Legal and ethical implications of ransomware

Ransomware isn’t going away because people who get hit continue to pay. So don’t be one of those people who gets hit.

Experts estimate cybercriminals netted $1B in 2016 and there’s no sign of stopping as ransomware continues to be a highly lucrative, albeit unethical, business. As profits continue to soar, these entrepreneurial hackers continue to evolve with new ways to spread their wares, infect endpoints, steal valuable data, and demand money in exchange for its (hopefully) safe return. And once they find a new method to attack and profit, we see it rapidly used by other copycat attackers hoping to piggyback on the financial windfall.

One form of ransomware, dubbed “Popcorn Time,” (no relation to the P2P media software) was discovered by MalwareHunterTeam and introduces the concept of pyramid schemes to the world of ransomware. Popcorn Time locks your computer files until you pay the attacker a full bitcoin (around $800 USD at the time of this writing) or infect others through a link. If two or more of your infected victims pay the ransom, the attackers will decrypt your files for you. In the past, a common business model among attackers was to pay affiliates or middle men to spread infections on behalf of the attacker. This has been common for many years, and mirrors common legitimate business practices. In the case of Popcorn Time, the victims themselves turn into affiliates for the attacker.

It’s easy to picture situations where this will work. For example, a person with very little available funds, and who is desperate to get his/her data back, may not consider the ethical (or legal) implications of infecting friends or colleagues. The person may not even realise what he/she is doing. There are many uninformed people who will blindly follow instructions and send infection links to their entire social world. That’s bound to hook some new fish.

Let’s look at Popcorn Time from another angle. You also can imagine situations where someone gets hit with ransomware and then purposefully decides to pass the infection along to a handful of people they don't necessarily like. A business competitor or former boss, perhaps? An ex-boyfriend or girlfriend? The user would essentially kill two birds with one stone – spread the ransomware to exact some measure of revenge on someone, and if the new victims pay the ransom, get out of jail (so to speak) at the same time.

Liability and responsibility

But either scenario above opens a laundry list of legal and ethical questions. If a ransomware victim can prove a friend or colleague was the source of the initial infection, would the “spreader” be held civilly or criminally responsible for what essentially amounts to a new way of extortion?

Let’s pretend you became infected with ransomware similar to this and decided to send out infection referral links to everyone in your email address book. What if one of those infections hit a corporate network? What if that infection didn’t just attack the files of the single target victim, but the potentially thousands of files the target has access to across a corporate network? Clean-up could easily be in the thousands upon thousands of dollars. If a particularly skilled or savvy security professional could determine you sent his or her employee the ransomware, what’s to stop that company from starting civil action against you to recoup losses? Imagine if the infection really took hold inside that corporate environment due to poor security practices and took down some critical piece of infrastructure? You can bet someone will want answers.

On the legal side, what might happen if you were responsible for spreading an attack? In the United States, the Computer Fraud and Abuse Act (CFAA) will most certainly apply. 18 USC 1030 (5) says: “Whoever knowingly causes the transmission of a program… and as a result of such conduct, intentionally causes damage…” – and the penalties can result in as much as 10 years in prison.

In the United Kingdom, section 3 of the Computer Misuse Act would likely apply as well. The Act clearly states that a crime is committed if a person “does any act which causes an unauthorised modification of the contents of any computer.” Similar to the CFAA, a conviction under this Act can land you in prison for up to 10 years. Beyond the USA and the UK, though, there are bound to be many other laws and regulations that would apply if you took the low road and tried infecting others.

But beyond the legal implications of spreading infections is the ethical position facing the victim. Is it ethically sound to attempt to infect others just to get yourself out of a bind? Is there any scenario where one could say they acted ethically? Not likely. Besides, it’s just a really awful thing to do, even if you don’t like the people you’re infecting.

Conclusion

Most law enforcement groups make it clear that you should never pay the ransom, as the vast majority of the cash is reported to fund criminal organisations in places like Eastern Europe, Russia and Southeast Asia. Of course, the reality is never black and white: we all know of cases where people, companies, and even law enforcement agencies themselves, have paid up to restore access to data they can’t afford to lose.

Will the shift of recruiting the victims to be the affiliates themselves stick around? Why not, it provides attackers with another method of making cash quickly, and takes little effort to implement. But how about we take some time to discuss stopping ransomware, rather than addressing it. Stop opening unexpected attachments in your emails. If something arrives from someone you know, and you weren’t expecting that Word doc or Excel sheet? Call the sender and ask them if they sent it. Stop clicking on unexpected links in emails. Go directly to the site itself. And if the worst happens (and we all have mistakenly clicked or opened something we likely shouldn’t have) – have cold backups of the files and data most critical to you.

Ransomware isn’t going away because people who get hit continue to pay. So don’t be one of those people who gets hit.

Richard Henderson, global security strategist at Absolute
Image source: Shutterstock/Carlos Amarillo