Connect with us

Hi, what are you looking for?



Legislation Would Stiffen Penalties for Ransomware Attacks

Using ransomware to hold computers hostage would draw stiffer penalties under legislation — prompted in part by attacks on Maryland hospitals over the past few years — state lawmakers are considering.

Using ransomware to hold computers hostage would draw stiffer penalties under legislation — prompted in part by attacks on Maryland hospitals over the past few years — state lawmakers are considering.

The legislation, which would enforce tougher penalties for those convicted of ransomware crimes, was spurred by attacks like those on the University of Maryland Medical System in 2018 and on the Salisbury Police Department in January.

Hospitals and health care centers remain one of the most vulnerable industries to ransomware attacks, which could lead to disruptions of critical information systems, loss of data and even patient fatalities.

Maryland Senate bill 151, cross-filed with House bill 211, would define ransomware attacks that result in a loss greater than $1,000 as a felony, subject to a fine of up to $100,000 and a maximum sentence of 10 years in prison.

Under current Maryland laws, a ransomware attack that extorts a loss less than $10,000 is considered a misdemeanor, while a breach that results in a loss greater than $10,000 is a felony.

Ransomware is a specific malware software that allows hackers to seize control of and access to computers and the data stored within those devices.

The attackers then refuse to release control of the devices and information until a ransom is paid.

Advertisement. Scroll to continue reading.

Unpaid demands can create further problems for the victims: The ransom can increase or the hackers can permanently delete the data, according to a state analysis.

“Even when (victims) do pay the ransom there is not necessarily a guarantee that they will receive the data back,” Markus Rauschecker, the cybersecurity program manager for the University of Maryland Center for Health and Homeland Security, said during a bill hearing Jan. 31.

The bill will also introduce a new criminal offense, which prohibits violators from simply possessing ransomware with the intent to use it, with an exception for researchers, according to a state analysis.

The new legislation would authorize courts to award damages and cover attorney fees and costs for the victims of an attack, according to a state analysis.

“No industry is safe from ransomware, most importantly our hospitals,” bill sponsor Sen. Susan Lee, D-Montgomery, said.

Ransomware attacks on hospitals are a continuing problem across the country and often create major problems for the facilities, including loss of lives, misdiagnoses and other technological disadvantages for doctors and patients, Lee told Capital News Service.

In 2018, the University of Maryland Medical System’s information technology infrastructure was victim to an attempted malware infiltration.

The medical system was able to subdue the attack by implementing backup servers to ensure patient care was uninterrupted, according to a press statement.

“The most frightening part about (ransomware attacks) is that hospitals and health care sectors are especially vulnerable,” Rauschecker said. “This can ultimately mean deaths in hospitals.”

Attacks can have serious consequences due to a lack of access to electronic data or medical devices available to doctors and staff during a breach, Rauschecker said.

A 2017 Vanderbilt University research paper estimated that more than 2,000 deaths per year could be attributed to ransomware attacks on hospitals.

In 2016, Maryland’s MedStar Health system was subject to a ransomware attack that also targeted government agencies, cities and businesses around the nation. The hackers were able to get around $6 million and caused their victims to lose more than $30 million, according to a state analysis.

Rauschecker said that ransomware attacks are one of the “fast growing” areas within cyber crime.

SonicWall, a cyber-crime security company, reported about 181.5 million ransomware

attacks in the first six months of 2018 — more than doubled over the same time period in 2017, but a marked decrease from the rate of attacks in 2016.

“This bill passing will be the start of raising the concern of (ransomware attacks) and how big this problem is,” Maryland State’s Attorneys’ coordinator Steve Kroll said during the bill hearing.

In January, the Salisbury Police Department suffered a ransomware attack that affected their computer systems, including email and network servers, as well as its record management systems, Capt. Rich Kaiser said.

Kaiser emphasized that while the department had no access to data during the attack, there is no evidence of police department data being stolen due to an “intricate file backup system.”

Kevin Kornegay, a professor in the school of electrical and computer engineering at Morgan State University, theorizes that while cyber breaches are targeting big corporations, ransomware attacks remain a “massive threat to small (and) mid-sized businesses,” which in many instances often go unreported.

This is because ransomware attacks have commonly been found in “phishing emails” and websites with clickbait — often the attacks are minor — and small businesses tend not to report them, according to Kornegay.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...