This article is more than 1 year old
Maryland: Make malware possession a crime! Yes, yes, researchers get a free pass
Hardened cybercrooks must be shaking in their boots
A US state that was struck by a ransomware attack last year is now proposing a local law that would ban possession of malicious software.
Local news website the Baltimore Fishbowl reported that Maryland's Senate heard arguments on Senate Bill SB0030, a proposition that would "label the possession and intent to use ransomware in a malicious manner as a misdemeanor" punishable with up to 10 years in prison and/or a $10,000 fine.
A local US Democratic Party politician, Susan Lee of Montgomery County, is the bill's lead sponsor. She told a local news agency: "It's important to establish so criminals know it's a crime," Sen. Lee said. "[The bill] gives prosecutors tools to charge offenders."
Baltimore, the largest city in Maryland, was struck twice by ransomware in 2018 and 2019. Last year's infection temporarily closed down various public sector institutions including the city council, mail servers for its police force and its legislative reference office, as we reported at the time.
A block-caps line of the bill itself (PDF, 5 pages) says: "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."
Brett Callow, a threat analyst from infosec biz Emsisoft, opined to The Register that this move to criminalise intentional possession of malware by miscreants is unlikely to "scare the pants off the anonymous cybercriminals who are already breaking myriad international laws and whose extortion schemes are earning them billions".
He said: "First, I doubt that too many people in Maryland actually possess ransomware (except for the cities which have been reluctant recipients of it, that is). Second, making something illegal doesn't help unless you can catch and prosecute those who break the law."
Callow also told El Reg a cautionary tale about a company called Southwire, which was struck by a ransomware attack. The attackers threatened to publish the stolen data unless Southwire paid them off; Southwire went to a local (US) court and obtained a takedown order on their website as well as a legal demand to return the data.
The attackers, part of the Maze ransomware gang, responded by simply mirroring their site in China, publishing what they said was 10 per cent of the stolen data and threatening to keep publishing it in 10 per cent packets unless the company paid up, as BleepingComputer reported.
Legal remedies for ransomware only work if you know who your attacker is and what jurisdiction they're in. Strangely enough, most ransomware gangs go to great lengths to ensure their victims can't work this out. ®