Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware.
A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court.
The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.
Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000.
The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.
Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders."
Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."
In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest urban conurbation, was hit by a ransomware attack that is estimated to have cost around $18m.
Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.
There's no denying that ransomware is causing problems in the United States. In 2019 alone, this type of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn.
According to a ransomware report by cybersecurity firm Emsisoft, "the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."