The State of Maryland to Criminalize Ransomware Possession

• It is already a crime in Maryland to use ransomware in a way that costs victims money.
• Researchers and experts collectively believe that the only way to stop ransomware is to make ransomware operators unprofitable.

State lawmakers in Maryland recently heard arguments on a bill that makes the possession of ransomware a criminal offense.

What happened?

A bill (Senate Bill 30) was proposed in Maryland last week that, if formalized, will enact penalty on any Marylanders who knowingly possess ransomware to cause genuine harm.

• It may carry a penalty of up to 10 years imprisonment and/or a fine of up to $10,000.
• The bill also grants a victim of a ransomware attack the right to sue the hacker for damages in civil court.
• The proposed law doesn’t (presently) apply to cybersecurity researchers who could often be found in the possession of ransomware for research purposes.

The lead sponsor of the bill, senator Susan Lee said that it "gives prosecutors tools to charge offenders.”

Is the law the need of the hour?

In states like Michigan and California, the possession of ransomware is a declared criminal offense.

• A year ago, in January, the Salisbury, Maryland police department suffered a ransomware attack that locked them out of their computer systems.
• After four months, Baltimore's largest urban area was hit by a major ransomware attack. It is estimated to have cost the city around $18 million in damages.

Moreover, the state of Maryland already has a law in place against exploiting malicious technology in a way that costs victims money.

A look back at the history

It is not a question anymore whether ransomware is causing problems in the U.S. In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, and 1233 schools. The potential cost of these attacks was estimated at $7.5 billion.

Expert insights

Researchers and experts collectively believe that the only way to stop ransomware is to make ransomware operators unprofitable. To enable this, organizations must practice better cybersecurity to avoid paying ransoms.