A recent ransomware bill introduced into the Maryland General Assembly calls for steeper penalties for individuals who use the malicious software in such attacks.
Maryland Senator Susan Lee sponsored the bill, HB 340, which “creates a criminal offense pertaining to extortion conducted through unauthorized software.”
Violators could face up to 10 years in prison and/or a $10,000 maximum fine.
“Victims of ransomware attacks include ordinary citizens, small businesses, public libraries, hospitals, local governments, and larger businesses/entities,” the bill states. “Because the perpetrators are often based overseas, there is very little local and federal law enforcement can do, especially within the narrow window of time in which victims must pay a ransom.”
Current Maryland law already covers ransomware attacks under the state’s extortion statutes. Under those statutes, if the value of the property, labor, or services extorted is less than $1,000, the offense is classified as a misdemeanor.
While the classification of and penalties for statute violations vary based on the value of what is extorted, they could reach up to 25 years in prison with a $25,000 fine.
“A person who has the intent to unlawfully extort money, property, or anything of value from another may not knowingly create, place, or introduce without authorization software into a computer, computer system, or computer network (computer/system/network) if the software is designed to encrypt, lock, or otherwise restrict access or use by authorized users of the computer/system/network,” according to the bill.
Delegate Erek Barron is co-filing the bill, and told Maryland’s Capital News Service that he and Lee considered adding another provision that would allow for penalties against individuals who create ransomware. However, that provision did not make it into the bill’s final draft.
Lee also told the news source that how the bill would be implemented as law would be heavily influenced by judges and prosecutors.
The bill’s fiscal summary explains that there would be a minimal increase in state expenditures from the legislation’s incarceration penalty and that revenues are not affected.
There would also be a “potential meaningful impact on small businesses if the bill deters computer attacks against small businesses or if businesses subject to the prohibited activities can recover damages.”
A hospital system with locations in Maryland and Washington, DC, was the victim of a ransomware attack in 2016.
MedStar Health Network was forced to take email and EHR systems offline to prevent a virus from spreading throughout its network.
Healthcare providers in the network reportedly had to switch to a paper backup system while MedStar Health officials took down all system interfaces on the computer network. Healthcare staff could also reportedly not book appointments, access emails, or turn on their computers.
MedStar also requested that all emergency medical services temporarily be diverted from their facilities.
One month after the initial attack, it was reported that the ransomware attack stemmed from a known security flaw in the health network’s computer system. MedStar had been using JBoss, an application server with a recognized design flaw. The attackers used Samas, also known as “samsam,” a virus-like piece of software, to scan the Internet for vulnerable JBoss servers.
Security researchers had found that the JBoss application server was “routinely misconfigured to allow unauthorized outside users to gain control,” according to The Associated Press.
Several groups, including the US government, released warnings about the security flaw in February 2007 and March 2010. The warnings maintained that the security problem could allow unauthorized users to access confidential information and potentially disrupt business operations.
Assistant Vice President at MedStar Health Ann C. Nickles said in a statement to The Associated Press at the time that MedStar “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts.”
“We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information,” she said.