Slashdot Mirror


New California Law Finally Makes Ransomware Illegal

Reader Trailrunner7 writes: It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.

18 of 128 comments

  1. I still don't get it. by gfxguy · · Score: 4, Insightful

    How was it NOT extortion before the law?

    --
    Stupid sexy Flanders.
    1. Re: I still don't get it. by Wulf2k · · Score: 2

      He also didn't list "Ransomware programmed on a Tuesday by a man named Dave that lives in a van under a bridge."

      We obviously need a new law to cover this gap.

    2. Re: I still don't get it. by bondsbw · · Score: 3, Insightful

      Isn't it? If "ransomware" is a superset of "ransomware programmed on a Tuesday yada yada", then surely "extortion" includes "extortion via ransomware".

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:I still don't get it. by mikael · · Score: 2

      Because the other categories (money laundering, extortion) only applied when the files had been encrypted and a demand made. If the ransomware is loaded onto a computer system, but not activated, there's no crime committed using these categories.

      Just the act of loading software onto a PC is now enough evidence for a crime to be considered committed.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:I still don't get it. by Voyager529 · · Score: 4, Funny

      How was it NOT extortion before the law?

      Because this is extortion...on the Internet.

    5. Re:I still don't get it. by Dutch+Gun · · Score: 4, Informative

      So, I was curious about this, and did a little digging. For reference:

      The elements of California extortion are:

              The defendant threatened to do one of the following to the alleged "victim":

                      a. Unlawfully injure or use force against him/her, a third party, or his/her property,
                      b. Accuse him/her or a relative or family member of a crime, OR
                      c. Expose a secret involving him/her or a family member, or connect any of them with some kind of crime, disgrace, or scandal;

              When making the threat or using force, the defendant intended to force the "victim" into consenting to give him/her money or property or to do an official act;
              As a result of the threat, the "victim" did consent to give the defendant money or property or do an official act; AND
              The "victim" then actually did give the defendant money or property or perform the official act.

      So the exchange of the ransom is required to meet California's legal definition of "extortion". Naturally, most professionally run IT shops or prudent individuals will have backups and may not pay the ransom, but the damage still may be substantial simply due to lost time and productivity. This new law creates a specific exception for ransomware, making the deployment of it a crime equivalent to extortion, regardless of whether or not a ransom payment is made. From the text of the bill itself:

      This bill would define ransomware as... [describes ransomware]... The bill would provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware...

      Given this information, it appears that unpaid ransomware attacks were NOT considered "extortion" under California law. This new law provides both a legal definition for ransomware (must have gotten some help from a competent IT person here), and closes that loophole... which, btw, seems like sort of a terrible loophole for extortion as well, but whatever.

      We see further evidence of this in the first sections of the bill, which pretty much seems designed to shut down this loophole:

      523. (a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.
      (b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.
      (2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.

      TLDR version: This law was needed due to the peculiarities of California's extortion laws.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Outflanked the law? by wbr1 · · Score: 4, Insightful

    I do not know California code, but I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.

    So.. do we really need another law? For something that is largely coming from out of the country and is unlikely to result in a prosecution except MAYBE at the federal level?

    --
    Silence is a state of mime.
    1. Re:Outflanked the law? by CaptainDork · · Score: 4, Informative

      ... installing and running software without permission is already illegal ...

      Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.

      I'm retired from IT and I was often pulled into management's office to answer the question, "Why did our system not stop this?"

      I answered that the "system" was granted permission by the operator, who, BTW, has attended six (6) seminars this year alone that explain users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Outflanked the law? by wbr1 · · Score: 3, Insightful

      Software installed through deception is NOT installed with permission. This is computer fraud 101. Sure the operation can bypass system restrictions at any time, but actual permission lies with the user or owner, and software installed through fraudulent means such as deception, zero-days, etc. is still illegal and should not be considered as having been granted owner/operator permission.

      --
      Silence is a state of mime.
    3. Re:Outflanked the law? by wbr1 · · Score: 2

      But...but...but they're the good guys... /sarcasm

      --
      Silence is a state of mime.
  3. Thank god by Anonymous Coward · · Score: 3, Funny

    This will certainly stop them. I mean, I am sure they were just waiting for a law to make it illegal, then they'll stop.

  4. Wonderful. Glad that won't be an issue anymore by NotARealUser · · Score: 3, Insightful

    If it were only so simple... This does nothing to actually prevent ransomware.

    At least the good people of California can cite a specific law instead of the broader extortion laws when they are victimized. I really think there is no point to this law. It has no means to solve the ransomware issue, it simply makes a specific case out of something that was already illegal.

    1. Re:Wonderful. Glad that won't be an issue anymore by Archangel+Michael · · Score: 2

      It does do something ... It allows stupid legislators to say they did something. Remember the following logic is all that is needed.

      We must do something!
      This is something!
      Therefore we must do it!!!!!!!

      Implied is, "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Thanks California by Anonymous Coward · · Score: 2, Funny

    I can finally uninstall that pesky antivirus.

  6. It was legal before? by HalAtWork · · Score: 3, Interesting

    You mean up until now I could have had my own money making machine? Oh well, missed that boat...

  7. Calendar by PPH · · Score: 2

    It was nice to see the calendar turn over to 2017

    You were getting tired of Miss December too?

    --
    Have gnu, will travel.
  8. Re:Good by DickBreath · · Score: 3, Funny

    Windows 10 has been installed on this computer.
    To restore this computer to a usable state
    please send 3 bitcoin to Microsoft.

    --
    I'll see your senator, and I'll raise you two judges.
  9. "outlaws the use of ransomware" by avandesande · · Score: 2

    Bad enough to have all your files encrypted, now you will be in trouble with the government too?

    --
    love is just extroverted narcissism