Oxford Statement on International Law Protections in Cyberspace: The Regulation of Ransomware Operations
In the past few months, nothing has reminded everyone of the etymology of the expression "computer virus" like ransomware. This form of malicious code reaches the victim through a weakness in its defences, such as a phishing email that tricks a user into running it or password spraying against exposed login services, infiltrating the system and potentially crippling it like a disease. Specifically, ransomware encrypts the victim's data and withholds the means of recovering it, and the attacker threatens to destroy that data, or to publish a copy exfiltrated beforehand, unless a demand (commonly for money) is met. By its very design, therefore, ransomware causes adverse consequences for its intended and unintended targets. Even when the ransom is paid or the attacker's demand is eventually met, a portion of the encrypted data is frequently lost anyway, and the victim may be forced to stay offline for some time, incurring significant costs to repair or replace its systems. Where the victim serves others, for example by providing public goods such as healthcare, education, or utilities, the adverse consequences can quickly, and foreseeably, spread beyond the ransomware's initial targets. In other cases, the means by which ransomware is delivered, especially when it is delivered through or as part of a digital supply chain attack, can produce a range of cascading effects that harm entities who were not the "real" target of the operation but nonetheless suffer its consequences.