Published On: August 14th 2025
Authored By: G Hemanth
Government Law College, Chengalpattu.
ABSTRACT
The rise of ransomware, and the negotiations it forces on its victims, has triggered an intense debate about the legality and morality of negotiating with cybercriminals. This article explores whether paying ransoms should be criminalised, particularly in the Indian context, with a comparative analysis of the legal frameworks of other countries. It also analyses the legal grey areas, policy vacuums, and ethical dilemmas surrounding such negotiations, as well as the practical challenges victims face in dealing with these cybercrimes, including the pressure to restore access to critical data and to avoid reputational damage. Through legal research and a review of Indian laws, this article highlights the urgent need for rigid laws, stronger cyber defences, and targeted policy interventions to tackle the ransomware threat.
INTRODUCTION
In the current digital era, cybercrime has emerged as one of the biggest security threats facing individuals, businesses, and governments. Ransomware attacks have quickly become one of the most serious of these threats, capable of destroying a person’s financial security and reputation. By encrypting data and holding computer systems hostage, ransomware forces victims to pay the attackers a ransom, typically in Bitcoin. Ransomware attacks, which target everything from government systems and hospitals to schools, large enterprises, and small businesses, have become very frequent in recent years. These attacks can have disastrous consequences, including monetary loss, reputational damage, closure of operations, and possibly even threats to public safety. Attackers frequently exploit software vulnerabilities, malicious links, or phishing emails to gain entry, and once they have taken control of the victim’s data they demand large sums of money to decrypt it and restore the affected systems. Ransomware attacks have grown dramatically in India, with reports of escalating cyber blackmail across a number of businesses. These attacks, driven largely by India’s growing reliance on digital platforms and its inadequate cybersecurity, heighten the exposure of sensitive data. This essay explores the crucial question of whether it should be illegal to pay hackers during ransomware negotiations. It examines the legal systems of India and other countries, presents counterarguments, and assesses the moral and policy challenges, particularly in the Indian context.
THE LEGAL LANDSCAPE: GLOBAL AND INDIAN PERSPECTIVE
1. EXISTING INDIAN LAWS DEALING WITH CYBER EXTORTION:
There are significant laws in India for dealing with crimes related to cyber extortion, such as:
- CONSTITUTIONAL PROVISIONS
Victims of ransomware attacks are protected by the Right to Privacy, Security, and Protection of personal data[1]. Additionally, ransomware attacks frequently impair governance and the Right to access information, which is protected under Article 19[2]. Many other rights of victims are affected by ransomware attacks, including infringement of the freedom to practise any profession, violation of the right to equality, and contravention of public policy and social welfare, as well as the payment of ransoms in unregulated cryptocurrencies.
- THE INFORMATION TECHNOLOGY (IT) ACT, 2000
The IT Act is the legal framework enacted to deal with cybercrimes and electronic commerce[3]. It promotes the lawful conduct of digital transactions and seeks to reduce cybercrime. Several of its provisions address cyber extortion, imposing liability on attackers for unauthorised access, for downloading the victim’s data without authorisation, and for introducing malicious software that damages computer systems dishonestly or fraudulently, and prescribing penalties for such attackers.
- BHARATIYA NYAYA SANHITA (BNS), 2023
BNS is the statute that replaces the Indian Penal Code (IPC), 1860, and aims to modernise India’s criminal justice system by addressing technological advancements and social needs. Its central responsibility is to ensure justice for the victims of criminal activity. In the context of cyber extortion, BNS contains key provisions such as punishment for the offence of ‘Extortion’, and the crime of ransomware attacks can also be charged as ‘Organised crime’[4].
2. COMPARATIVE ANALYSIS OF INDIAN LAWS WITH OTHER COUNTRIES:
- UNITED KINGDOM (UK)
While the UK does not have a separate law regulating ransomware payments, its legislature indirectly regulates such payments through statutes, namely the Proceeds of Crime Act, 2002[5] and the Terrorism Act, 2000[6], together with guidance from the National Cyber Security Centre (NCSC)[7]. Though these statutes do not criminalise ransom payments as such, they make such payments legally risky, especially where the recipients are linked to terrorism or organised crime.
- UNITED STATES OF AMERICA (USA)
The USA has strict regulations and enforcement mechanisms dealing with ransomware negotiations, through instruments such as the OFAC (Office of Foreign Assets Control) Advisory, 2020[8], and the Cyber Incident Reporting for Critical Infrastructure Act, 2022[9]. While ransom payments are not universally criminalised, payments to sanctioned ransomware groups are strictly prohibited, and mandatory reporting requirements make ransomware negotiations more transparent, which helps to discourage such payments.
- INTERNATIONAL CONVENTIONS
Although international conventions do not explicitly regulate ransom payments, some of them indirectly shield people from such attacks, such as the Budapest Convention on Cybercrime (2001)[10], the Paris Call for Trust and Security in Cyberspace (2018)[11], and the OECD Recommendations on Countering Ransomware (2021)[12]. Despite these conventions, stronger laws and enforcement mechanisms are needed worldwide to prevent ransomware negotiations and strengthen cyber defence.
- COMPARISON WITH INDIAN LAWS
Compared to the laws of the UK and the USA, India lacks explicit legal provisions governing ransom negotiations[13]. The UK permits such payments but imposes strict regulations, particularly prohibiting payments to terrorists or to entities sanctioned under UK law. In the USA, ransom payments are not explicitly illegal, but payments to sanctioned groups are strictly prohibited, as in the UK. Moreover, both the UK and the USA emphasise mandatory reporting and preventive measures; India lacks these reporting requirements, which leaves victims in a regulatory grey area.
ETHICS AND POLICY DILEMMAS
1. SHOULD VICTIMS BE BLAMED FOR PAYING RANSOM?
The act of paying a ransom in a ransomware attack now triggers ethical debate. On one side, victims of cyber extortion pay a ransom to regain access to their data. On the other side, such ransoms may fund organised crime or terrorism, directly or indirectly[14]. Countries like the USA and the UK take a firm stand against ransom payments by treating them as potentially illegal under their laws. India, by contrast, lacks a specific legal stance, which makes it more difficult to hold attackers liable for such cybercrime[15].
2. DUTY TO REPORT ATTACKS VS. FEAR OF REPUTATIONAL DAMAGE:
Mandatory reporting of ransomware incidents by victims helps law enforcement to prevent future attacks on others as far as possible. But individuals and organisations often fear reputational damage[16] and regulatory scrutiny. In India, there is no mandatory reporting of ransomware attacks to the government, which creates a policy gap and leaves attackers effectively beyond the reach of regulation.
3. CAN LEGISLATIVE BODIES REGULATE RANSOMWARE NEGOTIATIONS?
In recent years, there has been a growing trend among governments of different nations to regulate ransomware negotiations. For instance, the USA indirectly controls ransomware payments through its sanctions framework, and the UK’s legal regime strongly prohibits payments linked to organised crime or terrorism. India, however, has no explicit laws regulating ransomware negotiations[17]; it should introduce laws to ban, regulate, or monitor such negotiations, as far as is practically possible.
4. ROLE OF CYBER-INSURANCE:
Cyber-insurance plays a crucial role for victims of ransomware attacks by helping them recover access to their data and by covering various expenses related to security incidents, such as payouts for data breaches, affected operational costs, and system restoration. In countries like the USA, the UK, and the EU, insurers are restricted from reimbursing ransom payments that violate the law. In India, however, the cyber-insurance market is evolving slowly, and the absence of legal clarity on ransomware negotiations creates ambiguity. Introducing new policies to regulate ransomware attacks would create guidelines for the scope of cyber-insurance in India[18].
CHALLENGES IN RANSOMWARE NEGOTIATION: THE INDIAN CONTEXT
1. GROWING VULNERABILITY TO RANSOMWARE:
India’s rapid digitalisation also expands the opportunities for ransomware attackers. Confidential data held by healthcare, banking, education[19], and governmental organisations is frequently targeted by ransomware attacks. The main reason for this vulnerability is over-reliance on digital infrastructure[20].
2. ABSENCE OF AWARENESS AMONG PEOPLE:
There is a lack of awareness among the public, business organisations, and even governmental entities, reflected in poor basic cyber hygiene and discipline. Other reasons for this lack of awareness include low literacy rates and a lack of proper knowledge about cybersecurity[21].
3. WEAK CYBERSECURITY INFRASTRUCTURE
India’s cyber-defence infrastructure is inadequate, as SMEs (Small and Medium Enterprises) and smaller organisations operate with poor cyber hygiene. Cybersecurity laws like the IT Act (2000) often have inadequate provisions to deal with ransomware negotiations[22].
4. LIMITED INTERNATIONAL CO-OPERATION:
In this digital era, ransomware attacks affect people worldwide. However, India’s participation in international cybercrime frameworks remains limited. This limited involvement results in less aid and assistance from other countries for the damage caused by ransomware attacks[23].
5. INADEQUATE MANDATORY REPORTING:
Ransomware attacks now occur at a significantly high rate, and many incidents go unreported because of the fear of reputational damage[24]. As a result, the government cannot effectively contribute to preventing ransomware negotiations. Other reasons for the lack of reporting include poor knowledge about cybersecurity and a lack of awareness about ransomware negotiations.
RECOMMENDATIONS
1. CREATING AWARENESS NATIONWIDE:
The government should run programmes to raise awareness of cyber hygiene among individuals, businesses, and governmental organisations so that they can protect their data from ransomware attacks[25].
2. CLARIFYING LEGAL GUIDELINES:
Ransom negotiations can be deterred by strict, rigid laws that leave no grey areas, which requires formulating or amending cyber-related laws[26]. This can be done by finding and closing loopholes in the law, imposing a duty on citizens to report incidents, formulating schemes for compensation for data loss, and so on.
3. STRENGTHEN CYBER DEFENCE:
Our nation critically lacks a strong cyber defence, and it should be strengthened by investing funds and enhancing the capacity of CERT-In (the Indian Computer Emergency Response Team) and other cybersecurity agencies to tackle ransomware threats[27].
4. MANDATING INCIDENT REPORTING:
The government must encourage mandatory reporting by keeping victims’ identities confidential, which helps them overcome the fear of reputational damage, by creating an ombudsman to receive complaints about ransomware incidents, and by empowering enforcement mechanisms to curb ransomware negotiations.
5. INTERNATIONAL CO-OPERATION:
Ransomware attacks have become a worldwide threat. India should therefore engage with global cybersecurity programmes, which strengthens cyber defence globally and protects against ransomware negotiations[28].
CONCLUSION
Ransomware attacks have become more frequent and aggressive, and the dilemma over criminalising ransom payments remains complex. While criminalising ransomware negotiations may deter future ransom payments, it may also endanger victims who have no other remedy. India currently lacks explicit legal provisions addressing ransomware negotiations, whereas countries like the UK and the USA are taking a strong stand against ransomware payments through sanctions and reporting obligations. India should follow a balanced approach that includes legal clarity, mandatory ransomware incident reporting and response mechanisms, and investment in stronger cyber defences.
REFERENCES
- Information Technology Act 2000, ss 43, 66, 66F.
- Bharatiya Nyaya Sanhita 2023, ss 69, 113.
- Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1.
- Constitution of India, arts 14, 19, 21.
- Proceeds of Crime Act 2002 (UK).
- Terrorism Act 2000 (UK).
- National Cyber Security Centre (UK), Guidance on Ransomware and Extortion Attacks (2021).
- US Department of the Treasury, OFAC Advisory to Companies Regarding Ransomware Payments (2020).
- Cyber Incident Reporting for Critical Infrastructure Act 2022 (USA).
- Council of Europe, Convention on Cybercrime (Budapest Convention) ETS No 185, 2001.
- Paris Call for Trust and Security in Cyberspace (2018).
- OECD, Recommendations on Countering Ransomware (2021).
- Ministry of Electronics and Information Technology (MeitY), National Cyber Security Policy (2013).
- Rajeev Chandrasekhar, ‘India’s Growing Cybersecurity Risks’ (MeitY, 2023).
- Raghavan P, ‘Ransomware Attacks Rise in India: Cybersecurity Preparedness Still Low’ The Hindu (July 2022).
- United Nations Office on Drugs and Crime, The Global Threat of Cybercrime (UNODC, 2020).
- NITI Aayog, India’s Approach to Data Protection and Cybersecurity (Policy Paper, 2021).
- CERT-In, Cyber Incident Reporting Guidelines for Service Providers, Intermediaries, Data Centres, and Government Organisations (India, 2022).
- ENISA, Cyber Insurance: Recent Advances and Challenges (European Union Agency for Cybersecurity, 2021).
- S Subramanian, ‘The Ethics of Paying Ransoms in India’s Cyber Landscape’ Economic & Political Weekly (Vol 57, No 10, 2023).
[1] Constitution of India, art 21.
[2] Constitution of India, art 19(1)(a).
[3] Information Technology Act 2000, ss 43, 66, 66B, 66C, 66D, 70.
[4] Bharatiya Nyaya Sanhita 2023, ss 303, 111 (Organised Crime).
[5] Proceeds of Crime Act 2002 (UK).
[6] Terrorism Act 2000 (UK).
[7] National Cyber Security Centre, ‘Ransomware Guidance’ (2021).
[8] US Department of the Treasury, Office of Foreign Assets Control, ‘Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (1 October 2020).
[9] Cyber Incident Reporting for Critical Infrastructure Act 2022 (US).
[10] Convention on Cybercrime (adopted 23 November 2001, entered into force 1 July 2004) ETS No 185.
[11] Paris Call for Trust and Security in Cyberspace (2018), French Ministry for Europe and Foreign Affairs.
[12] OECD, ‘Recommendation on Countering Ransomware’ (2021).
[13] Arvind Ramesh, ‘Comparative Legal Approaches to Ransomware Crimes: India, US, and UK’ (2023) 6 National Law Review.
[14] Office of Foreign Assets Control (n 8); Terrorism Act 2000 (UK) (n 6).
[15] Ramesh (n 13).
[16] Financial Times, ‘Firms Fear Reputational Damage More than Financial Loss from Cyberattacks’ (15 February 2022).
[17] R Mitra, ‘Legal Regulation of Ransomware in India: A Missed Opportunity?’ (2023) 18 Indian Journal of Law & Technology.
[18] Gartner, ‘Market Guide for Cyber Insurance’ (2022).
[19] National Crime Records Bureau, ‘Cyber Crime Report’ (2022).
[20] Press Information Bureau, ‘Digital India Programme – Achievements and Gaps’ (2023).
[21] NASSCOM-DSCI, ‘Cybersecurity Workforce Demand in India’ (2024).
[22] Information Technology Act 2000, ss 43, 66, 66B, 66C, 66D, 70.
[23] Economic Times, ‘India’s International Legal Commitments on Cybersecurity Still Nascent’ (July 2023).
[24] Financial Times (n 16); Mitra (n 17).
[25] Ministry of Home Affairs, ‘Cyber Crime Coordination Centre (I4C): Annual Report’ (2022).
[26] Information Technology Act 2000 (n 3); Bharatiya Nyaya Sanhita 2023 (n 4).
[27] CERT-In, Cyber Incident Reporting Guidelines for Service Providers, Intermediaries, Data Centres, and Government Organisations (India, 2022).
[28] United Nations Office on Drugs and Crime, ‘International Cooperation in Cybercrime Investigations’ (2020).