Lawmakers in the US State of Maryland are debating a new
bill that would make it illegal to own and distribute ransomware, and stiffens
punishment for ransomware operators.
If the bill passes, Maryland would be the third state, after
Michigan and Wyoming, to criminalize the possession and distribution of
ransomware. The bill makes exceptions for
penetration testing, security researchers, and other legitimate reasons to own
ransomware.
While it might seem like a law with no teeth or purpose,
it’s actually designed to give prosecutors the right tools. Democrat State Senator
Susan Lee, the sponsor of the bill, enrolled the help of Markus Rauschecker,
the Cybersecurity Program director of the University of Maryland Center for
Health & Homeland Security.
“It’s important to send that signal. This bill highlights the threat and how big it is,” said Rauschecker to lawmakers, according to Capital News Service. If the bill becomes law, using ransomware would be classified as a misdemeanor and carry a penalty of up to ten years in jail and/or a fine up to $10,000.
The bill wasn’t proposed out of the blue. Hackers hit Baltimore, Maryland’s largest city, with a RobbinHood ransomware attack on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.
Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.
The current law in Maryland specifies that a cyberattack
that incurs damages of less than $10,000 is a misdemeanor and carries a punishment
of up to five years in prison and a fine up to $10,000. If the damages pass the
$10,000 mark, it turns into a felony, and the punishment goes up to 10 years in
prison.
The bill would dispense with limits for damages and raises
the punishment to up to 10 years, even if it’s a misdemeanor. A new hearing for
the ransomware bill is scheduled for January 28 in a House committee.