California just turned ransomware into a felony as of January 1st. The new law explicitly makes the cyber-extortion tactic illegal and sets a punishment of up to four years in prison. It might sound obvious that this should have been illegal already, but before the law passed, officials would have had to use existing extortion statutes to prosecute ransomware criminals.
“This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware,” Sen. Bob Hertzberg said in a statement in September 2016. “Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”
The bill’s passage comes as ransomware has exploded onto the world stage as one of the leading cybersecurity threats of 2016. A study by IBM estimated criminals were on pace to make nearly $1 billion in 2016. And ransomware made up nearly 40 percent of all spam emails sent in the year.
But as prevalent as the crime has become, the hackers themselves are notoriously hard to catch, and no arrests have yet taken place domestically. California’s new law is meant to be both a symbolic gesture and some prep work, putting the right laws on the books for the point when criminals do get prosecuted.
“You buy an umbrella before it starts raining,” Prosecutor Don Hoffman told the LA Times in July. “Particularly as ransomware starts to get consumerized, the level of skills that is required to launch such a campaign will not be as high, and we certainly expect attacks to be coming from more countries and within the U.S.”
And while we wait for the day the criminals are put away in prison, there are preventative measures we can take now to avoid becoming ransomware’s next victim. Most importantly, don’t open email attachments or click on links coming from sketchy sources. Even today, victims often get attacked by opening emailed Microsoft Word docs with malicious code embedded in a macro.
And if you do find yourself the victim of an attack, the FBI asks that you report it to law enforcement. Even if they can’t help you recover your data, it will help them get a better view into the threat we’re all facing.