It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware.

The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself.

In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.

“This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware,” said California Sen. Bob Hertzberg, who sponsored the bill. “Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”

The new law in California makes the use of ransomware a felony.

Ransomware has grown from relatively humble beginnings into one of the bigger threats to users at the moment. There have been a number of high-profile attacks in the last year, including one at Hollywood Presbyterian Medical Center that cost the hospital $17,000 and took its network offline for days. Ransomware began mainly as a consumer problem, targeting individual victims for $100 or $200 a pop. But more recently, attackers have been going after enterprises, which offer a much bigger potential payday. And many enterprises are paying up.

Last month, researchers at IBM Security’s X-Force team released data showing that 70 percent of businesses infected by ransomware have paid to get their information back. And the ransoms they’re paying are far higher than what consumers typically pony up. Twenty percent of companies have paid more than $40,000 in ransom, IBM’s data shows.

The new law in California makes the use of ransomware a felony that is punishable by up to four years in prison.

“Extortion by ransomware is immensely costly and terrifying to victims whose data is held hostage,” Los Angeles County District Attorney Jackie Lacey said. “And when criminal hackers target hospitals, fire and rescue it threatens the public’s safety. SB 1137 has clarified California law to make sure that a criminal who infects computers or networks with ransomware can be prosecuted for extortion.”

Image: Jeff Turner, CC By license.