The Law and Politics of Ransomware.

Author: Lubin, Asaf

TABLE OF CONTENTS

I. INTRODUCTION 1179
II. THE PROBLEM OF RANSOMWARE 1183
  A. Defining Ransomware 1183
  B. Existing Regulation and its Limits 1186
    1. Domestic Law 1186
    2. International Law 1192
  C. The Causes of Ransomware Underenforcement 1196
    1. Information Asymmetries 1196
    2. Clashing Jurisdiction 1197
    3. The Tragedy of the Commons 1200
    4. Managerial Deficits 1200
    5. Forensic and Diplomatic Challenges 1202
III. REDEFINING THE CRIME OF RANSOMWARE 1203
  A. Ransomware and the Outlawry of Hostis Humani Generis 1203
  B. Outlawing by Extension and Analogy or by Treaty Design? 1205
    1. New International Instrument 1206
    2. Analogy and Extension 1207
IV. BUILDING THE RANSOMWARE ENFORCEMENT TOOLKIT 1210
  A. Naming and Shaming Harboring States 1211
  B. Extraterritorial Enforcement and Prosecution 1212
  C. Enhancing Cybersecurity at Home 1213
V. CONCLUSION 1215

I. INTRODUCTION

On 10 June 2019, the quaint town of Lake City, Florida suffered a major ransomware attack, bringing most municipal activities and services to a halt. (1) An employee of the town opened a malicious email with a compromised document that infected the city's computers with ransomware. (2) Beginning at 7:30 am, "the computers did not work and neither did the telephones. Even cellphones were wiped of contacts.... Nearly all of the city's systems--including its water and gas payment systems--were unusable. The copy machines, also linked to the computer network, did not work." (3) With about sixteen terabytes of information effectively locked and online payment systems inoperable, the city was running blind. (4) City employees were forced to go back to "paper receipts and hand-written building permits." (5)

Ransomware attacks are designed to deny access to a computer system or data, usually by encrypting it, until the victim pays extortion payments to the attacker. (6) The ransomware used in Lake City's attack was the Ryuk malware. (7) According to the United Kingdom's National Cyber Security Centre (NCSC), "Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally." (8) The NCSC further determined that Ryuk is "often not observed until a period of time after the initial infection--ranging from days to months--which allows the [malicious] actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack." (9)

Just like clockwork, days after the initial infection, a ransom demand made its way to Lake City officials. At first the city attempted to restore its systems to full operability with the help of the Federal Bureau of Investigation (FBI) and a consulting firm, (10) hired by its municipal risk pool, the Florida League of Cities. (11) Unfortunately, like many other cities across America, Lake City did not devote sufficient resources to cybersecurity and lacked basic features that could have prevented its computer networks from being vulnerable to this attack, or at least allowed for faster recovery. (12) Indeed, within two weeks of the incident, the city manager made a decision to fire the city's information technology (IT) director for failures relating to the incident. (13)

Failing to restore network operability, the city's risk pool hired a ransomware negotiations company called Coveware that communicated with the hackers and brought their ransom demands down from eighty-six Bitcoins (about $700,000 based on the rate at the time) to forty-two Bitcoins (roughly $460,000), of which the city only paid the $10,000 deductible, with the League of Cities paying the rest. (14) Ultimately, even with the encryption key provided by the hackers, each terabyte of encrypted data took "about 12 hours to recover," and nearly "a month after the onset of the attack," the city was still not able to return to full operations. (15) Moreover, the city's own budget reports have indicated that beyond the ransom the city had to pay upward of $350,000 in expenses relating to the ransomware attack, as well as other costs associated with equipment and software to update system security and IT infrastructure across the city. (16)

Lake City is not alone. From a power distribution company in India, (17) through the Royal Zoological Society of Scotland, (18) to the court system of the Brazilian state of Rio Grande do Sul, (19) ransomware is anywhere and everywhere. In the United States, ransomware has become so prevalent that it has been identified as a national security concern triggering the involvement of the U.S. Cyber Command and the National Security Agency. (20) In recent years, ransomware attacks targeted a regional hospital in Indiana, (21) a school district in Michigan, (22) a courthouse in Texas, (23) and a port in California. (24) Even Lady Gaga is not immune. (25)

The problem has become so profound that comedian John Oliver devoted a segment of Last Week Tonight to it, noting that the threat has gone from a "trickle to an absolute flood." (26) Ransomware is growing not just in numbers, but also in severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. (27) By 2020, however, "attacks leveled out at 20,000 to 30,000 per day in the U.S. alone." (28) That is a ransomware attack every eleven seconds, (29) each of which cost victims on average nineteen days of network downtime and a payout of over $230,000. (30) In 2021, global costs associated with ransomware recovery exceeded $20 billion. (31) Some now predict that by 2031 ransomware will cost victims "around $265 billion (USD) annually... with a new attack (on a consumer or business) every 2 seconds." (32)

This Article offers an account of the regulatory challenges associated with ransomware prevention. Situated within the broader literature on underenforcement, Part I of this article explores the core causes for the limited criminalization, prosecution, and international cooperation that have exacerbated this wicked cybersecurity problem. In particular, the Article examines the forensic, managerial, jurisdictional, informational, and resource allocation challenges that have plagued the fight against digital extortions in the global commons.

To address these challenges, Part II of the Article makes the case for the international criminalization of ransomware. Relying on existing international regimes--namely, the 1979 Hostage Taking Convention, the 2000 Convention Against Transnational Crime, and the customary prohibitions against the crimes of Piracy and Terrorism--the Article makes the claim that certain types of ransomware attacks are already criminalized under existing international law. In fact, the Article draws on each of these case studies to portray the criminalization of ransomware as a "fourth generation" in the outlawry of Hostis Humani Generis (enemies of mankind).

Finally, Part III of the Article demonstrates the various opportunities that could arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The Article focuses on three immediate consequences that could arise from such internationalization: (1) expanding policies for naming and shaming harboring states, (2) authorizing extraterritorial cyber enforcement and prosecution, and (3) advancing strategies for strengthening cybersecurity at home.


1. Defining Ransomware

Ransomware is a type of malware that targets data with the intention of either rendering that data permanently inaccessible through encryption or threatening further disclosure unless a ransom is paid. (33) The propagation methods of ransomware vary from compromised mobile applications to infected websites or email attachments. (34) Of late, a significant number of attacks have taken place via "remote desktop protocol... that do[es] not rely on any form of user interaction." (35)

The hackers typically demand payments in cryptocurrencies as they are less regulated and harder to control using existing Anti-Money-Laundering laws. (36) In particular, the application of "Know Your Customer" and other "Customer Identification Procedures" is complicated by the decentralization and anonymization associated with these digital coins. (37)

Ransom attacks come with deadlines. "If the victim decides to break the deadline, attackers either increase the price or delete the decryption key." (38) Moreover, paying the ransom may not necessarily end the operation. "Some programs also infect other devices on the network, enabling further attacks. Other examples of ransomware also infect victims with malware, such as Trojans that steal login credentials." (39)

According to British-based security software and hardware company SOPHOS, "[i]n 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom." (40) Of those who paid, "11% of organizations said they paid ransoms of $1 million or more." (41) Each of these payments helps fuel the criminal enterprise behind ransomware, thereby inviting further attacks. The unfortunate reality is that for each individual victim, payment makes financial sense, even if that means off-loading costs and forcing negative effects on society writ large.

Ransomware attacks are targeting every industry and walk of life, from law firms to hospitals to academic institutions to insurance companies to police departments. But ransomware is an even bigger problem than that. Recently, ransomware gangs have begun targeting private individuals and small mom-and-pop shops. (42) In the words of John Oliver, ransomware is now "so pervasive that it's affecting pipelines and grandmothers." (43) Generally speaking, hackers try to focus their efforts on victims who share two common features: first, they lack the expertise and resources to ensure effective cybersecurity hygiene; and second, they have inherent incentives to end business interruptions quickly and bring operations back online...
