This article has been written by Chinwe Chukwuocha, pursuing the Diploma in US Technology Law and Paralegal Studies: Structuring, Contracts, Compliance, Disputes and Policy Advocacy, and has been edited by Oishika Banerji (Team Lawsikho). 

This article has been published by Sneha Mahawar.

Introduction

In the first half of 2022 alone, about 236.1 million ransomware attacks were recorded worldwide, and some forecasts project a 700% increase by 2025. The danger posed by ransomware is not abating. The losses from these attacks run into millions of dollars a year for individual victims and, taken together, into billions. Rather than fading, ransomware has moved on from conventional end-user devices to cloud services, data centres and enterprise infrastructure. It continues to evolve as threat actors adopt techniques that make the attack harder to detect and the data harder to recover without paying. It is one of today's most disruptive forms of cyber attack, putting victims out of business, forcing hospitals to turn away patients and bringing city, municipal and government services to a halt. The word is a blend of 'ransom' and 'malware': a ransom is money paid for the release of a thing or person held hostage, while malware is any software designed to damage, disrupt or infiltrate a file, computing system, server or an entire network of computing systems. Ransomware attacks are common and attackers keep innovating, targeting both individuals and organisations. This article presents an overview of the concepts and technicalities of ransomware attacks.


What is ransomware

Drawing from the literal meaning of ransom, ransomware holds a computing system or device hostage. It is malicious software that, once it has gained a foothold on a device, blocks access to the device or to its contents (typically by encrypting them) until a ransom is paid in exchange for restoring access. It is a form of malicious cyber attack on a computing system. 

A ransomware attack is defined in section 2240(14) of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as an incident that includes the use or threat of use of unauthorised or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability or integrity of electronic data stored on, processed by, or transiting an information system, in order to extort a demand for a ransom payment. According to the Act, a ransomware attack does not include any event where the demand for payment is:

  1. Not genuine or 
  2. Made in good faith by an entity in response to a specific request by the owner or operator of the information system.

This definition turns on the demand for a ransom payment rather than on whether anything is actually paid: the use or threat of use of malicious code must be made in order to extort such a demand. The demand need not be for money. 'Ransom payment' is defined in the same Act as 'a transmission of money or other property …', so an attack whose purpose is not financial gain still qualifies, provided something of value is demanded in exchange for the stolen or locked data. Note that CIRCIA is a reporting statute and creates no offence of its own; the criminal provisions are discussed under the legal analysis below. 

A ransomware attack exploits vulnerabilities or weaknesses in the computing system (a PC, laptop, IoT endpoint, tablet, server or an entire network of such systems) to gain access to it. The demand usually comes with a deadline; depending on whether it is met, the device is unlocked or the files decrypted, or the files are deleted, transferred, published or sold to an adversary or competitor.

These attacks have evolved over the years as attackers continue to devise several means to achieve their goals without detection. Technological advancements have also enabled the development of more creative ways to launch a ransomware attack. While users improve security measures for their devices and data, attackers also develop sophisticated means to exploit the vulnerabilities or loopholes in these security mechanisms by launching anonymous attacks.

Ransomware reaches a system through several routes: infected USB sticks inserted into a device, malicious pop-ups and social media links, malvertising (malicious code delivered through what appears to be a legitimate advertising network), trojanised programs, a traffic distribution system (TDS) that redirects visitors to an exploit or download page, or self-propagation from one infected machine to others on the same network. 

The ransom need not be monetary, so these attacks do not always aim at a financial payment. They may be used to obtain anything of interest or value to the attacker or to those sponsoring the attack, or purely for disruption, for example to destabilise an individual or organisation or to harm a competitor or political opponent. Section 2240(13) of CIRCIA lends weight to this by defining ransom payment as "the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack". The words 'other property or asset' show that the payment need not be financial in nature, which widens the Act's reach to any form of ransomware attack and payment.  

Beyond attacks on individuals and organisations, ransomware can be launched against states. Here the goal may not be financial at all but political: to disrupt state operations, to serve as a bargaining tool, or to obtain sensitive information. The 2017 NotPetya attack on Ukraine, attributed by several Western governments to Russia, is the standard example: it spread through Ukrainian networks encrypting systems under the guise of ransomware, but its 'ransom' mechanism could not actually recover the data, and its purpose was disruption rather than profit. If ransomware can serve as a bargaining tool, states may also deploy it for security-sensitive ends, for example to coerce another country into releasing a prisoner. That prospect reaches well beyond the present concerns. 

How does the attack work

Ransomware either blocks access to the computing device itself, so that the user is locked out, or encrypts specific files so that the user can still use the device but not those files. In both cases the user cannot reach valuable content until the ransom demand is met.

The attack usually begins with a phishing email. The email is designed to look as though it comes from a trusted source, so the user is likely to open it; the malicious payload is the attachment or link, not the message itself. Once the attachment is opened or the link followed, the malware runs on the device and locks it or encrypts its files. The malicious file commonly arrives as a downloadable PDF, Word or Excel document that appears to come from a trusted sender, often relying on macros or an embedded link to fetch the actual payload. Users should therefore be extra careful in opening and downloading unexpected files.

Attackers have also made themselves harder to pursue by demanding payment in cryptocurrency, which is pseudonymous and hard to attribute to a person (although transactions are recorded on a public ledger and can be traced), and by operating under anonymous identities. 

Stages involved in ransomware

These attacks go through various stages to compromise a computing device. 

  1. First, the system is infected. Malicious software is introduced either by the attacker, for example through a USB stick, or by the user unknowingly opening a phishing attachment, clicking a malicious advert, and so on.
  2. Second, the malicious code locates the targeted files and encrypts them, or locks the device, thereby blocking access to the device or to the selected files. The device is then effectively under the attacker's control.
  3. Third, a notification appears on the screen informing the user of the attack and demanding a ransom in exchange for unlocking the device or decrypting the affected files. Failure to meet the demand may lead to deletion or corruption of the files, or to the sale of sensitive data to adversaries or competitors. Many users comply to avoid these losses.
  4. Fourth, if the ransom is paid, the attacker is expected to supply the decryption key or tool that restores access. The ransom note carries the pay-for-decryption information: how to pay and how to obtain the decryptor afterwards. There is no guarantee that a working decryptor will be delivered, and paying does not remove the attacker's foothold; the initial access and any persistence still have to be found and cleaned up by the victim. 

Types of ransomware attacks

The different types of ransomware attacks are broadly categorised into two namely:

  1. Crypto ransomware
  2. Locker ransomware

Crypto ransomware

As the name suggests, this ransomware encrypts data. Encryption renders files unreadable without the key. The encryption may be symmetric or asymmetric. Symmetric encryption uses a single secret key both to encrypt and to decrypt, while asymmetric encryption uses a key pair: a public key to encrypt and a private key to decrypt. Modern families combine the two: each file is encrypted with a symmetric key generated on the victim's machine, and that key is in turn encrypted with the attacker's public key, so that only the attacker's private key, which never touches the victim's system, can unlock it. Without the right key the files cannot be recovered, and this is how the attacker gains the upper hand over the victim.
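The hybrid key hierarchy described above is what explains why a victim's own machine holds nothing that can recover the files, and it is also the substance of the encryption stage in the list of stages earlier in the article. The Go program below is an added example written for this article; it is not code from the original page or from any ransomware family. Each file gets a fresh random symmetric key, the content is sealed with AES-GCM, and that key is wrapped with the attacker's RSA public key, so only the holder of the private key can unwrap it. The document text, key sizes and the 'unrelated key' the victim tries are constructed for the demonstration, and everything stays in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is all that remains on the victim's disk: ciphertext, the AES-GCM
// nonce, and the per-file key wrapped under the attacker's RSA public key.
type LockedFile struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile models the encryption stage: a fresh random AES-256 key per file,
// AES-GCM for the content, RSA-OAEP to wrap that key with the attacker's public
// key. The matching private key never needs to be on the victim's machine.
func lockFile(attackerPub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // discard the plaintext key: only the wrapped copy survives
		fileKey[i] = 0
	}
	return &LockedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// unlockFile models the decryptor the attacker hands over after payment: unwrap
// the per-file key with the private key, then decrypt and authenticate the content.
func unlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// runScenario locks a constructed document, recovers it with the attacker's
// private key, and shows that an unrelated private key cannot. Both key pairs
// are generated here and nothing is written to disk.
func runScenario() (rightKeyRecovers, wrongKeyRecovers bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	unrelated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Constructed sample: Q3 payroll export, 1,204 rows (not real data)")
	locked, err := lockFile(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := unlockFile(attacker, locked)
	rightKeyRecovers = err == nil && string(got) == string(doc)
	_, err = unlockFile(unrelated, locked)
	wrongKeyRecovers = err == nil
	return rightKeyRecovers, wrongKeyRecovers, nil
}

func main() {
	right, wrong, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("right key recovers: %v, unrelated key recovers: %v\n", right, wrong)
}
```

The practical consequence for an incident responder is that memory forensics on the victim host only helps if the process is caught while a per-file key is still live; once the key has been wrapped and overwritten, the only route to the data is the attacker's private key or a backup. Families that have been broken in the past were broken because they got this hierarchy wrong (a reused or predictable symmetric key, or a private key left in the binary), not because AES or RSA were weak.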

Locker ransomware

This type of attack blocks the user's access to the computing device. It is also referred to as a 'screen locker'. The aim is to lock the victim out of the system completely, so that all of its contents, files and applications alike, are inaccessible. The ransom demand is then displayed on the screen with a deadline for payment and payment instructions. While crypto ransomware may attack only selected or sensitive files, locker ransomware blocks access to the entire system.

Statistics of ransomware attacks 

Over the years, ransomware attacks have increased and gained momentum as cybercriminals continue to devise more sophisticated ways of unleashing malware into computing devices. Statistics reveal an alarming increase in the number of attacks.

The rise in these attacks has been helped by the advent of cryptocurrencies such as bitcoin, ethereum, litecoin and ripple. Their transactions are recorded on a public ledger and so are traceable in principle, but wallet addresses are not tied to a verified identity, and mixing services and loosely regulated exchanges make it hard to link a payment to a person. This pseudonymity makes cryptocurrency the preferred mode of payment for cybercriminals.

In 2017, about five million dollars in ransom payments was recorded for the recovery of files, data and devices. By 2020 a record 304.6 million attacks were detected, and 2021 more than doubled that, with 188.9 million attacks in the second quarter alone and 623.3 million recorded worldwide by the end of the year. 

Most attacks have been attributed to:

  1. Inadvertent user action, for example clicking on a malicious email link. This accounted for 0.42% of the attacks recorded in 2012.
  2. Negligence by managers or administrators, for example failing to apply software patches, accounting for 43% of attacks in 2021.
  3. Deliberate activity by hackers, which dominated with 65% of attacks in 2021.

Major attacks target Windows, Mac-based and Linux devices. There are also significant attacks on health and financial institutions.

Forecasts put the global cost of ransomware above $42 billion by the end of 2024 and over $265 billion by 2031. Attacks are expected to grow by 700% by 2025, with at least 75% of organisations targeted. It is also expected that by 2025, 30% of countries will have passed regulations governing ransomware payments, fines and negotiations.

Legal analysis of ransomware attacks

The law has always played catch-up with technology, and ransomware cases are no exception. In most jurisdictions across the world there is no ransomware-specific law. These attacks, however, involve traditional criminal conduct, for example theft, extortion, defamation and fraud, so where there is no specific law the general penal and criminal legislation applies to them.

In the United States, for instance, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the primary federal legislation on computer crime. It provides both criminal penalties and a civil cause of action. Its offences include:

  1. Unauthorised access to computer systems, including obtaining information from a protected computer without authorisation (section 1030(a)(2)).
  2. Knowingly accessing a protected computer without authorisation, or in excess of authorisation, with intent to defraud (section 1030(a)(4)). This attracts imprisonment for up to five years for a first offence.
  3. Knowingly causing the transmission of a program or code that intentionally causes damage to a protected computer without authorisation (section 1030(a)(5)(A)), which is the provision that most directly describes encrypting a victim's files.
  4. Extortion involving computers (section 1030(a)(7)): transmitting, with intent to extort money or anything of value, a threat to damage a protected computer, a threat to obtain information from or impair the confidentiality of information on a protected computer, or a demand for money in relation to damage to a protected computer. This attracts imprisonment for up to five years for a first offence and up to ten years for a repeat offence. 

From the above provisions, it is clear that there are common ingredients in the offences of cybercrime and ransomware as the latter is in fact a subset of the former. This explains the ease with which the provisions of cybercrime laws across the globe can be used to address cases of ransomware attacks as seen in provisions of the  Federal Computer Fraud and Abuse Act (CFAA) reproduced above. If these ingredients are proven in a ransomware attack, then the CFAA can be adopted to punish offenders in the United States.

The reporting side of the picture changed in March 2022. The Strengthening American Cybersecurity Act of 2022 passed the Senate as a package of three bills, including the Federal Information Security Modernization Act of 2022 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Of these, CIRCIA was enacted on 15 March 2022, signed by President Biden as Division Y of the Consolidated Appropriations Act, 2022; the FISMA update was not enacted.

CIRCIA is aimed at strengthening the ability of critical infrastructure to prevent and respond quickly to cyber attacks. It requires covered entities in the critical infrastructure sectors to report covered cyber incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransom payments within 24 hours of the payment being made; these obligations take effect once CISA's implementing rule is in force. The Act further directs CISA to establish a ransomware vulnerability warning pilot to alert organisations whose systems carry vulnerabilities commonly exploited by ransomware operators, and it sets up a Joint Ransomware Task Force to coordinate federal and industry efforts against ransomware actors. This law will go a long way towards keeping organisations alert to cyber security incidents. 

Other important highlights of the Act include:

  • The rapid centralised aggregation and dissemination of real-time attack data. This entails information sharing and timely reporting of ransomware attacks especially as ransomware groups and attack methods become more sophisticated and frequent. It ensures information dissemination in real time which will be critical to mitigate these attacks.
  • The process of ransomware attack reporting entails having the right reporting tools and systems in place to address these attacks. The Cyber Incident Reporting Act which is embodied in this legislation mandates the timely report of these attacks.

In Nigeria too there is no ransomware-specific law, but, as in the United States, the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 covers offences of this nature. Sections 6, 8, 14, 16 and 32 of the Act, which prohibit unlawful access to a computer system, system interference, tampering with critical infrastructure, computer-related fraud and the spreading of viruses or other malware, apply directly to ransomware cases and are punishable, depending on the offence, by terms of imprisonment starting at three years, fines starting at one million naira, or both. In addition to legislation, case law is emerging and contributing to the growing body of law on ransomware across the globe. 

In 2022 the High Court of England and Wales delivered a notable judgment granting an injunction against the use and unlawful disclosure to third parties of data obtained in a ransomware attack. In XXX v Persons Unknown [2022] EWHC 2776 (KB), the claimant's databases were attacked, files were encrypted and made inaccessible, and a ransom note notified it of the attack. The attackers demanded a ransom of 8 million dollars in exchange for decryption and non-disclosure of the data. The claimant provides technology-led solutions for projects of national significance, so the data was highly classified, security-sensitive and protected by the Official Secrets Act 1989; for that reason the claimant's identity was anonymised. The court granted an injunction prohibiting the use of the data obtained in the attack. 

This decision is laudable for proceeding and making orders against unknown persons, since ransomware attackers are usually unidentified or operating under disguised identities. It does, however, raise the question of enforceability: how practicable is enforcement of such an order? 

It is trite law that orders of the court should not be made in vain or be speculative in nature. The order is commendable, but it can only be enforced against the attackers once their identity is known; it is also available against recipients of the data obtained in the attack, and will therefore be useful against future misuse or sale of the information to third parties.

Question of jurisdiction

Another issue raised in ransomware cases is jurisdiction where the attack is international in nature. Earlier in the article we established that these attacks might be launched from another state against critical government infrastructure, simply to disrupt operations or to use the information obtained as a bargaining tool. Where that is the case and data was obtained for political espionage,

  • How enforceable is such a judgment in the jurisdiction of another country or state?
  • To put it more concretely, what if the sensitive data obtained in XXX v Persons Unknown (2022), discussed above, is intended to be used outside the United Kingdom?

This raises the issue of state sovereignty in international relations, which is beyond the scope of this work. However, the NetWalker ransomware operation shows what states can do against international crime of this nature: in January 2021 a coordinated effort between United States and Bulgarian law enforcement took down the group's dark-web infrastructure, and an affiliate was charged, arrested and later extradited to the United States. 

Payment of ransomware

One critical aspect of ransomware attacks is the payment of the ransom. In most jurisdictions, paying a ransom to criminals in kidnapping or hostage situations is discouraged. Should the same approach be adopted for ransomware, especially where payment by the victim is the one (if uncertain) route to recovering the stolen data or preventing its disclosure to third parties?

There is no general prohibition of ransom payment in the US or the UK, but government and law enforcement advise against it. Guidance from the UK National Cyber Security Centre (NCSC) states that UK law enforcement does not encourage, condone or endorse the payment of ransom demands. Beyond that guidance, section 15(3) of the UK Terrorism Act 2000 makes it an offence to provide money or other property (and sections 15(1) and 15(2) to invite another to provide it, or to receive it) knowing, or having reasonable cause to suspect, that it will or may be used for the purposes of terrorism.

The Act defines terrorism as the use or threat of certain listed actions where that use or threat is designed to influence the government or an international governmental organisation or to intimidate the public, and is made for the purpose of advancing a political, religious, racial or ideological cause. The listed actions include any action designed seriously to interfere with or seriously to disrupt an electronic system. A ransomware attack that disrupts an electronic system in order to influence a government or intimidate the public therefore fits the definition. Read together, these provisions make a party liable for a ransom payment where it knows or reasonably suspects that the money will be used for terrorism. The party may, however, seek the consent of the National Crime Agency (NCA) before carrying out a transaction that would otherwise amount to an offence.

The UK Economic Crime (Transparency and Enforcement) Act 2022 also made breaches of financial sanctions a matter of strict liability for the purposes of civil monetary penalties, so a payment to a sanctioned individual or entity, such as a designated terrorist organisation, attracts a penalty whether or not the victim knew of the recipient's status. 

From the foregoing analysis, it is evident that the legal landscape in ransomware attacks is gradually taking shape and evolving. From injunctions against unknown attackers to internationally coordinated actions against the crime, states are definitely poised to put an end to this crime or at best mitigate it.

Prevention and detection 

While it might not be very easy to detect or completely eliminate ransomware attacks considering the sophisticated and evolving nature of the same, there are organisations committed to developing strategies and techniques to detect and avert these attacks. 

Preventive measures include maintaining backups that are kept offline or otherwise out of reach of a compromised host, and regularly testing that they can actually be restored, as well as applying ransomware protection in security tools such as email protection gateways and endpoint agents. Intrusion detection systems (IDSs) are also used to spot ransomware command and control traffic and to alert when a compromised system calls out to a control server. Training users to recognise these threats remains important. 
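One way to do the endpoint-side detection mentioned above is to watch for the behaviour that every crypto ransomware family shares: a single process writing many files of near-random content in a short time. The Go program below is an added example written for this article, not a product's or the original page's code. It computes the Shannon entropy of each write, ignores formats that are opaque by design (archives, images), and raises an alert as soon as one process makes five such writes inside ten seconds. The file-event trace, process names, paths and thresholds are all constructed for the demonstration and would need tuning in a real fleet.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"path/filepath"
	"time"
)

// FileEvent is one file write as an endpoint sensor might record it.
type FileEvent struct {
	At      time.Time
	Process string
	Path    string
	Content []byte // bytes written (or a leading sample of them)
}

// Alert names a process that wrote a burst of opaque files.
type Alert struct {
	Process string
	Files   []string
}

// Thresholds are assumptions for this example; tune them per fleet.
const (
	entropyFloor   = 7.0 // bits per byte; text and office documents sit well below this
	burstWindow    = 10 * time.Second
	burstThreshold = 5
)

// Formats that are legitimately high-entropy and therefore never counted.
var opaqueByDesign = map[string]bool{".zip": true, ".gz": true, ".7z": true, ".png": true, ".jpg": true, ".pdf": true}

// shannonEntropy returns the byte entropy of b in bits per byte (0 to 8).
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// detectBursts expects time-ordered events and alerts once a process has made burstThreshold opaque writes inside burstWindow.
func detectBursts(events []FileEvent) []Alert {
	recent := map[string][]FileEvent{} // suspicious writes per process still inside the window
	var alerts []Alert
	for _, ev := range events {
		if opaqueByDesign[filepath.Ext(ev.Path)] || shannonEntropy(ev.Content) < entropyFloor {
			continue // readable content, or a format that is opaque by design
		}
		q := append(recent[ev.Process], ev)
		for ev.At.Sub(q[0].At) > burstWindow { // expire writes that fell out of the window
			q = q[1:]
		}
		recent[ev.Process] = q
		if len(q) >= burstThreshold {
			a := Alert{Process: ev.Process}
			for _, s := range q {
				a.Files = append(a.Files, s.Path)
			}
			alerts = append(alerts, a)
			recent[ev.Process] = nil // a long-running encryptor keeps producing alerts
		}
	}
	return alerts
}

// sampleEvents is a constructed trace: a word processor saving a document, an archiver
// writing a zip, then an unknown binary rewriting six spreadsheets as opaque blobs.
func sampleEvents() []FileEvent {
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)
	plain := []byte("Meeting notes: review backup rotation, patch window and the quarterly restore test.")
	opaque := func() []byte { // random bytes stand in for ciphertext
		b := make([]byte, 4096)
		rand.Read(b) // crypto/rand.Read does not fail on supported platforms
		return b
	}
	evs := []FileEvent{{t0.Add(-5 * time.Second), "winword.exe", `C:\Users\ada\Documents\notes.docx`, plain},
		{t0.Add(-3 * time.Second), "7z.exe", `C:\Users\ada\archive.zip`, opaque()}}
	for i := 0; i < 6; i++ { // six .locked writes at 0.7 s intervals
		evs = append(evs, FileEvent{t0.Add(time.Duration(i) * 700 * time.Millisecond), "svc_update.exe",
			fmt.Sprintf(`C:\Users\ada\Documents\report%d.xlsx.locked`, i), opaque()})
	}
	return evs
}

func main() {
	for _, a := range detectBursts(sampleEvents()) {
		fmt.Printf("ALERT %s wrote %d opaque files within %s: %v\n", a.Process, len(a.Files), burstWindow, a.Files)
	}
}
```

In production the events come from a file-system filter driver, auditd or an EDR sensor rather than an in-memory slice, and the entropy test is usually paired with cheaper signals (many files acquiring the same new extension, or a planted canary file being touched) so that backup and compression tools do not trip the alert. The alert is only useful if something acts on it quickly, for example by suspending the offending process and isolating the host, because a modern encryptor can get through a user's documents in well under the ten-second window used here.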

Some organisations hold a reserve of cryptocurrency as a last-resort fallback for the case where other defences have failed and delay would bring immediate harm to customers or users. This should be weighed against the caveats set out above: law enforcement advises against paying, payment may be unlawful if the recipient is sanctioned or linked to terrorism, and paying gives no guarantee that the data will be recovered or that it will not be disclosed anyway. 

Conclusion 

Ransomware is one of the most devastating forms of cybercrime. Attackers have extorted huge sums, running into millions of dollars, from victims willing to pay to avoid exposure or loss of data. The attack finds and exploits vulnerabilities in the system, gains unguarded access to the business, moves inside the network, takes unnoticed control of the data, steals critical data or locks the user out of the device, and then the ransom demand arrives. Forecasts point to a sharp increase in ransomware attacks, which demands adopting the right measures and techniques, some of which are mentioned in this article, to detect, prevent or minimise the threat. It is therefore time to address the issue head-on. The Cyber Incident Reporting for Critical Infrastructure Act has laudable provisions directed at ransomware, for example timely reporting of attacks. Many covered entities and victims may nonetheless hesitate to report, for fear of lawsuits over the breach of data in their custody once the attack becomes public. This is where cyber insurance, an emerging product that protects institutions whose data has been compromised by a cyber attack, including against the cost of such lawsuits, becomes important. 
