Ransomware has been a leading cyber threat to public entities for quite some time. Now it looks like policymakers are also acknowledging the nastiness of cryptovirological attacks. Last week, Maryland’s state legislature approved bicameral legislation that would stiffen the penalties and punishments pertaining to ransomware activities.
Attacks on Healthcare Facilities: The Major Driving Force
Over the last two years, ransomware operators have deliberately targeted healthcare entities. Hospitals and other medical care entities are at their most vulnerable during downtime inflicted by any digital glitch. This is the major reason why cryptovirological operators are more interested in targeting them. Cybercriminals see better prospects of getting the extortion amount they bargain for in exchange for ransomware removal when the targeted organization can’t afford extended downtime.
Last year, the ransomware attack on the University of Maryland Medical System made the news. The cryptovirological attack on the entity disrupted many medical services for a couple of days, causing inconvenience to hundreds of patients. This was the tipping point that pushed state lawmakers to devise stricter punishments for ransomware operators. The cryptovirological attack on the Salisbury Police Department last month further pushed the legislature to wind up the bill drafting quickly.
The Bill Revises Previous Penalties and Sentences
It is important to mention here that Maryland had anti-ransomware laws even before the materialization of this bill. According to the previous penal classification, a ransomware attack causing losses of less than $10,000 was considered a misdemeanor. Meanwhile, ransomware-inflicted damages exceeding $10,000 were considered a felony.
The newly approved bill has significantly increased the penalty amount while lowering the threshold for a felony. Jail time has also been added to the punishments. Now, a ransomware operator causing $1,000 worth of losses will be subject to a penalty of more than $100,000. The guilty individual can also face a prison term of up to 10 years.
How Will the Losses Be Determined?
The cost of ransomware removal and recovery will be the primary factor in deciding the total losses caused by a ransomware attack. The potential losses due to downtime will also be factored into that cost. System upgrades, however, will not be included in estimating the fiscal extent of ransomware damages.
The Significance of the Bill
The bill is a major step toward creating an environment that can deter ambitious cybercriminals from launching cryptovirological attacks, particularly on public-sector organizations. The cost of ransomware attacks on public entities can shoot up into the millions. A very recent example is Atlanta’s municipal system, where authorities had to spend more than $10 million on ransomware removal, recovery, and digital infrastructure upgrades.
The legislation will be formally ratified into law after the signature of the state governor.