New California Law Finally Makes Ransomware Illegal

Reader Trailrunner7 writes: It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.

I still don't get it.

[gfxguy]

How was it NOT extortion before the law?

Re:I still don't get it.

[Voyager529]

How was it NOT extortion before the law?

Because this is extortion...on the Internet.

Re:I still don't get it.

[Dutch+Gun]

So, I was curious about this, and did a little digging. For reference:

The elements of California extortion are:

        The defendant threatened to do one of the following to the alleged "victim":

                a. Unlawfully injure or use force against him/her, a third party, or his/her property,
                b. Accuse him/her or a relative or family member of a crime, OR
                c. Expose a secret involving him/her or a family member, or connect any of them with some kind of crime, disgrace, or scandal;

        When making the threat or using force, the defendant intended to force the "victim" into consenting to give him/her money or property or to do an official act;
        As a result of the threat, the "victim" did consent to give the defendant money or property or do an official act; AND
        The "victim" then actually did give the defendant money or property or perform the official act.

So the exchange of the ransom is required to meet California's legal definition of "extortion". Naturally, most professionally run IT shops or prudent individuals will have backups and may not pay the ransom, but the damage still may be substantial simply due to lost time and productivity. This new law creates a specific exception for ransomware, making the deployment of it a crime equivalant to extorsion, regardless of whether or not a ransom payment is made. From the text of the bill itself:

This bill would define ransomware as... [describes ransomware]... The bill would provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware...

Given this information, it appears that unpaid ransomware attacks were NOT considered "extortion" under California law. This new law provides both a legal definition for ransomware (must have gotten some help from a competent IT person here), and closes that loophole... which, btw, seems like sort of a terrible loophole for extortion as well, but whatever.

We see further evidence of this in the first sections of the bill, which pretty much seems designed to shut down this loophole:

523. (a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.
(b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.
(2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.

TLDR version: This law was needed due to the peculiarities of California's extortion laws.

Outflanked the law?

[wbr1]

I do not know california code, but I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.

So.. do we really need another law? For something that is largely coming from out of the country and is unlikely to result in a prosecution except MAYBE at the federal level?

Re:Outflanked the law?

[CaptainDork]

... installing and running software without permission is already illegal ...

Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.

I'm retired from IT and I was often pulled into management's office to answer the question, "Why did our system not stop this?"

I answered that the "system" was granted permission by the operator, who, BTW, has attended six (6) seminars this year alone that explains users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.