“Ransomware is unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact”
- James Scott
Ransomware, What Am I?
Ransomwares are malicious software that blocks access of users from their own devices with a view to extort payment from their intended victims. Ransomware made its first debut as early as the 1980s when a number of computers used by participants of the 1989 World Health Organization’s AIDS conference became infected by a lockout virus.
Into 2000s – The Age of Extortion
By the turn of the century, the proliferation of the internet amplified the spread of ransomware. During this era, ransomware took the form of pop-ups with catastrophic error message instructing end users to download certain software (which turns out to be the trojan virus) in order to fix a problem. Users were inadvertently tricked into downloading the real virus when they click the ‘Fix Now’ button that usually accompanies/ed such pop-up messages.
Overtime, as ransomware attacks evolved and became more sophisticated, so did their ability to harm day to day lives of their victims. With more and more parts of our human existence having been digitized since the 1980s, massive ransomware attacks the likes of WannaCry is believed to have caused no less than US$4 Billion worth of economic losses to its victims.
2020: Ransomware Locks Internet Connected Chastity Belts
The lockdown of computers (which may cause inconvenience) is nothing compared to the lockdown/losing control over one’s own body.
Such fears were materialized recently when users of internet-connected chastity belts found themselves in an uncomfortable situation as hackers found a way to exploit the chastity belt’s application programming interface (“API”) and locked out the users from control over their devices. Such attacks are frightening as some users are reported to have been wearing such device at the time of the hack.
Once control over the device by a hacker is established, it was reported that users would receive a ransom message demanding payment of 0.02 Bitcoins (around US$750 at the time), failing which the chastity belt (if being in used at the time) would remain locked.
“Your [insert body part] is mine now…”
- Message from hacker to victim
The idea of losing control over any part of one’s body is likely to terrorize any victim into submission to the hacker’s demands.
Criminal Liabilities for the Hackers
There is no doubt that orchestrating a ransomware attack is a contravention of s.23 of the Theft Ordinance (Cap.210) (e.g. in the form of blackmail) and possibly s.60 of the Crimes Ordinance (Cap.200) (e.g. damaging property – the chastity belt’s lockdown is not a normal feature).
On top of that, the unauthorized intrusion into the chastity belt’s operating system is also a breach of s.27A of the Telecommunications Ordinance (Cap.106):
“Any person who, by telecommunica-tions, knowingly causes a computer to perform any function to obtain unauthorized access to any program or data held in a computer commits an offence”
Crimes such as blackmail and extortion carries custodial sentences as the maximum penalty. Cybercrime is a serious matter!
Should Victims Pay?
Whilst many victims might feel compelled to simply pay their way to freedom, victims should be reminded that there is no guarantee that cybercriminals (whom have committed a crime already) will honour their word.
Victims of the WannaCry virus for example have learnt the hard way that sometimes cybercriminals simply did not bother to create release mechanisms in their malware and they simply disappear after being paid.
Furthermore, it should be noted that the mere act of paying a ransom might in itself be illegal and carries criminal liabilities for such victims.
United Nations (Anti-Terrorism Measures) Ordinance (Cap. 575) (“UNATMO”)
Earlier this year, the United States Treasury Department announced that American companies may be penalized for paying ransoms to sanctioned hackers. This crackdown was made in response to the growing market of ‘consultants’ which will help affected organizations pay cybercriminals. It should be noted that similar legal frameworks have in fact existed in Hong Kong in the form of UNATMO:
“A person shall not provide or collect, by any means, directly or indirectly, any property:
a) with the intention that the property
be used; or
b) knowing that the property will be
in whole or in part, to commit one or more terrorist acts (whether or not the property is actually so used).”
- s.7 of UNATMO
Whilst it may be understandable why terrorized victims imprisoned in a chastity belt hack may want to simply pay the ransom and be free, they should also be mindful not to break the law.
Therefore, if you have been ransomed, always remember:
- Paying ransom will not solve your problems: the ransomware might not have a ‘release’ mechanism programmed in and they can just take your money and run;
- Call first responders for help: (i) its legal and (ii) emergency rooms have equipment to cut them out to freedom; and
- Pay attention to cybersecurity: just because a device can be connected to the internet doesn’t mean it should. If you do, at least make sure the connection is firewalled and secured.