Ransomware is not a new threat, it has been around for at least 15 years, but it has become a trending and damaging one. The cybercriminal’s objective of ransomware is to hold computers and in some cases networks hostage in return for some sort of electronic payment. No one is immune, including corporations, universities, hospitals, critical infrastructure and even cities (i.e. Baltimore, Atlanta) to these incursions.
Many criminal gangs are now using ransomware as a weapon of choice as the risks are low of being prosecuted and the monetary rewards can be high. The threat in itself is alarming. Ransomware already has had a devastating impact on companies, and localities, and poses a real threat to human lives, such as hospitals who can’t treat patients.
It is estimated that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code. Success for hackers does not always depend on using the newest and most sophisticated malware. It is relatively easy for a hacker to do. In most cases, they rely on the most opportune target of vulnerability, especially with the ease of online attacks.
A key question in the cybersecurity community and a growing area of concern is how do we stop hackers from using ransomware as a weapon of choice?
Perhaps one answer to prosecute them and hold them accountable for their crimes.
There are approximately 2.3 million people in American correctional facilities across 1,719 state prisons, 109 federal prisons, 1,772 juvenile lockups, 3,163 local jails, and 80 Indian county jails as well as military, immigration, civil, state psychiatric hospitals and prison in US territories, which results in the US having the highest incarceration rate in the world. Not only that, there are an additional 3.6m people on probation and 840k on parole. That is almost 7 million people in total. (Prison.org, n.d.).
We have tried to search for verified statistics on incarcerations for cyber crimes but aren’t finding much. How do we get reliable statistics for the conviction and sentencing of cybercriminals who are using ransomware as their weapon of choice?
Here are a few examples we chose to demonstrate how the Justice system approaches financially motivated white-collar crime and armed robbery. In December of 2018, a 31-year-old male with no prior arrests was convicted and sentenced to five years in prison for defrauding 18 investors out of $869k in a start-up scam. The same month, a 54-year old male with two prior convictions was sentenced to four consecutive life sentences for robbing three convenience stores in a 24-hr period, armed with a knife (no one was hurt). (htt) We can correlate that the threat of physical harm (and recidivism) substantially increases the sentence. Certainly, shutting down critical systems in a hospital is analogous to threatening physical harm for financial gain, even if patients were not hurt. Though, what if a patient were to suffer physically or die? What would be the appropriate law enforcement response or court sentence?
Unfortunately, we cannot locate much of any data on law enforcement support, conviction statistics, or sentencing. We searched the FBI Uniform Crime Reporting (UCR) Program, the Bureau of Justice Statistics, and broad internet searches. Below is the typical result we found:
The best data we did locate, analyzed crime from 2006-2010:
“Data from the United States Department of Justice (2010) shows that for the five-year period of 2006 – 2010 a total of 1,177 individuals were convicted and sentenced for cyber crimes. Of these, only 51.7% (n=608) received a sentence including any prison time. Of those receiving jail time, one-third (34.9) was sentenced to 12 months or less and only 6.7% were sentenced to more than 60 months of incarceration.” (cybercrimejournal.com, n.d.).
These statistics represented an average of 152 per year jailed convicts which is .006% of the total number of people incarcerated in the US during that time frame. Presently, the industry is expecting Cybercrime damages to reach $6 trillion by 2021. This being the case, why aren’t the FBI, Bureau of Justice, and other agencies tracking the crimes and convictions? Is it because they aren’t arresting and convicting these criminals? How can we deter this type of crime if our law enforcement agencies aren’t even attempting to deter ransomware-based crimes?
In the world we live in, the finger will likely begin to be pointed at the victims versus the criminals. So, the question arises as to whether it should be illegal for the victims to pay the ransom. We can confidently state that every dollar paid to the cybercriminals goes into funding their next attack(s). Unfortunately, given their success rate and lack of consequences for their actions, there is no slowing down and the next victim is likely to be a local underfunded hospital who is forced into denying care to their patients.
Becoming the next victim can be prevented by simply implementing an anti-malware solution. Many vendors today even guarantee against ransomware attacks if using their software. We believe this is a basic and fundamental responsibility of any organization, just as seat belts and fire alarms are fundamentals in their respective domains. Maybe it is time for the government to mandate anti-malware to be on all systems if the leaders of those organizations won’t even consider the minimal protections as we have mentioned. However, if we don’t start holding companies accountable for securing their environments, and of our justice system for implementing very tough consequences for the criminals, the damages will exponentially increase, not by the year but by the day. Prosecuting those who put our critical infrastructure, medical facilities and cities at risk need to be law enforcement and judicial priority – and a leadership priority.
Co-Written by Kathie Miley
Chief Experience Officer