A Dark Root in Cyber Space
In today’s world, every country goes to great lengths to secure itself against online cyber threats and attacks. Dominos India is the most recent victim of such an attack, in which the order details of 18 crore pizza orders (including 130TB of worker information records and clients’ details) were leaked. The attackers responsible for the data breach also set up a page on the dark web that retrieves the details of any customer. The information has been made openly accessible, and anybody can search it without difficulty.
The infamous Air India-SITA breach, the Colonial Pipeline case, the UHBVN ransomware attack, and the attack on Ireland’s health service have raised serious questions about how secure and protected cyberspace is around the world. Hackers have developed various weapons in cyberspace that help them crack and break through a secure firewall, get into these systems, and steal or encrypt users’ data.
Understanding the concept of Ransomware Software (#St.PetersburgParadox)
Ransomware (cyber extortion) is malicious software planted illegally on the victim’s computer, either through an email attachment (in the form of .exe attachments) or through corrupted video files (in the form of .mp4.exe), that encrypts the computer’s data until the victim pays the demanded ransom. The payment demanded by such software is in the form of bitcoins. The wider availability, accessibility, and increased use of the internet in corporate as well as domestic life sometimes results in people becoming unfortunate victims of such ransomware or cyber-attacks.
History and Evolution of the Cyber Extortion Industry
The first attack (termed PC Cyborg) took place in 1989, when 20,000 floppy disks containing a malicious program were given to AIDS researchers. The software remained dormant on the victim’s PC until the PC had been powered on 90 times. Once activated, the program encrypted the user’s device until the victim had made a certain payment for the software lease. Unlike early ransomware developers, who created their own encryption code, today’s attackers are developing and evolving techniques that allow them to penetrate any device easily and that make the encryption harder to crack. In this era, attackers generally use spam, spear phishing, and watering hole techniques that easily infect the user’s computer, instead of traditional techniques such as phishing emails or corrupt floppy disks.
Research suggests that ransom payment sums are rising. However, the combined cost of the harm resulting from such attacks is far worse, nearly doubling from an estimated $11.5 billion in 2019 to $20 billion in 2020. Generally, victims are given a deadline for the payment, and upon non-payment, either the files are destroyed or the ransom is doubled.
CryptoLocker was the most lethal and profitable malware attack of its time. The report showed that between September and December 2013, the software had infected more than 2,50,000 systems. However, once it became possible to recover files encrypted by the malicious software, other ransomware such as CryptoWall and TorrentLocker was born. CryptoWall was in use until 2016, targeting many business corporations. In 2015, CryptoWall extracted over $18 million from its victims.
In 2015, nearly 160 individuals were affected by another piece of software named TeslaCrypt, which extracted $76,522 from those victims. The victims were made to pay the ransoms in bitcoins. The reports also showed that the victims sometimes used digital wallet apps like PayPal or My Cash cards.
Existing Cyber Laws to Combat Cyber Extortion Attacks in India
With the world’s increased dependence upon the internet and the rapid development of cyberspace, there has been a rapid rise in network-related crimes. With countries around the world witnessing increasing cases of hacking, data theft, ransomware attacks, cyberstalking, obscenity, child pornography, and the like, India enacted the Information Technology Act, 2000 to combat cybercrimes. Before the Information Technology (Amendment) Act, 2008, the statute was not competent to deal with cybercrime offenders. Although the statute gave legal recognition to electronic commerce, it failed to deal with network-related crimes.
However, with the evolution and rapid development of network-related crimes, an amendment to the Information Technology Act, 2000 was introduced, and it led to major changes:
- Amended older provisions and introduced new provisions in the Indian Evidence Act, 1872.
- Covered and defined a wide variety of technology-enabled crimes.
- Provided the Government of India with the power of surveillance, monitoring and blocking data traffic.
Therefore, with the Information Technology (Amendment) Act, 2008, the IT Act became dynamic in nature and capable of penalizing cybercriminals.
The following are the provisions in the Information Technology Act, 2000 that penalize cybercriminals (punishment for the offense ranging from two years to life imprisonment, and a fine, or both) and prevent ransomware attacks in India.
Punishment under Information Technology Act, 2000
In a ransomware attack, if the attacker has infected the victim’s computer or any other device with a computer virus or worm, or has breached the victim’s privacy, the offender will be charged under Sections 43(c) and 43(e) read with Section 66 of the Information Technology Act, 2000.
Section 66E. Punishment for violation of privacy -: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
In a ransomware attack, if the attacker has infected the victim’s computer or any other device with a computer virus or worm, the offender will be charged under Sections 43(c) and 43(e) read with Section 66 of the Information Technology Act, 2000.
Section 66F. Punishment for cyber terrorism -: (1) Whoever, –
(A) with intent to threaten the unity, integrity, security, or sovereignty of India or to strike terror in the people or any section of the people by–
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70; or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer data base that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer data base, with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise,
commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life
Section 70. Protected system -: (1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.
Section 72. Penalty for Breach of confidentiality and privacy -: Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Punishment Under Indian Penal Code, 1860
In a ransomware attack where the offender has infringed the victim’s right to privacy and has committed the offence of voyeurism against the plaintiff, the accused will be held liable under Section 354C of the Indian Penal Code, 1860.
354C. Voyeurism.—Any man who watches, or captures the image of a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator or disseminates such image shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years, and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.
If the accused has installed ransomware on the plaintiff’s device illegally and without his/her consent, the defendant will be charged under Sections 426 and 427 of the Indian Penal Code, 1860.
Section 426. Punishment for mischief. -Whoever commits mischief shall be punished with imprisonment of either description for a term which may extend to three months, or with fine, or with both.
Section 427. Mischief causing damage to the amount of fifty rupees. – Whoever commits mischief and thereby causes loss or damage to the amount of fifty rupees or upwards, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.
Apart from criminal liability, a ransomware attack on a plaintiff’s device may also impose civil liability on the accused. The accused can be booked for Trespass to Goods. Since a ransomware attack is intentional harm to the victim’s computer without his/her consent, the offence could be triggered, and the accused will be charged with it.
Cybercrime has been the only part of the criminal industry that has promised staggering results. As we can see, individuals as well as business corporations in every country have been victims of the cybercrime industry. The malicious software or ransomware planted on victims’ computers has not only earned attackers their demanded ransom but has also shown the world a real picture of the ransomware industry. It is high time that each country adopted new means and strengthened its laws to fight these online threats and malicious software. We have witnessed several instances in which India’s business corporations have fallen victim to this ransomware industry, and if proper measures are not adopted, the industry will itself become influential enough to significantly impact the nation’s future economy and security.