A new Maryland ransomware bill has been introduced that makes extortion using unauthorized software a criminal offense. The bill introduces stiff penalties for ransomware attacks on companies based in the state as well as attacks on individuals. Cybercriminals who use ransomware to try to extort money from victims would be fined up to $10,000 for the attack and could face up to 10 years in jail.
While the Maryland ransomware bill – HB 340 – may be enough to discourage home-grown attacks, it is likely to do little to deter foreign cybercriminals. Since the majority of ransomware attacks are launched from outside the United States, state residents should not let down their guard. The bill points this out quite clearly, saying “Because the perpetrators are often based overseas, there is very little local and federal law enforcement can do, especially within the narrow window of time in which victims must pay a ransom.”
Currently, ransomware attacks are a crime in Maryland. They are covered under existing extortion statutes. However, if the attacks result in amounts of less than $1,000 being extorted, the offense is classed as a misdemeanor. Attacks that result in larger amounts being obtained by the attackers would be penalized more severely, with up to $25,000 in fines and a maximum of 25 years in prison.
The new Maryland ransomware bill was initially intended to include a provision covering ransomware authors, although it was not included in the final bill. The bill, which was sponsored by Sen. Susan Lee, D-Montgomery, would also give victims of ransomware attacks recourse to claim damages.
However, the bill is short on details, which would leave it up to prosecutors and judges to determine the penalties for attacks. For example, if a ransomware campaign resulted in 10 computers being infected, it is unclear whether that would be a single count or ten.
When the bill is passed into state law, there would naturally be a cost associated with incarcerating individuals found to have conducted attacks, although it is thought the increase in cost would be “minimal.”
Ransomware attacks in Maryland have increased over the past 12 months, as they have across the United States, but one major attack in particular grabbed the news headlines. MedStar Health was crippled by a massive ransomware attack last year, which resulted in the hospital network’s systems being taken offline for a number of days while the infection was resolved.
In that case, current laws in Maryland covering extortion would have classed that incident as a misdemeanor since no ransom was paid, even though the cost of resolving the infection was considerable and there was an impact on patients. Emergency services had to be diverted to other facilities as a result of the attack and staff were unable to gain access to their EHR, email, or even switch on their computers.
The Maryland ransomware bill would ensure that attacks such as that on MedStar Health would see criminals brought to justice.