On Monday, Michigan Governor Rick Snyder signed two bills into law that criminalize the possession of ransomware "with the intent to introduce it into a computer or computer network without authorization" and punish offenders with a three-year prison sentence, respectively.

Legislators initially sought a ten-year prison sentence, but this was knocked down to three years in subsequent deliberations.

Two new laws correct a legislative loophole

The two new laws (PAs 95 and 96 of 2018) are based on two bills (HB-5257 and HB-5258) introduced last year by Michigan House Representative Brandt Iden, of Oshtemo, and Representative James Lower, of Cedar Lake, respectively.

Rep. Iden said he wanted to correct a legislative loophole that only punished cybercriminals for using the ransomware, but not possessing it.

According to the new bill, if a suspected cybercriminal is arrested and ransomware is found on his computer, the suspect would end up in prison, even if he didn't get to infect any victims. This, in theory, should make it easier for state authorities to go after suspected ransomware developers, affiliates, and others involved in Ransomware-as-a-Service operations.

As with most crimes, investigators must prove "intent to use" before charging someone with ransomware possession, which is now a felony.

Michigan legislators weren't absurd, unlike their Georgia fellows, and left room for security experts to possess ransomware for research purposes.

1,300+ ransomware incidents reported in Michigan last year

According to FBI statistics, there were over 1,300 ransomware incidents reported in the state of Michigan last year, with damages estimated at around $2.6 million.

"Cybercrime and tough measures to combat it is a rapidly evolving effort, and it’s integral our law enforcement agencies have the tools to identify, prevent and penalize it," Gov. Snyder said on Monday.

Both bills passed with the same vote tallies, 103 to 3 in the House, and 34 to 0 in the Michigan Senate.