware gangs.
Are ransom payments legal?
What about paying the ransom – is that legal? This issue is complex:
- Paying ransom could potentially violate anti-money laundering laws or restrictions on financing terrorism in some countries.
- However, currently there are no laws in the US or most other countries prohibiting ransom payments.
- Some cyber insurance policies may cover ransom payments.
- The US Treasury has provided guidance permitting ransom payments in certain situations.
- But paying ransoms encourages and funds further cybercrime, according to law enforcement agencies like the FBI.
So ransom payments are not strictly illegal at this time, but there are arguments against paying as it fuels the ransomware business.
Damages and civil lawsuits
While few ransomware attacks lead to criminal charges, there are often civil lawsuits seeking damages:
- Cyber insurer AXA sued a French hospital group for $11 million after it paid ransom to cybercriminals without contacting AXA.
- In 2021, Florida-based software supplier Kaseya obtained a restraining order to prevent victims of a REvil ransomware attack from paying ransoms.
- Many more lawsuits have been filed by victims against cyber insurers over recovery of ransomware damages and costs.
So even if not specifically illegal, ransomware attacks can lead to significant civil lawsuits and damages.
Should ransomware be more explicitly outlawed?
Some experts argue that laws should more unambiguously outlaw cyber ransom schemes to deter attacks:
- Specific criminal statutes explicitly prohibiting ransomware could clarify that it is a serious crime.
- Regulations prohibiting ransom payments may reduce incentives for cybercriminals.
- International cooperation is needed as many gangs operate across borders.
However, the complexity of attribution and tracing criminals behind ransomware makes enforcement difficult. Outright bans may also remove incentives for ransomware operators to actually restore victims’ data.
Ransomware attacks involve extortion by restricting access to or threatening to destroy data. But the legality is complex:
- Distributing ransomware can violate computer intrusion and wire fraud laws.
- Paying ransoms so far does not violate any laws, though it is controversial.
- Ransomware operators are difficult to prosecute given challenges tracing cryptocurrency payments.
- Civil lawsuits help recover damages but don’t fully deter ransomware activity.
- Stricter laws specifically targeting ransomware operations may help, but also raise concerns.
Overall, ransomware sits in a gray area – clearly unethical, but not always unambiguously illegal. Lawmakers and enforcement agencies continue to grapple with outlawing this rising cyber threat. Organizations must implement strong security measures to prevent, detect, and respond to ransomware attacks. But the complex legal landscape allows many ransomware gangs to operate with impunity for now.