Ransomware: The Limitations of the Legal System
By: Ryan Johnston, November 10, 2016
Ransomware is on the rise; while is not a new form of cyber attack, the tools to launch ransomware attacks have become easier to obtain and use. Cyber criminals are targeting critical infrastructures, schools, hospitals, and other things essential to the survival of our nation. What is ransomware? How does it infect a network? And what can be done if you are attacked? These are the most important questions that can be asked to improve the “cyber hygiene” in both personal and professional settings.
Ransomware often comes disguised as a legitimate invoice, email, or fax. However, as soon as the attachment or link is opened they are directed to a website that infects their computer. Ransomware works by encrypting everything on and attached to the network it infected, or by simply keeping the user from being able to access the data, but leaving that data relatively untouched. Upon completing this process, messages will begin to appear detailing how to pay the ransom. Ransomware can be separated into two categories, locker ransomware and crypto ransomware. The main difference between the two is that locker ransomware prevents access to the system interface, whereas, crypto ransomware actively encrypts the files within a system so that a user can access them but will be unable to access the content.
However, if you or your business is attacked what methods of recourse are there for you? Shockingly, the answer is not many. The FBI asks that targets notify them, but there is often little they can or are willing to do. Notably the chief of the FBI’s cybercrime division Joseph Bonavolonta was quoted with telling cyber security experts “To be honest, we often advise people just to pay the ransom.” In a statement given to the Committee on the Judiciary, Deputy Assistant Attorney General Richard Dowing spoke at length about how the government is working closely with tech firms, as well as, local and state governments to stem the tide and inform people about what Ransomware is and does, but he also spoke to how the judicial system is handling these cases as well. Mr. Dowing stated that in order for law enforcement to be able to take on a botnet or system that may be distributing ransomware, first there must be more than 100 victim computers connected. Secondly, an injunction must be granted for seizure of this property. To obtain this injunction the government must file a civil suit against a defendant, and demonstrate to the judge the case is likely to succeed on the merits. All the while, the defendant may move to quash or modify any injunction the court issues.
If a case makes it to trial the laws generally applies are 18 U.S. Code §2701 (Fraud and Related activity in Connection with Computers), which makes the intentional access without authorization to a network illegal, and may carry a fine and imprisonment based on the severity of the breach. Similarly, 18 U.S. Code §1030 (Unlawful Access to Stored Communications) sets forth a criminal offense on extracting data from a network either public or private that is accessed without authorization. Punishments can vary depending on a host of factors, but the difficulty the system has in prosecuting cyber criminals is not of insufficient law with which to prosecute, but often of the inability to find the defendant. The crux of the argument is when the defendant is found; oftentimes they reside in a place with which the United States does not have the jurisdiction to make an arrest, and will likely never will.
While it is good that there is a system that the government must go through before it can begin seizing property, it notifies the operators of a botnet that they are being targeted. This gives those operators’ time to flee or shutdown the targeted sections of their botnet. Mr. Dowing stated “We believe that it should be illegal to sell or rent surreptitious control over infected computers to another person, just like it is already clearly illegal to sell or transfer computer passwords.” The largest botnet dismantled by the United States government was that of GameOver ZeuS. GameOver ZeuS was a botnet that systematically distributed a ransomware package known as cryptolocker to the over 300,000 computers it controlled. In order to combat GameOver ZeuS multiple nations came together to stop it at its source. This operation, which took months, if not years, to complete, was successful in breaking down the network the botnet operated on. However, due to there being no set of international laws that govern what to do regarding Ransomware arracks, no authority of the FBI or other investigative task force to operate in Russia, the creator of GameOver ZeuS, Evgeniy Mikhilovich Bogachev, still lives as a free man in Russia, and the owners of the computers he infected have had no legal recourse for the damages they sustained.
There are currently no legal recourses against those who have their computers infected and control of their system sold. Ransomware attacks have increased 300% in attacks seen per day from 2015 to 2016. They have and will continue to target critical infrastructure and the companies that we utilize everyday. There are many initiatives going on around the world trying to combat these attacks. The United States has partnered with the European Union to create the Privacy Shield Framework. This framework asks companies to work not only with the governments within the EU and USA, but it also encourages them to work together to disclose and threats, attacks, and solutions. This framework also helps to secure individuals by allowing them to opt out of having their personal data given to third parties by any company that complies with the framework. Unfortunately the framework is optional, there is no requirement to join, and the fee that comes with it may be seen as a disincentive to smaller corporations. The framework is a step in the right direction for helping to secure corporations, and individuals, but that does not help to prevent cybercrime in a meaningful way.
The policy that is being developed now and has been in the past has been mainly about treating the wounds of cybercrime. Ransomware is one of the oldest forms of attack and its growth in popularity means that information security research will continue to devote time and resources to defeat each new iteration. While current law and policy is effective if the enemy is known and within reach, it does little to help those that may be affected when the attacker is not right in front of us. The future of information security policy needs to continue to support research, prevention, and education, but also bolster the agencies and task forces that are responsible for working globally to help stop cybercrime. As technology and attack vectors evolve so must the tools that we have to defeat them.