Maryland Considers Criminalizing Ransomware Possession

Some Question Whether Such a Law Would Prove Effective

Maryland state capital in Annapolis (Source: Martin Falbisoner via Wikicommons/CC)

Maryland lawmakers are considering a bill that would make possession of ransomware a crime punishable by up to 10 years in prison and a $10,000 fine. Baltimore, the state's largest city, has been hit twice with ransomware attacks in the past two years.

Maryland would reportedly be the third state to criminalize possession of ransomware. Previously, California and Wyoming passed similar legislation.

But some analysts argue that such legislation does little to stem the tide of crypto-locking malware incidents.

"In order for criminalization to be an effective deterrent, law-breakers would need to know that there is a realistic likelihood of being caught and prosecuted," Fabian Wosar, CTO of security firm Emsisoft, tells Information Security Media Group. "The bottom line is, legislation such as this would have a near-zero impact and do nothing to reduce the frequency of ransomware attacks. A far more sensible strategy would be for states to focus on measures which would enhance security and resilience in the public sector - something which academic research and audits clearly demonstrate is very much needed."

What the Maryland Bill Would Do

Maryland's Senate Bill 30 would penalize individuals who possess ransomware with the "aim to introduce the malware in any computer, computer network, or the computer system of another person without the authorization of the other person." The proposed law makes exceptions for using ransomware for security research purposes.

"It's important to establish so criminals know it's a crime," State Senator Susan Lee, a Democrat who introduced the bill Jan. 13, told Capital News Service. "The bill gives prosecutors tools to charge offenders."

In 2017, Lee and other state senators introduced a similar proposed law, although the legislation went nowhere. In the previous bill, the lawmakers attempted to penalize ransomware attackers under the state's existing extortion law (see: Maryland Considers Singling Out Ransomware as a Crime).

The Maryland House of Delegates plans to debate its own ransomware criminalization bill on Jan. 28, according to the Capital News Service report.

Security Experts Skeptical

Lee claims the latest bill would help reduce the money local governments spend on defending against and then cleaning up after a ransomware attack. Security experts, however, are skeptical the law would act as a deterrent to cybercriminals who see ransomware attacks as lucrative.

In 2019, ransomware attacks affected over 100 state and municipal governments and agencies as well as more than 760 healthcare providers and over 90 universities, colleges and school districts, according to a study published by Emsisoft (see: Just How Widespread Is Ransomware Epidemic?).

Another 2019 report by security researchers from the University of Maryland, who conducted a nationwide survey of cybersecurity at government agencies in the U.S., noted that cyber hygiene practices at the local and municipal level are poor.

"While nearly half reported experiencing cyberattacks at least daily, one-third said that they did not know whether they were under attack, and nearly two-thirds said that they did not know whether their information systems had been breached," the report finds. "Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and a lack of adequate funding for it."

Attacks Against Baltimore

The Maryland bill comes at a time when Baltimore continues to recover from two ransomware attacks that disrupted municipal services for weeks.

In March 2018, a ransomware attack hit Baltimore's IT infrastructure. The attack affected the computer-assisted dispatch system, which was used to support the city's 911 and other emergency call services, Reuters reported.

Within a year of that incident, the city sustained another attack involving a ransomware variant called RobbinHood, which affected about 10,000 computers within the city's network. The attack resulted in the local authorities paying $10 million in recovery and forensic expenses and led to a loss of $8 million in revenue (see: Baltimore Ransomware Attack Costing City $18 Million).