New California Law Finally Makes Ransomware Illegal
Reader Trailrunner7 writes: It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.
I still don't get it. (Score:5, Insightful)
Re: (Score:1)
It was... you missed the country of origin.
Re: (Score:1)
* California (fixing my own post)
Re:I still don't get it. (Score:5, Informative)
So, I was curious about this, and did a little digging. For reference [shouselaw.com]:
The elements of California extortion are:
The defendant threatened to do one of the following to the alleged "victim":
a. Unlawfully injure or use force against him/her, a third party, or his/her property,
b. Accuse him/her or a relative or family member of a crime, OR
c. Expose a secret involving him/her or a family member, or connect any of them with some kind of crime, disgrace, or scandal;
When making the threat or using force, the defendant intended to force the "victim" into consenting to give him/her money or property or to do an official act;
As a result of the threat, the "victim" did consent to give the defendant money or property or do an official act; AND
The "victim" then actually did give the defendant money or property or perform the official act.
So the exchange of the ransom is required to meet California's legal definition of "extortion". Naturally, most professionally run IT shops or prudent individuals will have backups and may not pay the ransom, but the damage still may be substantial simply due to lost time and productivity. This new law creates a specific exception for ransomware, making the deployment of it a crime equivalent to extortion, regardless of whether or not a ransom payment is made. From the text of the bill itself [ca.gov]:
This bill would define ransomware as... [describes ransomware]... The bill would provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware...
Given this information, it appears that unpaid ransomware attacks were NOT considered "extortion" under California law. This new law provides both a legal definition for ransomware (must have gotten some help from a competent IT person here), and closes that loophole... which, btw, seems like sort of a terrible loophole for extortion as well, but whatever.
We see further evidence of this in the first sections of the bill, which pretty much seems designed to shut down this loophole:
523. (a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.
(b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.
(2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.
TLDR version: This law was needed due to the peculiarities of California's extortion laws.
Re: (Score:1)
Extortion. Racketeering. Fraud. Unauthorized access. Yadda Yadda. Etc etc.
Notice you didn't list, "ransomware."
Re: (Score:2)
He also didn't list "Ransomware programmed on a Tuesday by a man named Dave that lives in a van under a bridge."
We obviously need a new law to cover this gap.
Re: I still don't get it. (Score:4, Insightful)
Isn't it? If "ransomware" is a superset of "ransomware programmed on a Tuesday yada yada", then surely "extortion" includes "extortion via ransomware" .
Re: (Score:1)
Extortion. Racketeering. Fraud. Unauthorized access. Yadda Yadda. Etc etc.
Notice you didn't list, "ransomware."
Ransomware is a buzzword. There are a variety of laws on the books which already make it illegal to write it, illegal to distribute it, illegal to fuck with someone's data using it, illegal to demand money to unlock the data, etc.
The REAL reason California is passing this redundant law is not to make it "more" illegal or even specifically illegal. They're doing it because if California has a law against an activity, it gives them a certain level of Jurisdiction at a State level which they may not have had p
Re: (Score:2)
Probably because ransomware is a form of extortion.
Re: (Score:2)
IANAL, but yeah. Installing software on my PC without permission should already be trespass or vandalism; encrypting my files and demanding money for the key should already meet the definition of extortion or blackmail. I guess the fact that these assumptions are apparently false just shows how non-intuitive the law is.
Re: (Score:2)
It's all already covered under the ridiculous CFAA.
Re: (Score:2)
How was it NOT extortion before the law?
Moot.
We're eliminating extortion, money laundering, loss of income for righting the ship ...
To paraphrase TFS and TFA, "It's illegal to load ransomware on a computer."
The mere existence of the ransomware is evidence of a crime, in and of itself, and extortion, money laundering, loss of income for righting the ship are collateral issues.
Re: (Score:1)
Is it illegal to load ransomware on my own computer?
Is this more illegal than installing something that will encrypt all the files without offering to decrypt them for money?
Re: (Score:2)
How was it NOT extortion before the law?
See for example this definition of extortion: http://legal-dictionary.thefre... [thefreedictionary.com]
If you read the definition carefully, you will find that ransomware doesn't actually fall under this definition.
Re: (Score:2)
Only under strict-common law. If you read further down:
Re: (Score:2)
That definition says "who takes money or property", implying that the threat by itself is likely to not count as extortion unless it's successful. I'd rather have "give me $1000 or I break your arms" count as extortion whether I hand the money over or not. Specifically, I'd like the installation and activation of ransomware to count as extortion.
Re: (Score:2)
(Emphasis mine.)
Seems to fit nicely under fear. I'm afraid that if I don't pay you then I'll never get my files back.
Re: (Score:3)
Because the other categories (money laundering, extortion) only applied when the files had been encrypted and a demand made. If the ransomware is loaded onto a computer system, but not activated, there's no crime committed using these categories.
Just the act of loading software onto a PC is now enough evidence for a crime to be considered committed.
Re: (Score:2)
I haven't found the text of the law to read, but I can guess.
I used to work for a place where, in the late 1980s and early 1990s we would occasionally sell ransomware to clients who had iffy credit. Pay your bill every month, and we'd send you an update to our software. Stop paying or don't install your update, and a time bomb would go off: it fails to start. The software's data wasn't encrypted or anything, but it was in a proprietary undocumented form, so it was eff
Re:I still don't get it. (Score:5, Funny)
How was it NOT extortion before the law?
Because this is extortion...on the Internet.
Re: (Score:2)
How was it NOT extortion before the law?
Yeah, no kidding
Re:Good (Score:4, Funny)
To restore this computer to a usable state
please send 3 bitcoin to Microsoft.
Outflanked the law? (Score:5, Insightful)
So.. do we really need another law? For something that is largely coming from out of the country and is unlikely to result in a prosecution except MAYBE at the federal level?
Re: (Score:1)
Yes, we need another useless law that will not have anyone convicted any time soon, just so stupid legislators can say "See, we are protecting you!"
Right up there with Assault Rifle bans because ... "SCARY LOOKING!!!!!"
Re: (Score:1)
flawed laws...
Re: (Score:2)
I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.
Isn't that what the FBI, CIA and NSA do every day? Without warrants, or judges' approval . . . ?
Re:Outflanked the law? (Score:5, Informative)
... installing and running software without permission is already illegal ...
Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.
I'm retired from IT and I was often pulled into management's office to answer the question, "Why did our system not stop this?"
I answered that the "system" was granted permission by the operator, who, BTW, has attended six (6) seminars this year alone that explain users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.
Re:Outflanked the law? (Score:4, Insightful)
Re: (Score:2)
Bullshit.
I have all kinds of shit in place that says, "DO NOT OPEN THIS ATTACHMENT" and the goddam user still opens it.
We're a law firm and the stock answer is, "Your guy overrode your own fucking system and ASKED for the payload."
So, no ...
Re: (Score:2)
I think you may be ignoring the legal definition of permission. For example, using login credentials that the ex-employee knew should not be used to log into a company system certainly has technical permission from the system, but I believe it's been found illegal under the CFAA.
Re: (Score:2)
Try oranges next time.
Re: (Score:2)
Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.
This was modded "Informative"? You are a loon.
I answered that the "system" was granted permission by the operator,
So if I ask you if I can borrow your lawnmower, but instead take your car out of your garage and run it into a tree, you're ok with that because you gave me permission to take something out of your garage and you really didn't care what it was? Or a user who agreed to allow a website to install "File Compressor Pro" actually agreed to let them install ransomware instead because they agreed to allow the site to install something, it doesn't matter what?
It matte
Re: (Score:2)
TL;DR
It appears, from a distance, and with a quick scan, that you are intelligent and may one day make use of that attribute, but not today.
Re: (Score:1)
Sometimes, if you're in the USA.
A few months ago my wife was on jury duty, where a guy was suspected of (actually, he took the stand(!) and incriminated himself) kidnapping a junkie and making her work as a prostitute, with occasional beatings and threats.
Those are all illegal things in my state.
Just one problem: this was federal court. So what he was actually charged with, was some totally absurd made-up nonsense lie about "interstate commerce." The guy was not engaging i
Re: (Score:2)
I think they wanted installing and activating ransomware to count as extortion, which it didn't.
Thank god (Score:3, Funny)
This will certainly stop them, I mean I am sure they were just waiting for a law to make it illegal then they'll stop
Re: Thank god (Score:1)
It will only stop the law abiding criminals.
CFAA (Score:1)
I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?
Re: (Score:2)
I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?
OK, an explanation could be found here on LA Times [latimes.com]. You could also read the quote below (from the given link) for the specific part of the answer.
At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.
That doesn't quite fit computer crime, Hoffman said.
"With ransomware, the threat has already been carried out," he said. "The data has already been encrypted; it has already been compromised. It's more like data kidnapping."
At least one other state, Wyoming, has outlawed ransomware.
Re: (Score:2)
The CFAA can be used to threaten someone with 35 years for violating a TOS in a way that is not actually a crime under any other law. But it isn't good enough to cover Ransomware?
Wonderful. Glad that won't be an issue anymore (Score:4, Insightful)
If it were only so simple... This does nothing to actually prevent ransomware.
At least the good people of California can cite a specific law instead of the broader extortion laws when they are victimized. I really think there is no point to this law. It has no means to solve the ransomware issue, it simply makes a specific case out of something that was already illegal.
Re: (Score:3)
It does do something ... It allows stupid legislators to say they did something. Remember the following logic is all that is needed.
We must do something!
This is something!
Therefore we must do it!!!!!!!
Implied is, "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"
Re: (Score:1)
how eat cows/pigs is better than eat kittens?
Re: (Score:2)
how eat cows/pigs is better than eat kittens?
Pro: cow/pig bigger than kitten, therefore don't need eat two kitten for dinner, just one cow.
Con: cow/pig less tender, need tenderizer. Kitten yummy. Like veal. Cat, ick, old and tough.
Pro: cow/pig available at local store. Must hunt kitten. Here kitty kitty... Hello Kitty!
Re: (Score:2)
For example it wouldn't be money laundering if somebody paid taxes on the income!
And it wouldn't be ransomware without extortion.
Why are we against criminalizing such bad behavior directly.
Because criminalizing every variant of everything we want to prohibit leads to massive volumes of criminal law, and the expectation that something that isn't specified exactly by name isn't a crime at all. You really don't want to have to wait for the legislators to catch up with a specific law regarding "some existing crime DONE ON A COMPUTER" just because it wasn't specified that way explicitly in the current law. I point to the parallel between this and pat
Thanks California (Score:2, Funny)
I can finally uninstall that pesky antivirus.
Yawn (Score:2)
It was legal before? (Score:4, Interesting)
You mean up until now I could have had my own money making machine? Oh well, missed that boat...
Re: (Score:2)
There are 49 other states in the US....
Re: (Score:2)
Yes, but electricity hasn't been discovered yet in 25 of them.
More Magical Thinking from California (Score:2)
This is one of the more absurd examples of magical thinking I have seen in a while. Why do they think this will have any impact at all?
Most of the groups that spread the malware are based overseas. Most of them use bitcoin to collect payments so there's not even a money trail. Just what is this measure supposed to do to help anyone?
Re: (Score:2)
Seriously, what do you fucktards whining about this do about murder laws? They don't stop homicides either,
Yes, they do, because someone knows if they murder someone, then they probably will be found, and sent to jail. The "murder laws" stop a lot of very real murders.
By contrast, the laws against ransomware are worthless because the targets are as I said (A) not anywhere near where California law can impact them, and (B) really not trackable so you can't even find out who to sue or arrest.
Re: (Score:2)
The law may be useful for extradition. If bad guy A is working in country B, and is identified, it may be easier to file an extradition request for a charge of extortion than computer misuse.
If I, in the US, hack into somebody else's computer using an untraceable route, should I still be considered in violation of the CFAA?
Re: (Score:2)
So what you're saying is that laws do work.
Of course SOME laws work.
You appear to be saying that ALL laws work.
Like drug laws...
Bang up argument there, Skippy.
Then your problem is not with the laws,
Yes it is with laws that do not, and cannot work.
but with California not simply sending armed posses to hunt down criminals who harm their citizens.
That would be fine but who would they hunt? That's my point, you simply cannot track down these malware people.
finally (Score:1)
That'll stop those rusky hackers!
Obvious question (Score:2, Funny)
so, all hacking = illegal/bad? (Score:1)
ransomware absolutely sucks.
That being said, the statement "The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, " seems a bit loaded. I'm not sure if all hacking should automatically be assumed to be illegal. Would this even be hacking or are we to assume 'everything nefarious done via computer is hacking'.
Re: (Score:1)
I'm sure: the answer is NO
Known to ... (Score:2)
Legislation over IT is generally stupid... (Score:1)
Funding for awareness drives? (Score:2)
Calendar (Score:3)
It was nice to see the calendar turn over to 2017
You were getting tired of Miss December too?
Re: (Score:2)
... January, you start the year off fine.
February, you're my little valentine...
Oooh scary (Score:2)
Yeah I'm sure this will scare the pants off some guy in his bedroom in Romania or Chelyabinsk.
He'll probably give up his evil ways, go straight, and get a day job at the local Burger King, AMIRITE?
If they wanted to make a difference.... (Score:2)
Re: (Score:2)
So, what you're saying is that people who want to pay the ransom should avoid letting any law enforcement agency know they've got the ransomware? Wouldn't you rather encourage the reporting of ransomware?
Re: (Score:2)
Some people want their files back, and will want to pay. If they know that they'll be criminally charged if news gets out, they will be sure not to tell anyone, and we'll never know how much is going on, and we'll miss out on data that might be useful in tracing it. Bad guys started using ransomware without knowing what the profit would be. The ones who know that it can make money will continue to do it, and new entrants into the field won't know whether or not it works. I think we're better off encour
The best part is the bounties (Score:1)
I mean, seriously, 10 percent of the ransom amount?
Take down a cyber ring and you can retire in Sumatra forever!
"outlaws the use of ransomware" (Score:3)
Problem solved. (Score:2)
The actual solution (Score:2)
Re: (Score:2)
Or, more likely, it would guarantee that the victim, who thinks a "backup" is something their plumber fixes but can't bear to lose those cute pictures of the sister's dog, won't ever report the crime.
Re: (Score:1)
Think it through further, making paying illegal would cause an explosion in ransomware as now all those authors will be able to successfully blackmail the payers into more criminal activities. Just like drug use and prostitution, when one party can't get help the other party successfully pushes further and further.
Laws for Outlaws (Score:2)
Since when did outlaws start obeying the law?
There are already plenty of laws governing this.
No need to make a new law and clutter up the books.
Bah, hum-bug.
Re: (Score:2)
Are you seriously arguing that laws that outlaws don't obey shouldn't be on the books?
Re: (Score:2)
Try reading my whole comment next time.
Jurisdiction (Score:2)
Californian law applies in California, most malware is from Asia or Eastern Europe. I do not see how this law will affect anything.