This article has been written by Kiran Krishnan, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Since the beginning of the previous decade, ransomware attacks have increased significantly, and with them the importance of sound security practices in companies all over the world. Many sectors have been severely affected, including hospitals, financial services companies, colleges, universities and government agencies. Attackers target these sectors for various reasons, such as:
(i) Hospitals and financial services companies constantly require access to their files and are likely to pay the ransom promptly to restore access and avoid further disruption.
(ii) Colleges and universities are commonly not known for having strong security measures or a dedicated security team, yet they have a large and diverse user base.
To avoid ransomware attacks, companies are advised to have good security practices in place. Let us first understand what ransomware is and how it gains access to someone else's computer.
What is Ransomware?
Ransomware is malicious software whose objective is to take control of an individual's or company's device or computer system and restrict the victim's access to it. Ransomware fundamentally encrypts the files on the victim's device and offers to decrypt them, restoring access, only if the victim pays a sum of money. Payment does not guarantee recovery: the attacker may never supply a working decryption key.
Ways in which ransomware can access a computer
- Phishing or malicious attachments: The attacker drafts an email disguised as coming from a trusted source and adds an attachment. The attachment may be a Word document (typically with embedded macros) or a file in portable executable (PE) format. The recipient finds the mail believable enough to open it and then the attachment. The moment the file is opened (and, for an Office document, the moment the macros are enabled), the system or device is infected.
- Malicious URLs: This method is similar to phishing, but here the email contains malicious links. The email is disguised as coming from a trusted source and seems believable. The moment the recipient opens the URL, the link downloads the ransomware, or a small "dropper" that fetches it from the internet, and the device is infected.
- Exploit kits and malicious advertisements: Exploit kits are not ransomware themselves but delivery tools that take advantage of unpatched vulnerabilities in browsers and plugins. They are hosted on compromised or attacker-controlled sites. When a person visits a compromised site, advertisements on it may contain harmful code that redirects the browser to the exploit kit's landing page, sometimes without any click at all. Once the browser reaches that page, the kit probes it for a vulnerability it can exploit, executes malicious code and installs the ransomware, with no further action by the user.
Ways to prevent ransomware
- The person or company must build safeguards for data security. To do so, and to make sure its security tools can defend against any kind of malware, the company must keep the operating system and the applications on its computers (browsers, plugins, office suites) patched and up to date.
- The company, and every person or employee in it, must not install unknown software without knowing what it is and how it functions.
- The company should run an induction program that educates employees and other persons about the ways and methods attackers use to deliver ransomware.
- The company must ensure file name extensions are shown on its computer systems. Windows hides the extensions of known file types by default; turning this off lets the user see the true type of a file, so that a disguised executable such as "invoice.pdf.exe" is recognised as harmful rather than mistaken for a PDF.
- The company must investigate and remediate any breach of its physical or technical safeguards.
- The company must use anti-virus software and set it to update automatically. The anti-virus software must be capable of detecting malicious software, files or programs such as ransomware.
- The company must maintain up-to-date firewalls, especially for internet access. A firewall protects the computers from unauthorised network access, including traffic used in ransomware attacks.
- The company must back up its computer systems frequently. Backups do not prevent an infection, but the company will at least retain access to its files and the attack will not bring its daily operations to a halt. Backups must be kept offline or otherwise unreachable from the normal network, and restores must be tested, because ransomware commonly seeks out and encrypts any backup it can reach.
- Employees and other persons in the company must not answer or reply to suspicious emails, and must not click on links in them. If they receive suspicious calls, they must contact the company's IT team for assistance or guidance.
- All emails received on each of the company's computer devices must be scanned using content scanning technology so that any threat they contain, whether in an attachment or in the message body, is blocked.
- The company must employ strong and effective spam filters that prevent malicious emails from being delivered to the computer devices.
- The company must ensure that it deactivates the Windows "AutoPlay" feature on all its devices. When AutoPlay is on, it automatically runs the content of a USB drive, memory card or CD as soon as the drive is inserted, which allows ransomware on the removable media to reach the user's computer without any further action.
- The company must implement two-factor authentication for VPN and other remote-access users.
- The company must have its data backups encrypted.
- The company must store electronic client information on a server that can be accessed only after authentication with a password or stronger credential. Such a server must be kept in a physically secure area.
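The attachment-based delivery described under "Ways in which ransomware can access a computer", and the two preventive measures above that depend on file types (showing file name extensions and content-scanning incoming email), can be combined into a simple triage check. The following is an added example written for this page, not code from the original article or from any product: it judges an attachment by its content (the MZ header of a Windows executable, the zip or OLE container of an Office file, the presence of an embedded VBA project) as well as by its name (executable extensions, double extensions such as ".pdf.exe", macro-enabled Office formats). The sample attachments at the bottom are constructed stand-ins, not real files, and the function and variable names are the example's own.

```python
"""Attachment triage: judge an e-mail attachment by its content, not only its name.
Added example for this article; the sample attachments below are constructed."""
import io
import zipfile

# Well-known signatures found at offset 0 of common file types.
PE_MAGIC = b"MZ"                                  # Windows portable executable
ZIP_MAGIC = b"PK\x03\x04"                         # .zip and Office Open XML (.docx/.xlsx)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file)
EXPECTED_MAGIC = {
    "pdf": b"%PDF", "docx": ZIP_MAGIC, "xlsx": ZIP_MAGIC, "pptx": ZIP_MAGIC,
    "zip": ZIP_MAGIC, "doc": OLE_MAGIC, "xls": OLE_MAGIC, "png": b"\x89PNG",
    "jpg": b"\xff\xd8", "jpeg": b"\xff\xd8",
}
# Extensions Windows runs as a program or script when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll",
                   "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "lnk"}
# Office formats that are allowed to carry VBA macros.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xlam", "pptm"}


def extensions(filename):
    """All extension parts, lowercased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def has_vba_project(data):
    """True if an Office Open XML (zip) container embeds a VBA project."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""

    if data.startswith(PE_MAGIC):
        findings.append("content is a Windows executable (MZ header)")
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable/script extension .{last}")
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        findings.append(f"double extension '{filename}' disguises the real type")
    if last in MACRO_EXTS:
        findings.append(f"macro-enabled Office format .{last}")
    if has_vba_project(data):
        findings.append("Office document embeds a VBA project (macros)")
    expected = EXPECTED_MAGIC.get(last)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match the .{last} extension")
    return findings


def should_block(filename, data):
    """Block on any finding; a mail gateway would quarantine rather than deliver."""
    return bool(triage_attachment(filename, data))


def make_docx(with_macro):
    """Constructed sample: a minimal Office Open XML container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (fabricated stand-ins, not real malware).
SAMPLES = {
    "quarterly_report.docx": make_docx(with_macro=False),
    "invoice.docm": make_docx(with_macro=True),
    "Invoice_2021.pdf.exe": PE_MAGIC + b"\x90" * 62,
    "statement.pdf": PE_MAGIC + b"\x90" * 62,        # executable renamed to .pdf
    "agenda.pdf": b"%PDF-1.4\n%constructed\n",
    "notes.txt": b"plain text, nothing to see\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = "BLOCK" if should_block(name, blob) else "allow"
        detail = "; ".join(triage_attachment(name, blob)) or "no findings"
        print(f"{verdict:5} {name}: {detail}")
```

Run stand-alone, the script blocks "Invoice_2021.pdf.exe" (MZ header, executable extension and double extension), "statement.pdf" (an executable renamed to look like a PDF) and "invoice.docm" (macro-enabled format with an embedded VBA project), and allows the plain PDF, text file and macro-free .docx. The mismatch check is the important one in practice: a renamed executable passes an extension-only filter but not a content check, which is why the article recommends scanning content rather than relying on file names.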
Laws across the world governing ransomware
Information Technology Act, 2000
Although cyber-crime is not defined under the Information Technology Act, 2000 ("IT Act") or the IT Amendment Act, 2008, the IT Act nonetheless covers cyber-crime, since the provisions relating to cyber offences are set out in it. Because cyber-crime is an offence involving the targeting or attacking of a computer or computer network, the IT Act's definitions of terms such as computer, computer network, computer resource, data and information are of the essence. The IT Act came into force in 2000.
- Section 43 of the IT Act provides recourse in the form of compensation to the owner of a computer or computer system when a person or entity damages or destroys that computer or computer system.
- Section 66 of the IT Act punishes a person who dishonestly or fraudulently commits any act referred to in Section 43 with imprisonment for a term extending to 3 years, or with a fine extending to Rs. 5 lakh, or with both.
Sections 66B, 66C, 66D and 66F of the IT Act punish a person who:
- Section 66B: dishonestly receives or retains a stolen computer resource, knowing it to be stolen, with imprisonment for a term extending to 3 years, or with a fine extending to Rs. 1 lakh, or with both.
- Section 66C: fraudulently or dishonestly makes use of the electronic signature or password of another person, with imprisonment extending to 3 years and a fine extending to Rs. 1 lakh.
- Section 66D: by means of any communication device or computer resource, cheats by impersonation, with imprisonment extending to 3 years and a fine extending to Rs. 1 lakh.
- Section 66F: with intent to threaten the unity, integrity, security or sovereignty of India, (a) denies access to any person authorised to access a computer resource, (b) attempts to penetrate or access a computer resource without authorisation, or (c) introduces a computer contaminant such as a virus, Trojan or other malware, and by such conduct causes or is likely to cause death or injury to persons or damage to or destruction of property, with imprisonment which may extend to imprisonment for life.
Indian Penal Code, 1860 (“IPC”)
The IPC also punishes those involved in identity theft and cyber fraud. The relevant sections of the IPC include Section 464 (making a false document or false electronic record), Section 465 (punishment for forgery), Section 468 (forgery for the purpose of cheating, including a forged electronic record), Section 469 (forgery for the purpose of harming reputation, including a forged electronic record) and Section 471 (using as genuine a forged document or electronic record).
Electronic Communications Privacy Act (ECPA)
The ECPA provides that any person who intentionally intercepts wire, oral or electronic communications shall be punished with imprisonment of up to 5 years, or with a fine of up to $250,000 (for individuals) or up to $500,000 (for organisations), or with both. Therefore, if ransomware is employed to intercept personal information stored in texts, video messages, emails or any other communication, the aggrieved party or victim can seek recourse under the ECPA.
Note: The term "electronic communications" encompasses radio and data transmissions generally but excludes certain radio transmissions that can be innocently captured without great difficulty. Even when a radio transmission meets the definition, Title III's general exemption may render its capture innocent.
Computer Fraud and Abuse Act (CFAA)
Section 1030(a)(5) of the CFAA provides that any person who:
- (a)(5)(A): knowingly causes the transmission of a program, information, code or command and, as a result of such conduct, intentionally causes damage without authorisation to a protected computer; or
- (a)(5)(B): intentionally accesses a protected computer without authorisation and, as a result of such conduct, recklessly causes damage; or
- (a)(5)(C): intentionally accesses a protected computer without authorisation and, as a result of such conduct, causes damage and loss,
shall be punished with the criminal penalties set out for Section 1030(a)(5) in Section 1030(c).
Ransomware has evolved gradually over the years. What started as a virus that locked computer screens and displayed a message or an inappropriate image has given way to more sophisticated attacks that creep into devices through email attachments, URLs in emails, or advertisements carrying malicious code on websites. With every passing day, attackers become more creative and effective at using social engineering to manipulate a person in the company into downloading a malicious file or handing over personal information. This is a cause for concern for companies, and they should therefore work proactively to run security awareness programs on a frequent basis. Such programs should include periodic sessions on the importance of security and on the different types of phishing messages attackers use. Having effective policies and procedures in place will not only ensure that the company's operations are performed in a systematic manner but also help establish trust with the company's clients.