Hackers who launch ransomware attacks would face felony charges and stiffer penalties under recent legislation proposed by Maryland state Senators and cross-filed with House members.
The bill's leading definition of ransomware directly names hackers who attempt to interrupt or impair the function of a healthcare organization. Because healthcare is one of the largest ransomware targets, given its need for constant data access, the law is meant to crack down on those cybercriminals.
Notably, Maryland’s MedStar Health System was one of the early victims of a crippling ransomware attack in 2016. The cybercriminals exploited a JBoss server flaw to encrypt patient files and demanded $16,000 to unlock the files. MedStar did not pay the ransom.
Currently, Maryland law defines ransomware attacks that attempt to extort $10,000 and under as a misdemeanor, while a ransomware breach that exceeds $10,000 would be a felony.
The proposed legislation would make a ransomware attack that results in losses greater than $1,000 a felony. Hackers would also be subject to a fine of up to $100,000 and a 10-year maximum prison sentence.
Further, the legislation introduced a new criminal offense that prohibits cybercriminals from possessing ransomware with the intent to use the virus. Researchers would be exempt from the rule. It would also allow courts to cover victims’ attorney fees and court costs, as well as award damages.
“The bill also authorizes a person who has suffered a specific and direct injury because of a violation … to bring a civil action in a court of competent jurisdiction, [and] establishes that a conviction for the applicable offense is not a prerequisite for maintenance of the civil action,” the bill authors wrote.
According to officials, the legislation is designed to have a meaningful impact for small businesses awarded damages under civil action.
“Unpaid ransoms can result in escalating demands or permanent loss of data,” the bill authors wrote. “Because the perpetrators are often based overseas, there is very little local and federal law enforcement can do, especially within the narrow window of time in which victims must pay a ransom.”
While ransomware attacks have slowed in other industries, healthcare remains a prime target for hackers. There’s been a steady flow of reported ransomware attacks and breaches since hackers began ramping up attacks in 2016.