January 1 marked an important day in cybercrime penalties in California, as Senate Bill 1137 signed in September 2016 by Gov. Jerry Brown was finally enforced.

Under the bill, any criminal who infects a computer, system or network with ransomware could face up to four years in state prison. Because ransomware is a form of extortion, it will be punished as such. Wyoming passed a similar bill in 2014.

“This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware,” said Sen. Bob Hertzberg (D-Van Nuys). “Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”

Ransomware is a major threat to all users, as hackers now target not only private users, but businesses, hospitals and educational institutions as well. Ransomware payments in the US alone skyrocketed to over $209 million in the first quarter of 2016, from $25 million in 2015, according to FBI reports.

“Extortion by ransomware is immensely costly and terrifying to victims whose data is held hostage,” Los Angeles County District Attorney Jackie Lacey said. “And when criminal hackers target hospitals, fire and rescue it threatens the public’s safety. SB 1137 has clarified California law to make sure that a criminal who infects computers or networks with ransomware can be prosecuted for extortion.”

Although ransomware victims are strongly encouraged to refrain from paying ransom and immediately reach out to law enforcement, most hesitate to publicly admit such a breach for fear their reputation will suffer. However, in most cases paying ransom does not guarantee a decryption key.