California lawmakers may classify ransomware as extortion

A California bill that would classify ransomware schemes as extortion has been approved by the state Assembly. If Governor Jerry Brown signs off on the bill, it will drastically alter the way California prosecutes one of the most common forms of cyber crime.

The bill was proposed by State Senator Robert Hertzberg. If passed, it would add to a long list of existing state cyber crime laws but be the first to address ransomware specifically. Prosecutors would be able to send anyone convicted to two to four years in prison.

In a published statement, Hertzberg compared ransomware to a stickup. He went on to specifically reference a ransomware attack in February targeted at Hollywood Presbyterian Medical Center that netted $17,000.

The bill has been widely supported by California law enforcement agencies, including the California Police Chiefs Association and the California Statewide Law Enforcement Association. It was also supported by Los Angeles County District Attorney Jackie Lacey, who helped to introduce S.B. 1137.

A report from Lacey’s office noted that prosecutors currently have no way to apply existing laws to ransomware attacks. Current extortion laws describe the crime as obtaining property with someone’s consent by using the threat of force or exposure.

In a ransomware attack, the threat has already been perpetrated by denying the user access to files and applications. The user then has to pay to undo the damage. This is a small distinction, but one that has proved to be an obstacle for prosecutors motivated to strike back against a growing wave of ransomware attacks.

California’s large and influential tech community also came out in favor of the bill. A trade lobbying group called TechNet that represents major players like Apple, Google, Microsoft, and Facebook helped to introduce the bill.

In a statement released by the group, Executive Director Andrea Deveau commented, “Hospitals, data centers, retailers, financial institutions and many others are becoming growing targets for the perpetrators. S.B. 1137 provides a clear signal to these criminals that ransomware is a criminal act and will be prosecuted as such.”

The lone group to come out in opposition to the bill was the nonprofit Legal Service for Prisoners with Children. They contend that existing laws are already adequate to prosecute ransomware and that a larger definition of extortion would only further penalize some already in the penal system.

Security vendor Symantec reported responding to an average of 4,000 ransomware attacks a day beginning at the start of Q1 2016. That is four times the rate reported at the same time last year.