Cybercrime

This article has been written by Aratrika Manhas pursuing the Diploma in Intellectual Property, Media, and Entertainment Laws from LawSikho.

This article has been edited and published by Shashwat Kaushik.

Introduction

Cyberextortion has provided the digital age with a veritable inducement that criminals are cashing in on this era. Ransomware attacks and business email compromises are new and evident threats in the escalating cyber threat environment in the modern digital ecosystem that targets users, businesses, and even governments. Cybercriminals employ such acts to force their targets into giving up some form of value, such as money or other resources, through vulnerabilities in Indian ICT systems. While ransomware is the process of locking down a victim’s data and demanding its decode for money, cyber extortion involves various approaches, such as threats to disclose information that has been stolen or cause disruptions. Analysing these cyber threats from an Indian perspective as well as an international perspective, this paper provides a comprehensive look into the legal and practical aspects of the issue.

Literature review

Cyber sophistication uses digital threats to be paid a stated ransom. This shows that legal procedures such as the Budapest Convention that spans the IT Act of 2000 worldwide in India and the CFAA are local legislation. Measures involving personnel comprise staff education, the use of organisational procedures in treating an incident, technological measures such as encryption and intrusion detection, and legislation that requires cooperation between private and government entities. Thus, our understanding of emerging threats, the process of looking at and comparing prison systems, and evaluating the impact of prophylactic treatments is still far from complete. 

Download Now

Cyber extortion in India

Cyber crimes are punishable under the Information Technology Act of the year 2000, along with the Bharatiya Nyaya Sanhita, 2024. The Information Technology Act of 2000 also addresses the aspects of computer crime as well as electronic commerce. However, in 2024, some amendments regarding the Act related to the definition and the provisions of cybercrime. Hence, laws under the Bharatiya Nyaya Sanhita, 2024, and the Reserve Bank of India Act were changed to enhance legally actionable cyber crimes.

Indian jurisdiction forbids cyber-blackmail also. Digital crime is when an individual taps into the system and captures or threatens to release confidential files or information for it to be returned safely. Cyber extortion is committed by hackers who will first target, for example, a system and then exploit the weak points/holes in an organisation’s security. As such, in the regular course of business activities and operations within a company. The CEO sends his trade secret on new-line men’s deodorants to his employees and sends this sensitive information via email. In this case, the hacker would hack into an official company email used by the CEO, and capture that information so he/she can ask for a ransom.

It is difficult to accept and apply new technological changes. The Indian Constitution does not explicitly locate the right to privacy, but rather it has been held in several cases that the said right is inherent in the constitution, particularly Article 21, which guarantees the right to life and personal liberty. It may be said without any doubt that this historic verdict of SC on the landmark case “K. S. Puttaswamy (Retd.) vs. Union of India” settled all disputes about privacy as an inherent right under Article 21 of the Indian Constitution. A case was filed against India and its Aadhaar scheme, alleging that it violated people’s rights to privacy specifically. In defence of the right to privacy as a fundamental right, the Supreme Court’s ruling holds a special place for data theft and the security of individuals’ data. This judgement has generated some fresh thinking around the Aadhaar Card and therefore towards six key rights endangered by its implementation.

Legal ramifications

According to the Bureau of Police Research and Development, Ministry of Home Affairs National Crime Records Year Book 2021, Volume II, every second cyber extortion case is registered in the national capital, Delhi, where all complaints say the accused knows the secrets. So there should be a written law for this legal judgement.

But alas the years-old Information Technology Act of 2000 does not have a definition of “cyber extortion,” and there is no provision to punish it as an offence since (fortunately or unfortunately) cyber-extortion itself was/is NOT a crime. The accused, however, can be booked under offences of Bharatiya Nyaya Sanhita 2024 (BNS), 2024, and the IT Act by using Section 303 (extortion) of BNS 2024, Section 351 (criminal intimidation) of BNS 2024, as well as section separately in the final agreement E(66E).

Section 66E deals with a violation of privacy where the capture, publication, and distribution of part or full area images of some private areas is leaked in that alleged picture. The accused could be imprisoned for up to 3 years and will have to pay a fine that may vary between Rs.

Extortion- Section 303 of BNS 2024, extortion means the offence of taking or attempting to take anything by force, serious coercion in such a way which instilled that person into fear adored or any other body property from one individual, compelling the said individual through certain Coercion with intent… Whoever commits the offence of extortion (section 383 to section 393) shall be punished with imprisonment up to two years or a fine or both.

In addition, Section 351 of BNS 2024 relates to the civil wrong of criminal intimidation, wherein a person puts another under threat of harm to the latter’s reputation, body, or property or to the reputation, body, or property of any person in whom the latter is interested. Thus, the purpose of threatening is to make the victim afraid and to compel him to act in a certain way or do something unlawful or restrain himself from doing something legal or something to which he has a right. This offence is criminal intimidation for which a person can be imprisoned for a term of up to two years with a fine or both.

However, even though presently there are the above-said sections under different statutes, it is imperative to have a section and a specific comprehensive provision for the offence of cyber extortion because, in the present age of the internet, Indian citizens, especially big business houses and women in society, are becoming the victims of this heinous crime.

Practical implications and prevention strategies

  • Regular backups:
    • Implement a comprehensive backup strategy that includes regular, automated backups of critical data.
    • Utilise offline backup services, such as external hard drives or cloud-based backup solutions to ensure data can be restored without having to pay a ransom.
    • Establish a backup schedule that creates multiple copies of the organisation’s data at different intervals, reducing the risk of data loss in case of a ransomware attack.
  • Patch management:
    • Implement a robust patch management process to identify and apply software updates promptly.
    • Regularly scan systems for missing patches and vulnerabilities that could be exploited by ransomware.
    • Prioritise patches for critical systems and applications known to be targeted by ransomware.
    • Monitor security advisories and notifications from software vendors to stay informed about new vulnerabilities and available patches.
  • Endpoint protection:
    • Deploy state-of-the-art endpoint protection solutions that provide real-time protection against ransomware.
    • Configure endpoint protection solutions to detect and block malicious activities associated with ransomware, such as suspicious file encryption, unauthorised network connections, and suspicious processes.
    • Implement a layered approach to endpoint protection, combining multiple security technologies such as antivirus, anti-malware, and intrusion detection systems.
    • Regularly update endpoint protection solutions with the latest threat definitions to ensure they can detect and block the latest ransomware variants.

Incident response

  • Containment and mitigation:
    • Isolating the affected computers from the network: This prevents the ransomware from spreading to other computers on the network.
    • Putting measures in place to discourage the spread of ransomware to other computers: This may include disabling network connections, blocking access to external media, and implementing antivirus software.
    • Backing up data: This ensures that the organization can recover its data if it is encrypted by the ransomware.
  • Communication:
    • Developing effective communication processes: This includes establishing a communication plan that identifies who is responsible for communicating with stakeholders and regulators, what information should be communicated, and when it should be communicated.
    • Alerting stakeholders and regulators: This includes notifying stakeholders and regulators of the ransomware attack, providing them with information about the attack, and recommending actions they can take to protect themselves.
    • Disseminating information about the incident: This includes providing information about the incident to the media, the public, and other interested parties.
  • Forensic analysis:
    • Determining the attack vector: This involves identifying the method used by the ransomware to infect the organization’s network.
    • Preventing similar breaches in the future: This involves implementing security measures to prevent future ransomware attacks, such as patching software vulnerabilities, implementing network segmentation, and training employees on cybersecurity best practices.
    • Learning from the attack: This involves conducting a post-mortem analysis of the attack to identify lessons learned and improve the organization’s security posture.

Ethical and public policy considerations

  1. Paying ransom:
    • Legal concerns: Paying ransom may violate anti-money laundering and anti-terrorism laws. These laws aim to prevent the financing of illegal activities and terrorist organisations. Ransoms paid to cybercriminals could potentially be used to fund such activities, leading to legal consequences for the organisation making the payment.
    • Moral and legal quandary: Paying ransom can create a moral and legal quandary for organisations. On the one hand, organisations may feel compelled to pay the ransom to protect their data and minimise disruption to their operations. On the other hand, paying ransom essentially rewards cybercriminals and encourages further attacks. Organisations must carefully weigh the ethical and legal implications of paying ransom before making a decision.
    • Additional cybercrimes: Paying ransom may inadvertently lead to additional cybercrimes. Cybercriminals may perceive the organisation as a lucrative target and continue to demand payments or carry out further attacks. This can create a vicious cycle of extortion and cybercrime.
  2. Transparency and disclosure:
    • Balancing Openness with Risks: Organisations face the challenge of balancing the demand for openness and transparency about cyberattacks with the potential risks associated with disclosure. Disclosing a cyberattack can damage the organisation’s image and reputation, erode customer trust, and invite legal challenges.
    • Legal requirements: Organisations may have legal obligations to report cyberattacks to regulatory bodies or law enforcement agencies. Failure to comply with these requirements could result in fines, penalties, or other legal consequences.
    • Risk to image and stakeholder relations: Disclosing a cyberattack can negatively impact the organisation’s image and reputation. It can also damage relationships with customers, partners, and investors, leading to lost business opportunities and decreased stakeholder confidence.

Conclusion

In the modern market where technology penetrates almost all spheres of human activity, cyber extortion is significant and a rather frequent threat due to the higher possibility of cyber information escalation. Thus, to mitigate the risks of performing such fatal attacks, everyone and any organisation must adhere to some set rules in cyber security and be careful. In the case of continuing computer programs, one has to install security measures, buy new software, educate the employees on the dangers, and establish continuity planning. Thus, awareness regarding cyber extortion should be raised, and appeals to actions related to technologies, police work, and common people should be made. Now it is the time to wake up and stand in unison to take up the fight and strengthen our ability to deal with the cybercriminals who wish to blackmail our digital/virtual assets.

References

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here