Lawmakers in the US state of Maryland are debating a new bill that would make it illegal to own and distribute ransomware and would stiffen punishment for ransomware operators.
If the bill passes, Maryland would be the third state, after Michigan and Wyoming, to criminalize the possession and distribution of ransomware. The bill makes exceptions for penetration testing, security researchers, and other legitimate reasons to own ransomware.
While it might seem like a law with no teeth or purpose, it’s actually designed to give prosecutors the right tools. Democratic State Senator Susan Lee, the sponsor of the bill, enlisted the help of Markus Rauschecker, the Cybersecurity Program director of the University of Maryland Center for Health & Homeland Security.
“It’s important to send that signal. This bill highlights the threat and how big it is,” said Rauschecker to lawmakers, according to Capital News Service. If the bill becomes law, using ransomware would be classified as a misdemeanor and carry a penalty of up to ten years in jail and/or a fine up to $10,000.
The bill wasn’t proposed out of the blue. Hackers hit Baltimore, Maryland’s largest city, with a RobbinHood ransomware attack on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.
Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.
The current law in Maryland specifies that a cyberattack that incurs damages of less than $10,000 is a misdemeanor and carries a punishment of up to five years in prison and a fine up to $10,000. If the damages pass the $10,000 mark, it turns into a felony, and the punishment goes up to 10 years in prison.
The bill would dispense with limits for damages and raise the punishment to up to 10 years, even if it’s a misdemeanor. A new hearing for the ransomware bill is scheduled for January 28 in a House committee.