The Evolution of Ransomwares (Hackers Now Target Internet Connected Chastity Belts, USTD’s Warning Against Ransom Payments and Legal Issues Victims Should Consider)

“Ransomware is unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact”

- James Scott

Ransomware, What Am I?

Ransomwares are malicious software that blocks access of users from their own devices with a view to extort payment from their intended victims. Ransomware made its first debut as early as the 1980s when a number of computers used by participants of the 1989 World Health Organization’s AIDS conference became infected by a lockout virus.

Into 2000s – The Age of Extortion

By the turn of the century, the proliferation of the internet amplified the spread of ransomware. During this era, ransomware took the form of pop-ups with catastrophic error message instructing end users to download certain software (which turns out to be the trojan virus) in order to fix a problem. Users were inadvertently tricked into downloading the real virus when they click the ‘Fix Now’ button that usually accompanies/ed such pop-up messages.

Overtime, as ransomware attacks evolved and became more sophisticated, so did their ability to harm day to day lives of their victims. With more and more parts of our human existence having been digitized since the 1980s, massive ransomware attacks the likes of WannaCry is believed to have caused no less than US$4 Billion worth of economic losses to its victims.

2020: Ransomware Locks Internet Connected Chastity Belts

The lockdown of computers (which may cause inconvenience) is nothing compared to the lockdown/losing control over one’s own body.

Such fears were materialized recently when users of internet-connected chastity belts found themselves in an uncomfortable situation as hackers found a way to exploit the chastity belt’s application programming interface (“API”) and locked out the users from control over their devices. Such attacks are frightening as some users are reported to have been wearing such device at the time of the hack.

Once control over the device by a hacker is established, it was reported that users would receive a ransom message demanding payment of 0.02 Bitcoins (around US$750 at the time), failing which the chastity belt (if being in used at the time) would remain locked.

“Your [insert body part] is mine now…”

- Message from hacker to victim

The idea of losing control over any part of one’s body is likely to terrorize any victim into submission to the hacker’s demands.

Criminal Liabilities for the Hackers

There is no doubt that orchestrating a ransomware attack is a contravention of s.23 of the Theft Ordinance (Cap.210) (e.g. in the form of blackmail) and possibly s.60 of the Crimes Ordinance (Cap.200) (e.g. damaging property – the chastity belt’s lockdown is not a normal feature).

On top of that, the unauthorized intrusion into the chastity belt’s operating system is also a breach of s.27A of the Telecommunications Ordinance (Cap.106):

“Any person who, by telecommunica-tions, knowingly causes a computer to perform any function to obtain unauthorized access to any program or data held in a computer commits an offence”

Crimes such as blackmail and extortion carries custodial sentences as the maximum penalty. Cybercrime is a serious matter!

Should Victims Pay?

Whilst many victims might feel compelled to simply pay their way to freedom, victims should be reminded that there is no guarantee that cybercriminals (whom have committed a crime already) will honour their word.

Victims of the WannaCry virus for example have learnt the hard way that sometimes cybercriminals simply did not bother to create release mechanisms in their malware and they simply disappear after being paid.

Furthermore, it should be noted that the mere act of paying a ransom might in itself be illegal and carries criminal liabilities for such victims.

United Nations (Anti-Terrorism Measures) Ordinance (Cap. 575) (“UNATMO”)

Earlier this year, the United States Treasury Department announced that American companies may be penalized for paying ransoms to sanctioned hackers. This crackdown was made in response to the growing market of ‘consultants’ which will help affected organizations pay cybercriminals. It should be noted that similar legal frameworks have in fact existed in Hong Kong in the form of UNATMO:

“A person shall not provide or collect, by any means, directly or indirectly, any property:

a) with the intention that the property
be used; or

b) knowing that the property will be
used,

in whole or in part, to commit one or more terrorist acts (whether or not the property is actually so used).”

- s.7 of UNATMO

Whilst it may be understandable why terrorized victims imprisoned in a chastity belt hack may want to simply pay the ransom and be free, they should also be mindful not to break the law.

Conclusion

Therefore, if you have been ransomed, always remember:

  1. Paying ransom will not solve your problems: the ransomware might not have a ‘release’ mechanism programmed in and they can just take your money and run;
  2. Call first responders for help: (i) its legal and (ii) emergency rooms have equipment to cut them out to freedom; and
  3. Pay attention to cybersecurity: just because a device can be connected to the internet doesn’t mean it should. If you do, at least make sure the connection is firewalled and secured.
Jurisdictions: 

Solicitor, ONC Lawyers

Joshua Chu is a Litigation Solicitor qualified to practice in Hong Kong. Before becoming a lawyer, Joshua worked in the healthcare industry serving as the IT department head at a private hospital as well as overseeing their procurement operations.

Since embarking upon his legal career, his past legal experience includes representing the successful party in one of Hong Kong’s first cryptocurrency litigation cases as well as appearing before the Review Body on Bid Challenges under the World Trade Organization Government Procurement Agreement concerning a health care industry related tender.

Today, Joshua’s practice is mainly focused in the field of dispute resolution and technology law.

Aside from his legal practice, Joshua is currently also a Senior Consultant with a regulatory consulting firm which had been founded by ex-SFC Regulators as well as being a management consultant for the Korean Blockchain Centre.

Partner, ONC Lawyers

Michael Szeto is a litigation partner of ONC Lawyers and heads the firm’s Employment practice. Prior to joining the firm, he had practised with various prominent law firms in Hong Kong. He has many years of experience in handling complex commercial dispute resolution, shareholders’ and joint venture disputes, bankruptcy and insolvency matters, debt recovery and mortgagee actions. He also routinely deals with regulatory actions and compliance matters under the Securities and Futures Ordinance, the Hong Kong listing rules and anti-money laundering laws and guidelines.

On the employment side, Michael often advises on various contentious and non-contentious employment matters, covering contract reviews, termination disputes, injunctive relief, discrimination and harassment claims, data privacy matters, as well as advice on matters relating to team moves, remuneration packages and employee incentive schemes. He is a frequent author of employment articles in industry publications and presenter to legal and human resource professionals.

Michael’s broad clientele includes listed companies, directors, shareholders, local and overseas banks, financial institutions, local and international corporations as well as statutory bodies.