A few short years ago not many people had heard of ransomware or cryptojacking, growing variants of cyber crime in which computers are either locked down by a virus which demands payment in order to unlock the affected system's files or hijacked to mine for cryptocurrencies.
That is starting to change. Since 2012, ransomware has exploded in popularity and is now responsible for the largest attacks in internet history, while cryptojacking is starting to become even more popular than that.
The relative novelty of these cybercrimes means that in many cases the laws have yet to catch up - while all 50 states have laws against unauthorized computer access, only a few states have made possessing or using ransomware a crime and none have explicitly addressed cryptojacking.
The first instance of a law against ransomware was back in September of 2016, when California modified its laws on extortion to include ransomware attacks, subjecting offenders to 2-4 year jail terms.
Wyoming, Texas, and Connecticut passed related laws in 2017.
Wyoming created the new felony crime of 'computer extortion', making the use of ransomware punishable by up to 10 years in prison. Connecticut did the same, though it only assigned a maximum of 3 years behind bars. Texas was more restrained - 'electronic data tampering' is only a misdemeanor in the Lone Star State unless the amount of the ransom is particularly high.
Michigan joined in earlier this year with two laws prohibiting possession of ransomware, punishable by up to 3 years in jail, but so far only these five states have enacted laws to address this phenomenon.
That may change, but not only have very few states even looked at these issues, multiple efforts to put such laws on the books have failed. Two Maryland bills which would have taken up the matter died in committee before the legislature adjourned. Vermont introduced a bill in February of 2017 which was referred to a committee that never took it up.
Pennsylvania is considering a bill introduced August 9th of 2018 which would make the use of ransomware a third degree felony, but no other state has taken any recent steps on this subject.
Existing laws in most states could likely be used to prosecute the use of ransomware and illicit cryptojacking. But without explicit prohibitions on the books, the nature of the legal system makes securing convictions much less likely.
Cryptojacking, for example, was originally designed as a legal alternative to advertising as a way for websites to generate revenue and, according to Robert Clinton at the blog Cyberbeartracks, "there are certainly means of gaining authorization for browser-based mining that would appear to prevent any illegality."
Laws are often slow to catch up with new trends, but hopefully more states will take action on these before another WannaCry strikes.
In the meantime, consider holding some bitcoin in reserve in case you're hit with a ransomware attack, and keep an eye on your devices' performance for hints that you may have been cryptojacked.