Ransomware, also referred to as a crypto-virus, is malicious software that cybercriminals use to illicitly infect, lock out and then take control over digital systems in order to prevent owners from re-accessing them.
In doing so, cybercriminals use the ransomware to extort money on the promise of restoring owners’ access to their systems.
The two common ways in which ransomware is installed are via phishing emails and/or visits to websites with malicious software.
According to Berné Burger, an associate at Webber Wentzel, the use of ransomware has increased dramatically both nationally and internationally over the past few years – contributing to an ever-growing list of cyber threats and cyber criminality.
In South Africa alone approximately R5.7 billion is lost by victims of cybercrime annually – and this figure is likely on the rise, Burger said.
Criminality of Ransomware
Cybercriminals behind ransomware can be prosecuted in terms of the common law crime of extortion, said Burger.
“The crime of extortion is defined as the taking from another party monetary value by intentionally and unlawfully subjecting that party to pressure to do so,” he said.
“Accordingly, cybercriminals who force companies or persons under duress to pay sums of monies in order to regain access to their digital system commit extortion.
“The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) criminalises the intentional monitoring of any conversations and/or communications by means of a monitoring device, so as to gather confidential information concerning any person or body.
“Thus, in instances where ransomware is used to gather confidential information, a contravention of RICA will have taken place.”
He added that chapter 13 of the Electronic Communications and Transactions Act (ECTA) aims to deal with cyber crimes, and, in doing so, attempts to provide legal certainty in this regard.
In terms of ECTA, any unlawful access and interception or interference with data is a criminal offence, he said.
“Moreover, ECTA plainly criminalises cyber extortion by providing that a person who intentionally accesses or intercepts any data without authority or permission to do so for the purpose of obtaining any unlawful proprietary advantage is guilty of an offence. The Cybercrimes and Cybersecurity Bill in its current form also clearly defines and criminalises cyber extortion.”
Legality of Paying Ransoms
According to Burger, there is no broadly applicable South African legal principle which makes ransom payments illegal.
However, the broad duties set out in the Prevention and Combating of Corrupt Activities Act would also cover ransomware victims being obliged to report incidents of ransomware/extortion to the police, he said.
“However, outside of the legal realm, the payment of a ransom to cybercriminals may have many negative effects, such as: (1) No guarantee that the hackers will return the hijacked data; and (2) paying a ransom not only emboldens current cybercriminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
“Such effects are more of a commercial nature than legal nature,” he added.
“Cybercriminals are constantly finding new ways to penetrate security systems. The innovative use of intelligent systems, sharing of cybersecurity information and creation of more skilled cybersecurity professionals are all essential to the improvement of the security defense of large corporations.”