[BreachExchange] Legislation Would Stiffen Penalties for Ransomware Attacks

Destry Winant destry at riskbasedsecurity.com
Fri Feb 15 01:52:10 EST 2019


https://www.usnews.com/news/best-states/maryland/articles/2019-02-13/legislation-would-stiffen-penalties-for-ransomware-attacks

Using ransomware to hold computers hostage would draw stiffer
penalties under legislation — prompted in part by attacks on Maryland
hospitals over the past few years — state lawmakers are considering.

The legislation, which would enforce tougher penalties for those
convicted of ransomware crimes, was spurred by attacks like those on
the University of Maryland Medical System in 2018 and on the Salisbury
Police Department in January.

Hospitals and health care centers remain one of the most vulnerable
industries to ransomware attacks, which could lead to disruptions of
critical information systems, loss of data and even patient
fatalities.

Maryland Senate bill 151, cross-filed with House bill 211, would
define ransomware attacks that result in a loss greater than $1,000 as
a felony, subject to a fine of up to $100,000 and a maximum sentence
of 10 years in prison.

Under current Maryland laws, a ransomware attack that extorts a loss
less than $10,000 is considered a misdemeanor, while a breach that
results in a loss greater than $10,000 is a felony.

Ransomware is a specific type of malware that allows hackers to seize
control of and access to computers and the data stored within those
devices.

The attackers then refuse to release control of the devices and
information until a ransom is paid.

Unpaid demands can create further problems for the victims: The ransom
can increase or the hackers can permanently delete the data, according
to a state analysis.

"Even when (victims) do pay the ransom there is not necessarily a
guarantee that they will receive the data back," Markus Rauschecker,
the cybersecurity program manager for the University of Maryland
Center for Health and Homeland Security, said during a bill hearing
Jan. 31.

The bill will also introduce a new criminal offense, which prohibits
violators from simply possessing ransomware with the intent to use it,
with an exception for researchers, according to a state analysis.

The new legislation would authorize courts to award damages and cover
attorney fees and costs for the victims of an attack, according to a
state analysis.

"No industry is safe from ransomware, most importantly our hospitals,"
bill sponsor Sen. Susan Lee, D-Montgomery, said.

Ransomware attacks on hospitals are a continuing problem across the
country and often create major problems for the facilities, including
loss of lives, misdiagnoses and other technological disadvantages for
doctors and patients, Lee told Capital News Service.

In 2018, the University of Maryland Medical System's information
technology infrastructure was victim to an attempted malware
infiltration.

The medical system was able to subdue the attack by implementing
backup servers to ensure patient care was uninterrupted, according to
a press statement.

"The most frightening part about (ransomware attacks) is that
hospitals and health care sectors are especially vulnerable,"
Rauschecker said. "This can ultimately mean deaths in hospitals."

Attacks can have serious consequences due to a lack of access to
electronic data or medical devices available to doctors and staff
during a breach, Rauschecker said.

A 2017 Vanderbilt University research paper estimated that more than
2,000 deaths per year could be attributed to ransomware attacks on
hospitals.

In 2016, Maryland's MedStar Health system was subject to a ransomware
attack that also targeted government agencies, cities and businesses
around the nation. The hackers were able to get around $6 million and
caused their victims to lose more than $30 million, according to a
state analysis.

Rauschecker said that ransomware attacks are one of the "fast growing"
areas within cyber crime.

SonicWall, a cyber-crime security company, reported about 181.5
million ransomware attacks in the first six months of 2018 — more than
doubled over the same time period in 2017, but a marked decrease from
the rate of attacks in 2016.

"This bill passing will be the start of raising the concern of
(ransomware attacks) and how big this problem is," Maryland State's
Attorneys' coordinator Steve Kroll said during the bill hearing.

In January, the Salisbury Police Department suffered a ransomware
attack that affected their computer systems, including email and
network servers, as well as its record management systems, Capt. Rich
Kaiser said.

Kaiser emphasized that while the department had no access to data
during the attack, there is no evidence of police department data
being stolen due to an "intricate file backup system."

Kevin Kornegay, a professor in the school of electrical and computer
engineering at Morgan State University, theorizes that while cyber
breaches are targeting big corporations, ransomware attacks remain a
"massive threat to small (and) mid-sized businesses," which in many
instances often go unreported.

This is because ransomware attacks have commonly been found in
"phishing emails" and websites with clickbait — often the attacks are
minor — and small businesses tend not to report them, according to
Kornegay.

