Legislation Would Stiffen Penalties for Ransomware Attacks

Using ransomware to hold computers hostage would draw stiffer penalties under legislation that state lawmakers are considering, prompted in part by attacks on Maryland hospitals over the past few years.

The legislation, which would enforce tougher penalties for those convicted of ransomware crimes, was spurred by attacks like those on the University of Maryland Medical System in 2018 and on the Salisbury Police Department in January.

Hospitals and health care centers remain one of the most vulnerable industries to ransomware attacks, which could lead to disruptions of critical information systems, loss of data and even patient fatalities.

Maryland Senate bill 151, cross-filed with House bill 211, would define ransomware attacks that result in a loss greater than $1,000 as a felony, subject to a fine of up to $100,000 and a maximum sentence of 10 years in prison.

Under current Maryland laws, a ransomware attack that extorts a loss less than $10,000 is considered a misdemeanor, while a breach that results in a loss greater than $10,000 is a felony.

Ransomware is a type of malware that allows hackers to seize control of and access to computers and the data stored on those devices.

The attackers then refuse to release control of the devices and information until a ransom is paid.

Unpaid demands can create further problems for the victims: The ransom can increase or the hackers can permanently delete the data, according to a state analysis.

“Even when (victims) do pay the ransom there is not necessarily a guarantee that they will receive the data back,” Markus Rauschecker, the cybersecurity program manager for the University of Maryland Center for Health and Homeland Security, said during a bill hearing Jan. 31.

The bill will also introduce a new criminal offense, which prohibits violators from simply possessing ransomware with the intent to use it, with an exception for researchers, according to a state analysis.

The new legislation would authorize courts to award damages and cover attorney fees and costs for the victims of an attack, according to a state analysis.

“No industry is safe from ransomware, most importantly our hospitals,” bill sponsor Sen. Susan Lee, D-Montgomery, said.

Ransomware attacks on hospitals are a continuing problem across the country and often create major problems for the facilities, including loss of lives, misdiagnoses and other technological disadvantages for doctors and patients, Lee told Capital News Service.

In 2018, the University of Maryland Medical System’s information technology infrastructure was victim to an attempted malware infiltration.

The medical system was able to subdue the attack by implementing backup servers to ensure patient care was uninterrupted, according to a press statement.

“The most frightening part about (ransomware attacks) is that hospitals and health care sectors are especially vulnerable,” Rauschecker said. “This can ultimately mean deaths in hospitals.”

Attacks can have serious consequences due to a lack of access to electronic data or medical devices available to doctors and staff during a breach, Rauschecker said.

A 2017 Vanderbilt University research paper estimated that more than 2,000 deaths per year could be attributed to ransomware attacks on hospitals.

In 2016, Maryland’s MedStar Health system was subject to a ransomware attack that also targeted government agencies, cities and businesses around the nation. The hackers were able to get around $6 million and caused their victims to lose more than $30 million, according to a state analysis.

Rauschecker said that ransomware attacks are one of the “fast growing” areas within cyber crime.

SonicWall, a cyber-crime security company, reported about 181.5 million ransomware attacks in the first six months of 2018, more than double the number over the same time period in 2017, but a marked decrease from the rate of attacks in 2016.

“This bill passing will be the start of raising the concern of (ransomware attacks) and how big this problem is,” Maryland State’s Attorneys’ coordinator Steve Kroll said during the bill hearing.

In January, the Salisbury Police Department suffered a ransomware attack that affected its computer systems, including email and network servers, as well as its record management systems, Capt. Rich Kaiser said.

Kaiser emphasized that while the department had no access to data during the attack, there is no evidence of police department data being stolen due to an “intricate file backup system.”

Kevin Kornegay, a professor in the school of electrical and computer engineering at Morgan State University, theorizes that while cyber breaches are targeting big corporations, ransomware attacks remain a “massive threat to small (and) mid-sized businesses,” which in many instances go unreported.

This is because ransomware attacks have commonly been found in “phishing emails” and websites with clickbait — often the attacks are minor — and small businesses tend not to report them, according to Kornegay.
