Cyber Extortion, Ransomware and the South African Cybercrimes and Cybersecurity Bill

Abstract

The South African Cybercrimes and Cybersecurity Bill criminalizes cyber extortion in section 10 of the Bill. This article discusses the problem of cyber extortion as it manifests in rampant ransomware attacks across the globe. It determines that although African countries have not been as badly hit by recent ransomware attacks such as WannaCry, widespread ransomware attacks are imminent. It discusses the provisions in the South African Cybercrimes Bill to determine whether, when such an attack does happen, South Africa would be able to deal with it adequately through the Bill. It uses the Kenyan Cybercrimes Act as a comparator.

Section 10 Cyber extortion

10. Any person who unlawfully and intentionally—
(a) threatens to commit any offence; or
(b) commits any offence,
contemplated in sections 3(1), 5(1), 6(1) or 7(1)(a) or (d), for the purpose of—
(i) obtaining any advantage from another person; or
(ii) compelling another person to perform or to abstain from performing any act,
is guilty of the offence of cyber extortion.

1. CYBER EXTORTION: RANSOMWARE

The crime of cyber extortion involves using data or a computer system as a tool to exercise power over a victim. Ransomware illustrates this crime best. Ransomware is not the only example of cyber extortion; however, it is quickly becoming one of its most recognizable and challenging manifestations. Ransomware is designed to be a direct revenue-generating type of cybercrime.[1] Ransomware is a type of malware that takes over a computer system by holding it ‘hostage’ until the victim pays a ransom demanded by the offenders. It has gained momentum in recent years, particularly due to the growing popularity of Bitcoin (a cryptocurrency that is relatively anonymous).

2. EVOLUTION OF RANSOMWARE

Ransomware is not a new phenomenon; it has been around since the late 1980s and has evolved in true Darwinian style.
In the early life of ransomware, it was not widely successful given the landscape in which it operated: an era in which computers were not ubiquitous and the internet was still a concept, accessible only to universities, research entities and governments. Additionally, in those days international payments were much harder to execute than they are now. Furthermore, that era saw malware being used for vandalism, pranks and notoriety rather than for financial gain.[2]

Fake antivirus scams became very prominent in 2008 and 2009. They tricked victims into believing that their computer systems had been infected with a virus and that they needed to buy the antivirus being offered to them to remove it. Fake antivirus worked in a similar manner to locker ransomware in that it would prevent access to the computer system. The attack relied heavily on social engineering techniques to trick the victim into thinking that her computer had been infected with a virus and that the ‘antivirus’ which had detected it would be able to clean the computer.[3] She would therefore be more likely to trust the ‘antivirus’ that had detected the problem. After downloading it, the ‘antivirus’ would offer the victim the option to purchase a subscription at a supposedly low price, whilst infecting the computer with a real virus.

It was in early 2005 that the first wave of modern crypto ransomware threats began to surface. One of the earliest forms was the Trojan.Gpcoder family of viruses, which did not use a strong form of encryption technology; it was easily overcome and was therefore not very successful. It used symmetric encryption, which meant that the encryption and decryption keys were the same.
However, the authors of the malware were not easily deterred, and they continued to adjust the malware to produce newer and more effective versions of it.[4] It was between 2011 and 2012 that the first pure locker ransomware appeared, in the form of Trojan.Randsom.C, which operated by requesting the user to call a premium-rate phone number to a spoofed Windows Security Centre to reactivate the licence to the security software.[5]

Crypto ransomware is the original type of ransomware and, with the deficiencies of locker ransomware, there has been a move back to crypto ransomware from 2013 to the present day. Crypto ransomware differs from locker ransomware in that it does not see the need to use social engineering to trick the victim into complying with its demands; it is direct in approach and makes the victim aware of its intentions from the outset.[6] Crypto ransomware can request payments of as much as US$300 for a single computer to be decrypted.

There are two main types of ransomware. The first is ‘locker ransomware’, which prevents access to a computer or device by locking the computer or device itself. The other is ‘crypto ransomware’, which prevents access to data or files by locking or encrypting the data itself rather than the computer or storage device that houses it. It does not necessarily have to use encryption to lock the data; however, much of this type of ransomware does.[7]

(a) Locker Ransomware

Locker ransomware usually locks the victim’s computer or the computer interface and then asks the victim to pay a fee to unlock it or restore access to it. It can limit the functionality of a computer, for example by preventing the mouse from working or leaving only the numeric functionality of the keyboard (to allow the user to enter the payment code once the ransom has been paid).
The underlying system of the computer is left untouched, which means that it is possible for a skilled cybersecurity expert to remove the malware and restore the functionality of the computer.[8] Social engineering is one of the techniques that is heavily relied upon when a locker ransomware attack is perpetrated. It is necessary to use manipulation and deception techniques on unsuspecting victims because the malware itself is relatively easier to remove than in the case of crypto ransomware.[9]

A common technique that offenders use is producing a pop-up notice on the victim’s computer which masquerades as a law enforcement notice. In many cases, the victim receives a notification purporting to be from the US Federal Bureau of Investigation (FBI) which informs her that they have detected that her IP address has been linked with downloading or visiting a website that hosts child pornographic material, abuse of children and zoophilia, or material related to terrorist activities. These are crimes which are in contravention of the federal laws of the United States and which carry a prison sentence of up to 12 years. She is informed that she is required to pay a fine immediately to avoid arrest and prosecution. She is then instructed to follow some commands that will enable her to pay a fine to avoid prosecution.[10] Thereafter, the malware will presumably be removed, although this is typically not the case.

(b) Crypto Ransomware

Crypto ransomware is the second type of ransomware. It is designed to find and encrypt valuable data on the victim’s computer or storage device. Valuable data can range from personal information and photographs to company documents or confidential government documents. The data will be made inaccessible to the victim without a decryption key, which is in the possession of the offender alone. Crypto ransomware exploits vulnerabilities in computer systems to gain access to the data.
It can operate in the background of the computer system without the victim knowing, for as long as is necessary for it to encrypt the valuable data without being detected by any protective measures that the victim might have, such as firewalls or antivirus software. The ransomware thereafter presents a message to the victim informing her that she has been infected with ransomware and that she needs to pay an amount in return for the decryption key. By the time she gets this notification, all her data will already have been encrypted and there is very little that she can do to stop the attack or recover her data.[11] Bitcoin is usually the preferred payment method because of its security, anonymity, and relative untraceability.

In the early days of crypto ransomware, the affected computer tended to be able to continue to function normally, as the malware would not target the critical system files of the computer; rather, it only barred access to the encrypted data.[12] Modern-day ransomware attacks can encrypt the computer as far down as the hardware level, making it near impossible to unlock without a decryption key.

(c) WannaCry Ransomware

May 2017 saw a cyberattack that was unprecedented in scale. WannaCry is a crypto ransomware variant, also known as WannaCrypt, WanaCrypt0r, WRrypt, and WCrypt, which was introduced through a phishing email; once it had entered the computer, it used a Windows vulnerability to replicate itself and spread from the first infected computer to the rest of the network.[13] From this, it is immediately clear that the targets of the ransomware are not individual home users but rather organizations or entities whose computers are connected on a network. This kind of large-scale attack is desirable to the attacker because it provides her with a greater reach as far as victims go and therefore a greater capacity for a greater ransom.
It is estimated that the attack affected at least 99 countries, with Russia being the worst hit. The WannaCry ransomware attack held for ransom the computer data of hospitals, telecommunications firms,[14] and car manufacturers,[15] to name a few. The United Kingdom suffered immensely from the cyber attack as it crippled the National Health Service (NHS) for a considerable amount of time. The effect that the ransomware had on the NHS was a cause for great concern because it froze computers at hospitals around the country, which resulted in the forced closure of many hospital wards. British citizens were advised to report to hospital A&E departments only in emergencies.[16] It is reported, however, that patient information had not been compromised,[17] although patients were negatively affected by the attack; one patient reported that his scheduled heart surgery had to be postponed due to the attack.[18]

The WannaCry ransomware attackers demanded a ransom of $300 from each of the individual computers infected with the malware, failing which the ransom amount would double in 3 days; further, if the ransom was not paid, the data would be destroyed.[19] It spread at an exponential rate on the day that it was released before it was halted by a ‘kill switch’ discovered by cybersecurity researcher Marcus Hutchins. Ironically, Hutchins was arrested 2 months later while he was in the United States, for writing and distributing a banking Trojan which was used on one of the bigger dark web marketplaces, AlphaBay.[20] This charge is unrelated to the WannaCry ransomware outbreak. The speed at which the ransomware attack propagated and its widespread reach were a cause for great concern because they highlighted the great capability of cybercrime to be far-reaching and destructive.

3. TARGETS OF RANSOMWARE

The new dimension that ransomware has introduced is the ability to target anyone and anything indiscriminately.
It thrives on being able to have a reach which has virtually no spatio-temporal boundaries. The Routine Activities Theory can assist in considering the target. The determination of target suitability is rendered by the acronym VIVA: the Value, Inertia, Visibility, and Accessibility of the target.[21]

In the case of ransomware, the first issue that must be considered is who the actual target is. To determine this, it is necessary to consider the desired outcome of the attackers and not only the method, as that can be misleading. Locker ransomware, on the one hand, uses social engineering to get the victim to pay, targeting the victim herself directly. Crypto ransomware, on the other hand, targets the data itself by encrypting it to force the hand of the victim to pay the offender a fine. It takes a direct approach rather than the manipulative social engineering approach that locker ransomware takes. In any case, regardless of the approach taken, the goal is to extort money or any other benefit from the victim herself and not from the data or the computer system. This is the same as in a terrestrial case of extortion; in the case of cyber extortion, the data held is merely used as a tool for obtaining that benefit. Therefore, while it might appear at first glance that the data or computer system is the target, upon closer inspection it is not.

Furthermore, the target does not have to be an individual; rather, the targets can range from home users to businesses to government entities. This is presumably dependent on the capabilities of the ransomware authors and the ransomware itself. Home users are easy targets because they are generally not fluent with computers or do not understand what ransomware is or how it works. Additionally, home users have sensitive information and important files and documents such as photographs, work documents and so forth.
Although these files are valuable, home users are also the least likely to have sufficient backup practices.[22] They also have the least access to technical assistance and therefore feel more isolated and vulnerable. They are therefore more susceptible to a social engineering attack which pressures them to pay the ransom.[23] Locker ransomware is most effective on home users.

(a) Value

The value lies in how much the victim is willing to pay to have her data back. In many cases, victims are unaware of the threats that exist to their data, so they very often neglect to set up an effective backup system in case they lose their data. Knowing this, cybercriminals take advantage and demand varying ransom amounts. Many victims are unable to distinguish the varying types of ransomware and are therefore unaware that some forms can be removed without a ransom having to be paid. They are unfortunately more likely to resort to paying the ransom, with no guarantee that their data will be restored. The ransomware authors can demand anything from a fraction of a Bitcoin to 100 BTC.

(b) Inertia and Visibility

In the case of cyber extortion, inertia and visibility do not apply. This is because neither the computer nor the data is targeted to be removed or copied. They are merely locked and made unavailable to the target. Furthermore, considering that the offender will not make physical contact with the target, it is unnecessary to determine whether she would offer any physical resistance. By the same token, the offender does not need to see the target to know that she exists.

(c) Accessibility

Accessibility has a positive correlation with target suitability. In the case of cyber extortion, the victim is easily accessible to the offender. By being able to gain access to the data or computer system of the victim, the offender has direct access to her.
It is interesting to note, with a sense of irony, that some ransomware attackers are quite user friendly when it comes to how the victim can pay the ransom. The 2016 version of the Petya ransomware directed the victim to a website hosted on the Tor network as a .onion site. The website provides the victim with explanations of what is going on with their computer and instructions on how to fix it. It has a FAQ section and even step-by-step instructions on where and how to buy Bitcoin and how to make the ransom payment to obtain the ransomware decryption key.[24] Making the transaction as easy as possible for the target puts the offender in control of the situation, as she can also control her preferred method of payment. Accessibility is as much about access to the victim as it is about the ease with which the offender can get away. Bitcoin and the deep web are ideal tools for escaping relatively undetected.

4. SOUTH AFRICAN AND KENYAN RESPONSES

To date, Africa has not experienced an outbreak of ransomware attacks on the scale that Europe and America have, but it is only a matter of time until it does. Ransomware has shown through WannaCry that it does not respect boundaries. Although South Africa did report a handful of cases of WannaCry, this has not been enough to cause great concern. This, however, will not remain the case; a large-scale ransomware attack is inevitable. Therefore, the question becomes: how ready is South Africa? This next section will be a critique of section 10 of the South African Cybercrimes Bill, and it will enlist a critique of the Kenyan Cybercrimes Act as a comparator. South Africa and Kenya are two of the superpowers of the SADC region. They are both technologically advanced and both face major cybersecurity challenges. Both countries have gone through the process of debating and proposing legislation that will deal with cybercrime and cybersecurity.
Kenya recently signed its Cybercrimes Act into force in 2016, and South Africa has presented the final draft of the Cybercrimes Bill to Parliament for debate.

5. SOUTH AFRICAN CYBERSECURITY AND CYBERCRIMES BILL

This section engages with the crime of cyber extortion. Section 10 of the South African Cybercrimes Bill criminalizes cyber extortion. It makes it an offence to acquire protected data, interfere with data or a computer program, interfere with a computer or computer system, or acquire or use a password, access code or related data or device, or to threaten another person with the commission of such offences, for the purpose of obtaining any advantage from another person or compelling another person to perform or abstain from performing any act.[25]

Section 10 provides that any person who unlawfully and intentionally (a) threatens to commit any offence; or (b) commits any offence, contemplated in sections 3(1), 5(1), 6(1) or 7(1)(a) or (d), for the purpose of (i) obtaining any advantage from another person; or (ii) compelling another person to perform or to abstain from performing any act, is guilty of the offence of cyber extortion.

The cyber extortion section is the best section to deal with ransomware because it includes an additional element of intent, which is ‘to obtain any advantage from another person or compelling another person to perform or abstain from performing any act’. It elevates the conventional cybercrimes provided for in the Bill to an offence of cyber extortion by requiring special intent. Therefore, to understand this offence, it is necessary to read it together with sections 3(1), 5(1), 6(1) and 7(1)(a) or (d). These offences will be collectively referred to as ‘hacking’ offences, merely for ease of reference in this article alone.
To adopt an ordinary definition, hacking can be defined as gaining access to a computer, file or network illegally and without authorization.[26]

(a) Section 3(1) Unlawful Acquiring of Data

Section 3(1) makes it an offence for any person to unlawfully and intentionally overcome any protection measure intended to prevent access to data, and to acquire data within, or which is transmitted to or from, a computer system. This section criminalizes both the overcoming of protection measures (such as cracking passwords) and the acquiring[27] of the data thereafter. This means that a person who breaks into a computer system and does not steal anything will be as guilty as a person who breaks in and does steal something. Therefore, this also covers offenders who merely inject malware into a computer system to remotely control it, such as in the case of creating a botnet. Any person who contravenes this provision is liable to a fine or a prison sentence not exceeding 10 years, or both.[28]

(b) Section 5(1) Unlawful Interference With Data or Computer Program

Section 5(1) makes it an offence to unlawfully and intentionally interfere with data or a computer program. It should be noted that this section refers to data or a computer program, whereas section 6 below refers to a computer data storage medium or a computer system. These two sections are similar and can be read together. Section 6(1) makes it an offence to unlawfully and intentionally interfere with a computer data storage medium or a computer system. Interference in this provision is defined to mean to permanently or temporarily alter any resource of a computer data storage medium or a computer system.
The phrase ‘interference with data or a computer program’ is defined in the Bill to mean to permanently or temporarily delete; alter; damage or deteriorate; render vulnerable, meaningless, useless or ineffective; obstruct, interrupt or interfere with the lawful use of; or deny access to, data or a computer program.[29] Interference in section 6 adds to interrupt or impair the functioning of, the confidentiality of, the integrity of, or the availability of a computer data storage medium or a computer system.[30]

This section on its own could cover a ransomware attack, because the nature of ransomware is that it renders the contents of the infected computer system ineffective and denies access to the legitimate user through encryption. This section, however, does not cover the special intent that the cyber extortion provision introduces. The special intent element is desirable because it highlights the fact that different cyber acts can be classified differently to reflect their gravity. This is also important when it comes to sentencing, particularly in aggravated circumstances; it provides necessary flexibility.
The offences in sections 5(1) and 6(1) are considered to be aggravated offences according to section 11 when they ‘(a) endanger the life or violate the physical integrity or physical freedom of, or cause bodily injury to, any person or any number of persons; (b) cause serious risk to health or safety of the public or any segment of the public; (c) causes the destruction of or substantial damage to any property; (d) causes a serious interference with or serious disruption of, an essential service, facility or system, or the delivery of any essential service; (e) causes any major economic loss; (f) creates a serious public emergency situation; or (g) prejudices the security, defence, law enforcement or international relations of the Republic (of South Africa)’.[31]

The aggravated offences provided for in section 11 of the South African Cybercrimes Bill are a welcome addition in the context of a ransomware attack. One of the elements that makes them aggravated offences is when they are targeted at restricted computer systems. These restricted computer systems are defined to mean any computer program, computer data storage medium or computer system under the control of, or exclusively used by, any financial institution, any organ of state in South Africa or any critical information infrastructure.[32] As shown above, ransomware attacks can be indiscriminate to the extent that they target anyone who operates a vulnerable device. This can range from ordinary computer users to government entities and private organizations. It is therefore important that the legislation makes provision for everyone on the user spectrum.
(c) Section 7(1) Unlawful Acquisition, Possession, Provision, Receipt or Use of Password, Access Codes or Similar Data or Devices

Section 7(1) makes it an offence to unlawfully and intentionally (a) acquire or (d) use a password, an access code or similar data or device[33] for the purposes of contravening the provisions of sections 2(1),[34] 3(1), 5(1), 6(1), 8[35] or 9(1).[36] It is important to note that the offence of cyber extortion does not cover all of section 7(1) but rather only subsections (a) and (d). Section 7(1)(b), which provides for possession, and subsection (c), which covers providing the access codes etc. to another person, are not included in the ambit of the cyber extortion offence. This means that if an offender hacks into another person’s computer and merely keeps the passwords, access codes or similar devices for herself, or sells them to another person, she will still be guilty of the offence provided for in section 7, that is, a hacking offence, but not of cyber extortion, because she would lack the specific intent of obtaining an advantage over another person or of compulsion. This is evidence of careful consideration by the drafters of the scope and limits of cybercrime when it comes to criminalization.

(d) Penalties

Section 14 of the South African Cybercrimes Bill provides for the penalties that shall be imposed on the offender upon conviction. These offences are in the same class of crimes; therefore, any person who contravenes these provisions is liable to a fine or a prison sentence not exceeding 10 years, or to both the fine and imprisonment. The penalties clause goes further to provide that if a court finds a person guilty of an offence under section 10 (cyber extortion), it may impose a sentence in accordance with section 276 of the Criminal Procedure Act if a penalty is not prescribed for it by any other law. The court shall consider the appropriate penalty to impose which is within that court’s penal jurisdiction.[37]

6. KENYAN COMPUTER AND CYBERCRIMES ACT, 2016

The Kenyan Cybercrimes Act, unlike the South African Cybercrimes Bill, does not have a single provision such as cyber extortion that would deal specifically with a ransomware attack. It has the general ‘hacking offences’ as seen in the South African Cybercrimes Bill which, when interpreted generously, could cover such attacks. Part II of the Kenyan Cybercrimes Act is dedicated to the offences. The key provisions in the Act are section 4 (unauthorized access), section 5 (access with intent to commit or facilitate a further offence) and section 6 (unauthorized interference).

(a) Section 4: Unauthorized Access; Section 6: Unauthorized Interference

Section 4 makes it an offence to cause, either temporarily or permanently, a computer system to perform a function, by infringing security measures, with the intention to gain access. This must be done with the knowledge that such access is unauthorized. Additionally, the Act provides that it is immaterial, for the purposes of this section, that the unauthorized access was not directed at (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer system.[38] This section is comparable to section 3 of the South African Cybercrimes Bill, as it is an unauthorized access offence. It can apply to a ransomware attack, but only as far as it makes it a hacking offence, meaning that it must be treated the same way as any other cyber offence. The only element of intent that is required in this section is an intention to gain access[39] and nothing more. Section 6 of the Kenyan Cybercrimes Act should consequently be treated the same way, in so far as it criminalizes interference[40] with the confidentiality, integrity and availability of computer systems. It is an ordinary hacking crime, even though it caters for bigger victims and larger consequences.
Section 6(3) provides that any person who commits the offence provided for in section 6(1) which results in (a) a significant financial loss to any person; (b) threatens national security; (c) causes physical injury or death to any person; or threatens public health or public safety, shall be guilty of an offence. It is comparable to the South African Cybercrimes Bill’s aggravated offences provided for in section 11.

(b) Section 5: Access With Intent to Commit or Facilitate Further Offence

Section 5 makes it an offence to commit an offence provided for under section 4 with the intention to commit, or facilitate the commission of, a further offence under any law, by that person or another person. It provides further that it is immaterial whether the further offence provided for in this section is committed at the same time as the access is secured or at another time.[41] This section builds upon section 4 by adding a secondary intention requirement to the offence of unauthorized access. This offence, it can be argued, might be the best offence to deal with a ransomware attack. However, to capture the essence of a ransomware attack, which is extortion, one would have to look outside this Act and refer to section 299[42] of the Kenyan Penal Code. It provides for attempts at extortion by written threat. One could argue that the message that appears on the victim’s infected computer system constitutes a written threat and therefore covers the special intent to extort. Given that the Kenyan Cybercrimes Act does not have a specific and single provision that will deal with ransomware, section 5 gives room to prosecute it in combination with, perhaps, the Penal Code. On the one hand, this is beneficial because it acts as a catch-all for all the nuanced manifestations of cybercrime, and possibly for cybercrimes that have not yet been invented.
It is, however, unclear how far the Penal Code envisages cybercrimes and whether it can adequately prosecute them. On the other hand, it might be accused of broadening the scope of this Act too much; that is, it might suffer from a lack of the specificity that is generally required of legislation. This will, of course, be left to the interpretation of the courts. Furthermore, it will mean that the offender needs to be charged under two separate laws for a single crime. This is important to note because a ransomware attacker is typically single-minded in her intention. She does not gain access to a computer or to data and then decide to solicit money; she gains access for the sole purpose of soliciting money. There is a nuanced difference.

At this point, it may be necessary to make use of a terrestrial crime to illustrate this nuanced difference. A kidnapper who orchestrates the kidnapping of a child for the sole purpose of seeking a ransom is different from a burglar who gains access to a house to steal and by chance stumbles upon a child whom he kidnaps and asks a ransom for. The burglar is committing a further offence (unauthorized access and kidnapping), whereas the kidnapper is committing a single offence of kidnapping, with unauthorized access being incidental to the commission of the specific crime. The intention of the ransomware attacker is not to gain access to a computer system or data; it is rather to use the (now encrypted) computer system or data to seek a ransom for its return. By this interpretation, applying section 5 to ransomware might prove challenging.

(c) Penalties

The penalty for both section 4 and section 5 is a fine not exceeding 10 million shillings or a prison sentence of 10 years, or both.[43] The offence in section 6 provides for a fine not exceeding 20 million shillings, or a prison term not exceeding 20 years, or both.

7. CONCLUSION

Ransomware is a complex subset of crime, and there are many nuanced differences between crimes which should be accounted for if legislation is going to be effective. For example, an offender who gains access to a computer system to send spam and an offender who gains access to launch ransomware occupy different classes of cybercrime, dependent on the impact on victims. Although ‘hacking offences’ and ransomware attacks both involve unlawful access to a computer system, their impact dictates that they should not be treated the same way. This means that it is equally important for legislation to be able to account for this kind of divergence and respond accordingly. The South African Cybercrimes Bill has done so by including the offence of cyber extortion. It recognizes that all ransomware attacks are ‘hacking’ crimes but that not all acts of ‘hacking’ will amount to a ransomware attack. It is therefore important to add the specific intent to extort as an additional requirement. The Kenyan Cybercrimes Act has neglected to add this additional requirement; therefore, a ransomware attack will be treated the same way as an ordinary ‘hacking’ offence. This means that even if the attack costs the victims a substantial amount of money and causes a considerable amount of harm, as shown above, the offenders will only be held accountable as far as ‘ordinary hackers’. This is equally true even in extreme circumstances where the government or financial institutions are attacked, because unlike the South African Cybercrimes Bill, the Kenyan Cybercrimes Act does not account for aggravated offences with respect to a ransomware attack.

Footnotes

[1] K Savage, P Coogan, and H Lau, Security Response: The Evolution of Ransomware (Version 1.0, Symantec, Mountain View, California, USA, 2015) 5.
[2] Ibid at 7.
[3] Ibid at 9.
[4] Ibid.
[5] Ibid.
[6] Ibid at 11.
[7] Ibid at 5.
[8] Ibid.
[9] Ibid.
10 Federal Bureau of Investigation ‘“Ransomware” Locks computer, Demand’s Payment’ (9 August 2012) https://www.fbi.gov/news/stories/new-internet-scam (1 August 2017). 11 Above n 1 at 7. 12 Ibid. 13 Europol ‘Wannacry ransomware’ https://www.europol.europa.eu/wannacry-ransomware (7 August 2017). 14 CBS News ‘Global cyberattack strikes dozens of countries, cripples U.K. hospitals’ (12 May 2017) http://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-cyberattack/ (8 August 2017). 15 J Sharman ‘Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France’ (13 May 2017) Independent http://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html (8 August 2017). 16 See CBS News, above n 14. 17 BBC ‘NHS cyber-attack: GPs and hospitals hit by ransomware’ (13 May 2017) http://www.bbc.com/news/health-39899646 (9 August 2017). 18 Above n 14. 19 Ibid. 20 E Shugarman ‘Marcus Hutchins arrest: Computer expert who “helped to end NHS cyber attack” charged with malware offences in US’ (3 August 2017) Independent http://www.independent.co.uk/news/uk/home-news/marcus-hutchins-arrested-latest-us-authorities-wannacry-cyberattack-nhs-las-cegas-mccaran-a7875761.html (8 August 2017). 21 S Mabunda ‘Applying the Gordon & Ford Categorisation and the Routine Activities Theory to Cybercrime: A Suitable Target’ in P Cunningham and M Cunningham (eds) IST Africa Conference Proceedings (2017) 3. 22 Above n 1 at 13. 23 Ibid. 24 MrDevStaff ‘Petya Ransomware Demonstration’ (27 March 2016) https://www.youtube.com/watch?v=zOSI08mnfzM (5 August 2017). 25 Explanatory notes (2016) 67. 26 The Free Dictionary by Farlex. 
27 The word acquire in the Bill is defined to mean to ‘use, examine or capture data or any output thereof; copy data; move data to a different location in a computer system in which it is held or any other location; or to divert data from its intended destination to any other destination’. 28 Section 14(2) of SA Cybercrimes Bill. 29 Section 5(2)(a)–(f) of SA Cybercrimes Bill. 30 Section 6(2)(a) and (b). 31 Section 11(2) 32 Sections 3(1), 5(1), 6(1) and 7(1) are all covered by section 11. 33 Password, access codes or similar data or device for purposes of this provision mean (without limitation) ‘a secret code or pin, an image, a security token, an access card, any device, biometric data, or a word string of characters or numbers, used for financial transactions or user authentication to access or use data, a computer program, a computer data storage medium or a computer system’. See section 7(3). 34 Unlawful securing of access. 35 Cyber fraud. 36 Cyber forgery or uttering. 37 Section 14(4) of SA Cybercrimes Bill. 38 Section 4(3) (a)–(c) Kenyan Cybercrimes Act (2016). 39 Access means gaining entry, or intending to gain entry into any program or data that is stored in a computer system where the person (a) alters, modifies, or erases a program or data; or (b) copies, transfers, or moves a program or data to (i) any computer system or device or storage medium other than which it is store, or (ii) to a different location in the same computer system, device or storage medium in which it is stored; or (c) causes it to be output from the computer in which it is held, whether by having it displayed or in any other manner; or uses it by causing the computer to execute a program or is itself a function of the program. 40 Mean any impairment to the confidentiality, integrity or availability of a computer system, or any program or data on a computer system, or any act in relation to the computer system which impairs the operation of the computer system, program or data. 
41 Section 5(2) Kenyan Cybercrimes Act (2016). 42 Any person who, with intent to extort or gain anything from any person, and knowing the contents of the writing, causes any person to receive any writing demanding anything from any person without reasonable or probable cause, and containing threats of any injury or detriment of any kind to be caused to any person, either by the offender or any other person, if the demand is not complied with, is guilty of a felony and is liable to imprisonment for 14 years. 43 Section 5(1) Kenyan Cybercrimes Act (2016). © The Author 2017. Published by Oxford University Press. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Statute Law Review Oxford University Press


Statute Law Review, Advance Article, 28 October 2017

Publisher: Oxford University Press
ISSN: 0144-3593
eISSN: 1464-3863
DOI: 10.1093/slr/hmx028

Abstract

Abstract The South African Cybercrimes and Cybersecurity Bill criminalizes cyber extortion in section 10 of the Bill. This article discusses the problem of cyber extortion as it manifests in rampant ransomware attacks across the globe. It determines that although African countries have not been as badly hit by the recent ransomware attacks such as WannaCry, widespread ransomware attacks are imminent. It discusses the provisions in the South African Cybercrimes Bill to determine whether when such attack does happen, South Africa would be able to deal with it adequately through the Bill. It uses the Kenyan Cybercrimes Act as a comparator. Section 10 Cyber extortion 10.Any person who unlawfully and intentionally— (a) threatens to commit any offence; or (b) commits any offence, contemplated in sections 3(1), 5(1), 6(1) or 7(1)(a) or (d), for the purpose of— (i) obtaining any advantage from another person; or (ii) compelling another person to perform or to abstain from performing any act, is guilty of the offence of cyber extortion. 1. CYBER EXTORTION: RANSOMWARE The crime of cyber extortion involves using data or a computer system as a tool to exercise power over a victim. Ransomware illustrates this crime best. Ransomware is not the only example of cyber extortion; however, it is quickly becoming one of the most recognizable and challenging manifestation. Ransomware is designed to be a direct revenue-generating type of cybercrime.1 Ransomware is a type of malware that takes over a computer system by holding it ‘hostage’ until the victim pays a ransom demanded by the offenders. It has gained momentum in recent years particularly due to the growing popularity of Bitcoin (a cryptocurrency that is relatively anonymous). 2. EVOLUTION OF RANSOMWARE Ransomware is not a new phenomenon, it has been around since the late 1980s and it has evolved in true Darwinian style. 
In the early life of ransomware, it was not widely successful given the landscape in which it operated, that is, in an era where computers were not ubiquitous and the internet was still a concept and still only accessible to Universities and research entities and governments. Additionally, in those days, international payments were much harder to execute than they are now. Furthermore, that era saw malware being used for vandalism, pranks and notoriety rather than for financial gains.2 Fake antivirus scams became very prominent in 2008 and 2009 to trick victims into believing that their computer systems had been infected with a virus and they needed to buy the antivirus that is being offered to them to remove it. Fake antivirus worked in a similar manner as locker ransomware in that it would prevent access to the computer system. The attack relied heavily on social engineering techniques to trick the victim into thinking that her computer has been infected with a virus and that this antivirus which had detected it would be able to clean the computer.3 She therefore would be more likely to trust in the ‘antivirus’ that has detected the problem. After downloading it, the ‘antivirus’ would offer the victim an option to purchase a subscription of the ‘antivirus’ at a supposedly low price whilst infecting the computer with a real virus. It was in early 2005 that the first wave of modern crypto ransomware threats began to surface. One of the earliest forms was the Trojan.Gpcoder family of viruses which did not use a strong form of encryption technology, it was easily overcome and was therefore, not very successful. It used symmetric encryption which meant that the encryption and the decryption keys were the same. 
However, the authors of the malware were not easily deterred as they continued to adjust the malware to produce newer and more effective versions of it.4 It was in between 2011 and 2012 that the first pure locker ransomware appeared in the form of Trojan.Randsom.C which operated by requesting the user to call a premium-rate phone number to a spoofed Windows Security Centre to reactivate the licence to the security software.5 Crypto ransomware is the original type of ransomware and with the deficiencies of the locker ransomware, there has been a move back to crypto ransomware since 2013 to the present day. Crypto ransomware is different from locker ransomware in that it does not see the need to use social engineering to trick the victim into complying with its demands, it is direct in approach and makes the victim aware from the onset of its intentions.6 Crypto ransomware can request payments that can be as much as US$300 for a single computer to be decrypted. There are two main types of ransomware. The first is ‘locker ransomware’ which prevents access to a computer or device by locking the computer or device itself. The other is a ‘crypto ransomware’ which prevents access to data or file by locking or encrypting data itself rather than the computer or storage device that houses it. It does not necessarily have to use encryption to lock the data, however, much of this type of ransomware does.7 (a) Locker Ransomware Locker ransomware usually locks the victim’s computer or the computer interface and then asks the victim to pay a fee to unlock it or restore access to it. It can limit the functionality of a computer, for example, by as preventing the mouse from working or leaving only the numeric functionality of the keyboard (to allow the user to enter the payment code once the ransom has been paid). 
The underlying system of the computer is left untouched which means that it is possible for a skilled cybersecurity expert to remove the malware and restore the functionality of the computer.8 Social engineering is one of the techniques that is heavily relied upon when a locker ransomware attack is perpetrated. It is necessary to enlist manipulation and deception techniques on unsuspecting victims because the malware itself is relatively easier to remove than in the case of crypto ransomware.9 A common technique common technique that offenders use is producing a pop-up notice on the victim’s computer which masquerades as a law enforcement notice. In many cases, the victim receives a notification which purports to be from the US Federal Bureau of Investigation (FBI) which informs her that they have detected that her IP address has been linked with downloading or visiting a website that hosts child pornographic material, abuse of children and zoophillia or material related to terrorist activities. These are crimes which are in contravention of the federal laws of the United States and which carry a prison sentence of up to 12 years. She is informed that she is required to pay a fine immediately to avoid arrest and prosecution. She is then instructed to follow some commands that will enable her to pay a fine to avoid prosecution.10 Thereafter, the malware will presumably be removed, although there is typically not the case. (b) Crypto Ransomware Crypto ransomware is the second type of ransomware. It is designed to find and encrypt valuable data on the victim’s computer or storage device. Valuable data can range from anything from personal information, photographs, company documents, or confidential government documents. The data will be made inaccessible to the victim without a decryption key which is in the possession of the offender alone. Crypto ransomware malware exploits vulnerabilities in the computer systems to gain access to the data. 
It can operate in the background of the computer system without the victim knowing for as long as it is necessary for it to encrypt the valuable data without being detected by any protective measures that the victim might have, such as firewalls or antivirus software. The ransomware thereafter presents a message to the victim informing her that she has been infected with ransomware and that she needs to pay an amount that will release to her the decryption key. By the time, she gets this notification, all her data would have already been encrypted and there is very little that she can do to stop the attack or recover her data11 Bitcoin is usually the preferred payment method because of its security, anonymity, and relative untraceability. In the early days of crypto ransomware, the affected computer tended to be able to continue to function normally as the malware would not target the critical system files of the computer, rather it only barred access to the encrypted data.12 The modern-day ransomware attacks can encrypt the computer as far as on the hardware level, making it near impossible to unlock without a decryption key. (c) WannaCry Ransomware May 2017 saw a cyberattack that was unprecedented in scale. WannaCry is a crypto ransomware variant which is also known as WannaCrypt, WanaCrypt0r, WRrypt, and WCrypt which was introduced through a phishing email and once it has entered the computer, it used a Windows vulnerability to replicate itself to spread from the first infected computer to the rest of the network.13 From this, it is immediately clear that the targets of the ransomware are not individual home users but rather organizations or entities who have their computers connected on a network. This kind of large scale attack is desirable to the attacker because it provides her with a greater reach as far as the victim goes and therefore, a greater capacity for a greater ransom. 
It is estimated that the attack affected at least 99 countries, with Russia being the worst hit. The WannaCry ransomware attack held computer data for ransom of hospitals, telecommunications firms,14 and car manufacturers15 to name few. The United Kingdom suffered immensely from the cyber attack as it crippled the National Health Services (NHS) for a considerable amount of time. The effect that the ransomware has on the NHS was a cause for great concern because it froze computers at hospitals around the country which resulted in the forced closure of many hospital wards. British citizens were advised to only report to the A&E department of the hospitals only in emergencies.16 It is reported however, that patient information had not been compromised,17 although patients were negatively affected by the attack, one patient reported that his scheduled heart surgery had to be postponed due to the attack.18 The WannaCry ransomware attackers demanded a ransom of $300 from each of the individual computers infected with the malware, failing which, the ransom amount would double in 3 days, further, if the ransom was not paid, the data would be destroyed.19 It spread in an exponential rate on the day that it was released before it was halted by a ‘kill switch’ discovered by cybersecurity researcher Marcus Hutchins. Ironically, Hutchin was arrested 2 months later while he was in the United States for writing and distributing a banking Trojan malware which was used on one of the bigger Dark web market place AlphaBay.20 This charge is unrelated to the WannaCry ransomware breakout. The speed at which the ransomware attack propagated and its widespread reach was a cause for great concern because it highlighted the great capability of cybercrime to be far reaching and destructive 3. TARGETS OF RANSOMWARE The new dimension that ransomware has introduced is the ability to target anyone and anything indiscriminately. 
It thrives on being able to have a reach which has virtually no spatio-temporal boundaries. The Routine Activities Theory can assist in considering the target. The determination of target suitability is rendered by the acronym VIVA which is the Value, Inertia, Visibility, and Accessibility of the target.21 In the case of ransomware, the first issue that must be considered is who the actual target is. To determine this, it is necessary to consider the desired outcome of the attackers and not only consider the method, as that can be misleading. Locker ransomware on the one hand, uses social engineering to get the victim to pay, targeting the victim herself directly. Crypto ransomware on the other hand targets the data itself by encrypting it to force the hand of the victim to pay the offender a fine. It takes a direct approach rather than a manipulative social engineering approach that locker ransomware takes. In any case, regardless of the approach taken, the goal is to extort money or any other benefit from the victim herself and not the data nor the computer system. This is the same as in the case of a terrestrial case of extortion whereas, in the case of cyber extortion, the data held is merely used as a tool for obtaining that benefit. Therefore, while it might appear from first glance that the data or computer system is the target, upon closer inspection, it is not. Furthermore, the target does not have to be the individual target but rather, the targets can range from home users to businesses to government entities. This is presumably dependant on the capabilities of the ransomware authors and the ransomware malware itself. Home users are easy targets because they are generally not fluent with computers or do not understand what ransomware is or how it works. Additionally, home users have sensitive information, important files and documents such as photographs, work documents and so forth. 
Although these files are valuable, home users are also the least likely to have sufficient backup practices.22 They also have the least access to technical assistance and therefore are feel more isolated and vulnerable. They are therefore more susceptible to a social engineering attack which pressures them to pay the ransom.23 Locker ransomware is most effective on home users. (a) Value The value lies in how much the victim is willing to pay to have her data back. In many cases, the victims are unaware of the threats that exist to their data so very often they neglect to set up effective backup system if they lose their data. Knowing this, cybercriminals take advantage and demand varying ransom amounts. Many victims are unable to distinguish the varying types of ransomware and therefore, they are unaware that some forms can be removed without a ransom having to be paid. They are unfortunately more likely to resort to pay the ransom with no guarantee that their data will be restored. The ransomware authors can demand anything from a fraction of a Bitcoin to 100 BTC. (b) Inertia and Visibility In the case of cyber extortion, inertia and visibility do not apply. This is because neither the computer nor the data are targeted to be removed or copied. They are merely locked and made unavailable to the target. Furthermore, considering that the offender will not make physical contact with the target, it is unnecessary to determine whether she would offer any physical resistance. By the same token, the offender does not need to see the target to know that she exists. (c) Accessibility Accessibility has a positive correlation with target suitability. In the case of cyber extortion, the victim is easily accessible to the offender. By the offender being able to gain access to the data or computer system of the victim, the offender has direct access to her. 
It is interesting to note with a sense of irony that some ransomware attackers are quite user friendly when it comes to how the victim can pay the ransom. The 2016 version of the Petya ransomware had a website which the victim was directed to, that website hosted in the Tor.onion browser. The website provides the victim with explanations on what is going on with their computer and instructions on how to fix it. It has a FAQ section on the website and even has step by step instructions on where and how to buy Bitcoin and how to make the ransom payment to have the ransomware decryption key.24 Making the transaction as easy as possible for the target puts the offender in control of the situation as she is can also control her preferred method of payment. Accessibility is as much about access to the victim as it is about the ease with which the offender can get away. Bitcoin and the deep web are ideal tools for escaping relatively undetected. 4. SOUTH AFRICAN AND KENYAN RESPONSES To date, Africa has not experienced an outbreak of ransomware attacks on the scale that Europe and America has but it is only a matter of time until it does. Ransomware has shown through WannaCry that it does respect boundaries. Although South Africa did report a handful of cases of WannaCry, it has not been enough to cause great concern. This, however, will not remain the case, a large-scale ransomware attack is inevitable. Therefore, the question becomes, how ready is South Africa. This next section will be a critique of the section 10 of the South African Cybercrimes Bill and it will enlist a critique of the Kenyan Cybercrimes Act as a comparator. South Africa and Kenya are two of the superpowers of the SADC region. They are both technologically advanced and both face major cybersecurity challenges. Both countries have gone through the process of debating and proposing legislation that will deal with cybercrime and cybersecurity. 
Kenya has recently signed into force their cybercrimes Act in 2016 and South Africa has presented the final draft of the cybercrimes bill to parliament for debate. 5. SOUTH AFRICAN CYBERSECURITY AND CYBERCRIMES BILL This section engages with the crime of cyber extortion. Section 10 of the South African Cybercrimes Bill criminalizes cyber extortion. It makes it an offence to acquire protected data, interfere with data or a computer program, interfere with a computer or computer system or acquire or use a password, access code or related data or device or threatens another person with the commission of such offences for the purposes of obtaining any advantage from another person or compelling another person to perform or abstain from performing any act.25 Section 10 of the South African Cybercrimes Bill criminalizes cyber extortion. It provides that any person who unlawfully and intentionally (a) threatens to commit any offence; or (b) commits any offence, contemplated in sections 3(1), 5(1), 6(1) or 7(1)(a) or (d), for the purpose of (i) obtaining any advantage from another person; or (ii) compelling another person to perform or to abstain from performing any act, is guilty of the offence of cyber extortion. The cyber extortion section is the best section to deal with ransomware because it includes an additional element of intent, which is ‘to obtain any advantage from another person or compelling another person to perform or abstain from performing any act’. It elevates the conventional cybercrimes provided for in the Bill to an offence of cyber extortion by requiring special intent. Therefore, to understand this offence, it is necessary to read it together with sections 3(1), 5(1), 6(1) or 7(1)(a) or (d). These offences will be collectively referred to as ‘hacking’ offences merely for ease of reference in this article alone. 
To adopt an ordinary definition, hacking can be defined as gaining access to a computer, file or network illegally and without authorization.26 (a) Section 3(1) Unlawful Acquiring of Data Section 3(1) makes it an offence for any person to unlawfully and intentionally overcome any protection measure to prevent access to data; and to acquire data, within or which is transmitted to or from a computer system. This section criminalizes both the overcoming of the protection measures (such as cracking passwords) as well as acquiring27 the data thereof. This means that a person who breaks into a computer system and does not steal anything will be as guilty as a person who breaks into and does steal something. Therefore, this covers also the offenders who may merely inject malware in the computer system to remotely control it, such as in the case of creating a botnet. Any person who contravenes this provision is liable to a fine or a prison sentence not exceeding 10 years or both.28 (b) Section 5(1) Unlawful Interference With Data or Computer Program Section 5(1) makes it an offence to unlawfully and intentionally interfere with data or a computer program. It should be noted that this section refers to data or a computer program whereas section 6 below refers to computer storage medium or a computer system. These two sections are similar and can be read together. Section 6(1) makes it an offence to unlawfully and intentionally interfere with a computer data storage medium or a computer system. Interference in this provision is defined to mean to permanently or temporarily alter any resource of a computer data storage medium or a computer system. 
The phrase ‘interference with data or a computer program’ is defined in the Bill to mean to permanently or temporarily delete; alter; damage or deteriorate; render vulnerable, meaningless, useless or ineffective; obstruct, interrupt or interfere with the lawful use; or deny access to data or a computer program.29 Interference in section 6 adds to interrupt or impair the functioning of; confidentiality of, integrity of, or the availability of a computer data storage medium or a computer system.30 This section on its own could cover a ransomware attack because the nature of ransomware is that it renders the contents of the infected computer system ineffective and denies access to the legitimate user through encryption. This section however, does not cover the special intent that the cyber extortion provision introduces. The special intent element is desirable because it highlights the fact that different cyber acts can be classified differently to highlight their gravity. This is also important when it comes to sentencing particularly in aggravated circumstances; it provides necessary flexibility. 
The offences in section 5(1) and 6(1) are considered to be aggravated offences according to section 11, when they ‘(a) endanger the life or violate the physical integrity or physical freedom of, or cause bodily injury to, any person of any number of persons; (b) cause serious risk to health or safety of the public or any segment of the public; (c) causes the destruction of or substantial damage to any property; (d) causes a serious interference with or serious disruption of, an essential service, facility or system, or the delivery of any essential service; (e) causes any major economic loss; (f) creates a serious public emergency situation; or (g) prejudices the security, defence, law enforcement or international relations of the Republic (of South Africa)’.31 The aggravated offences provided for in section 11 of the South African Cybercrimes Bill are a welcomed addition in the context of a ransomware attack. One of the elements that makes them aggravated offences is when they are targeted at restricted computer systems. These restricted computer systems are defined to mean any computer program, computer data storage medium or computer system under the control of or exclusively used by any financial institution, any organ of state in South Africa or any critical information infrastructure.32 As shown above, ransomware attacks can be indiscriminate in their attack to the extent that they target anyone who operates a vulnerable device. This can range from ordinary computer users to government entities and private organizations. It is therefore important that the legislation makes provisions for everyone one the user spectrum. 
(c) Section 7(1) Unlawful Acquisition, Possession, Provision, Receipt or use of Password, Access Codes or Similar Data or Devices Section 7(1) makes it an offence to unlawfully and intentionally (a) acquire or (d) use a password, an access code or similar data or device33 for the purposes of contravening the provisions of sections 2(1)34, 3(1), 5(1), 6(1), 835 or 9(1).36 It is important to note that the offence of cyber extortion does not cover all of section 7(1) but rather, only covers either subsection (a) or (d). Section 7(1)(b) which provides for possession; or subsection (c) which covers providing to another person the access codes etc., are not included in the ambit of the Cyber extortion offence. This means that if an offender hacks into another person’s computer, and merely keeps for herself the passwords, access codes or similar devices or sells it to another person, she will still be guilty of the offence provided for in section 7, that is, a hacking offence, but not cyber extortion because she would lack specific intent of obtaining an advantage over another person or of compulsion. This is evidence of careful consideration by the drafters of the scope and limits of cybercrime when it comes to criminalization. (d) Penalties Section 14 of the South African Cybercrimes Bill provides for the penalties that shall be imposed on the offender upon conviction. These offences are in the same class of crimes therefore, any person who contravenes these provision is liable to a fine or a prison sentence not exceeding 10 years or to both the fine and imprisonment. The penalties clause goes further to provide that if a court finds a person guilty of an offence under section 10 (cyber extortion), it may impose a sentence in accordance with section 276 of the Criminal Procedure Act if a penalty is not prescribed for it by any other law. The court shall consider appropriate penalty to impose which is in that court’s penal Jurisdiction.37 6. 
KENYAN COMPUTER AND CYBERCRIMES ACT, 2016 The Kenyan Cybercrimes Act, unlike the South African Cybercrimes Bill does not have a single provision such as cyber extortion that would deal specifically with a ransomware attack. It has the general ‘hacking offences’ as seen in the South African Cybercrimes Bill which, when interpreted generously, could cover such attacks. Part II of the Kenyan Cybercrimes Act is dedicated to the offences. The key provisions in the Act are section 4 (Unauthorized Access), section 5 (access with intent to commit or facilitate further offence) and section 6 (unauthorized interference). (a) Section 4: Unauthorized Access; Section 6: Unauthorized Interference Section 4 makes it an offence to cause, either temporarily or permanently, a computer system to perform a function, by infringing security measures, with the intention to gain access. This act must be done with the knowledge that such access is unauthorized. Additionally, the Act provides that it is immaterial, for the purposes of this act, that the unauthorized access was not directed at (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer system.38 This section is comparable to section 3 of the South African Cybercrimes Bill as it is an unauthorized access offence. It can apply to a ransomware attack but only as far as it makes it a hacking offence, meaning that it must be treated the same way as any other cyber offence. The only offence element that is required in this section is an intention to gain access39 and nothing more. Section 6 of the Kenyan Cybercrimes Act consequently should be treated the same way in so far as it criminalizes interference40 with the confidentiality, integrity and availability of computer systems. It is an ordinary hacking crime even though it caters for bigger victims and larger consequences. 
Section 6(3) provides that any person who commits the offence provided for in section 6(1) which (a) results in a significant financial loss to any person; (b) threatens national security; (c) causes physical injury or death to any person; or (d) threatens public health or public safety, shall be guilty of an offence. It is comparable to the South African Cybercrimes Bill's aggravated offences provided for in section 11.

(b) Section 5: Access With Intent to Commit or Facilitate a Further Offence

Section 5 makes it an offence to commit an offence provided for under section 4 with the intention to commit, or facilitate the commission of, a further offence under any law, by that person or another person. It further provides that it is immaterial whether the further offence is committed at the same time as the access is secured or at another time.[41] This section builds upon section 4 by adding a secondary intention requirement to the offence of unauthorized access. This offence, it can be argued, might be the best offence to deal with a ransomware attack. However, to capture the essence of a ransomware attack, which lies in extortion, one would have to look outside this Act and refer to section 299[42] of the Kenyan Penal Code. It provides for attempts at extortion by written threat. One could argue that the message that appears on the victim's infected computer system constitutes a written threat and therefore covers the special intent to extort. Given that the Kenyan Cybercrimes Act does not have a specific and single provision that deals with ransomware, section 5 gives room to prosecute it in combination with, perhaps, the Penal Code. On the one hand, this is beneficial because it acts as a catch-all for all the nuanced manifestations of cybercrime and possibly for cybercrimes that have not yet been invented.
However, it is unclear how far the Penal Code envisages cybercrimes and whether it can adequately prosecute them. On the other hand, it might be accused of broadening the scope of this Act too much; that is, it might suffer from the lack of specificity that is generally required of legislation. This will, of course, be left to the interpretation of the courts. Furthermore, it will mean that the offender needs to be charged under two separate laws for a single crime. This is important to note because a ransomware attacker is typically single-minded in her intention. She does not gain access to a computer or to data and then decide to solicit money; she gains access for the sole purpose of soliciting money. There is a nuanced difference. At this point, it may be useful to use a terrestrial crime to illustrate this nuanced difference. A kidnapper who orchestrates the kidnapping of a child for the sole purpose of seeking a ransom is different from a burglar who gains access to a house to steal and by chance stumbles upon a child whom he kidnaps and asks a ransom for. The burglar is committing a further offence (unauthorized access and kidnapping), whereas the kidnapper is committing a single offence of kidnapping, with unauthorized access being incidental to the commission of the specific crime. The intention of the ransomware attacker is not to gain access to a computer system or data; it is rather to use the (now encrypted) computer system or data to seek a ransom for its return. By this interpretation, applying section 5 to ransomware might prove challenging.

(c) Penalties

The penalty for both section 4 and section 5 is a fine not exceeding 10 million shillings or a prison sentence of 10 years, or both.[43] The offence in section 6 provides for a fine not exceeding 20 million shillings, or a prison term not exceeding 20 years, or both.

7. CONCLUSION

Ransomware is a complex subset of crime, and there are many nuanced differences between crimes which should be accounted for if legislation is going to be effective. For example, an offender who gains access to a computer system to send spam and an offender who gains access to launch ransomware occupy different classes of cybercrime, depending on the impact on victims. Although 'hacking offences' and ransomware attacks both involve unlawful access to a computer system, their impact dictates that they should not be treated the same way. This means that it is equally important for legislation to be able to account for this kind of divergence and respond accordingly. The South African Cybercrimes Bill has done so by including the offence of cyber extortion. It recognizes that all ransomware attacks are 'hacking' crimes but that not all acts of 'hacking' will amount to a ransomware attack. It is therefore important to add the specific intent to extort as an additional requirement. The Kenyan Cybercrimes Act has neglected to add this additional requirement; therefore, a ransomware attack will be treated the same way as an ordinary 'hacking' offence. This means that even if the attack costs the victims a substantial amount of money and causes a considerable amount of harm, as shown above, the offenders will only be held accountable as far as 'ordinary hackers'. This is equally true even in extreme circumstances where the government or financial institutions are attacked, because, unlike the South African Cybercrimes Bill, the Kenyan Cybercrimes Act does not account for aggravated offences with respect to a ransomware attack.

Footnotes

[1] K Savage, P Coogan and H Lau, Security Response: The Evolution of Ransomware (Version 1.0, Symantec, Mountain View, California, USA, 2015) 5.
[2] Ibid at 7.
[3] Ibid at 9.
[4] Ibid.
[5] Ibid.
[6] Ibid at 11.
[7] Ibid at 5.
[8] Ibid.
[9] Ibid.
[10] Federal Bureau of Investigation, '"Ransomware" Locks Computer, Demand's Payment' (9 August 2012) https://www.fbi.gov/news/stories/new-internet-scam (1 August 2017).
[11] Above n 1 at 7.
[12] Ibid.
[13] Europol, 'Wannacry ransomware' https://www.europol.europa.eu/wannacry-ransomware (7 August 2017).
[14] CBS News, 'Global cyberattack strikes dozens of countries, cripples U.K. hospitals' (12 May 2017) http://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-cyberattack/ (8 August 2017).
[15] J Sharman, 'Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France' Independent (13 May 2017) http://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html (8 August 2017).
[16] See CBS News, above n 14.
[17] BBC, 'NHS cyber-attack: GPs and hospitals hit by ransomware' (13 May 2017) http://www.bbc.com/news/health-39899646 (9 August 2017).
[18] Above n 14.
[19] Ibid.
[20] E Shugarman, 'Marcus Hutchins arrest: Computer expert who "helped to end NHS cyber attack" charged with malware offences in US' Independent (3 August 2017) http://www.independent.co.uk/news/uk/home-news/marcus-hutchins-arrested-latest-us-authorities-wannacry-cyberattack-nhs-las-cegas-mccaran-a7875761.html (8 August 2017).
[21] S Mabunda, 'Applying the Gordon & Ford Categorisation and the Routine Activities Theory to Cybercrime: A Suitable Target' in P Cunningham and M Cunningham (eds), IST Africa Conference Proceedings (2017) 3.
[22] Above n 1 at 13.
[23] Ibid.
[24] MrDevStaff, 'Petya Ransomware Demonstration' (27 March 2016) https://www.youtube.com/watch?v=zOSI08mnfzM (5 August 2017).
[25] Explanatory notes (2016) 67.
[26] The Free Dictionary by Farlex.
[27] The word 'acquire' in the Bill is defined to mean to 'use, examine or capture data or any output thereof; copy data; move data to a different location in a computer system in which it is held or any other location; or to divert data from its intended destination to any other destination'.
[28] Section 14(2) of the SA Cybercrimes Bill.
[29] Section 5(2)(a)–(f) of the SA Cybercrimes Bill.
[30] Section 6(2)(a) and (b).
[31] Section 11(2).
[32] Sections 3(1), 5(1), 6(1) and 7(1) are all covered by section 11.
[33] Password, access codes or similar data or device for the purposes of this provision mean (without limitation) 'a secret code or pin, an image, a security token, an access card, any device, biometric data, or a word string of characters or numbers, used for financial transactions or user authentication to access or use data, a computer program, a computer data storage medium or a computer system'. See section 7(3).
[34] Unlawful securing of access.
[35] Cyber fraud.
[36] Cyber forgery or uttering.
[37] Section 14(4) of the SA Cybercrimes Bill.
[38] Section 4(3)(a)–(c) Kenyan Cybercrimes Act (2016).
[39] 'Access' means gaining entry, or intending to gain entry, into any program or data that is stored in a computer system where the person (a) alters, modifies or erases a program or data; or (b) copies, transfers or moves a program or data to (i) any computer system or device or storage medium other than that in which it is stored, or (ii) a different location in the same computer system, device or storage medium in which it is stored; or (c) causes it to be output from the computer in which it is held, whether by having it displayed or in any other manner; or uses it by causing the computer to execute a program or is itself a function of the program.
[40] 'Interference' means any impairment to the confidentiality, integrity or availability of a computer system, or any program or data on a computer system, or any act in relation to the computer system which impairs the operation of the computer system, program or data.
[41] Section 5(2) Kenyan Cybercrimes Act (2016).
[42] Any person who, with intent to extort or gain anything from any person, and knowing the contents of the writing, causes any person to receive any writing demanding anything from any person without reasonable or probable cause, and containing threats of any injury or detriment of any kind to be caused to any person, either by the offender or any other person, if the demand is not complied with, is guilty of a felony and is liable to imprisonment for 14 years.
[43] Section 5(1) Kenyan Cybercrimes Act (2016).

© The Author 2017. Published by Oxford University Press. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com.

Journal

Statute Law Review, Oxford University Press

Published: Oct 28, 2017
