Criminal Liability For Cyber Extortion Using Ransomware
Cyber extortion via ransomware involves using malicious software to encrypt or block access to a victim’s data and then demanding a ransom (usually money or cryptocurrency) in exchange for restoring access. This is a serious cybercrime because it threatens businesses, critical infrastructure, healthcare systems, and personal data, often causing severe financial and operational damage.
Key Forms of Ransomware Cyber Extortion
Encryption Ransomware – Encrypting files and demanding payment for the decryption key.
DDoS Ransomware – Threatening denial-of-service attacks unless a ransom is paid.
Double Extortion – Encrypting data and threatening to publicly release sensitive information.
Targeted Attacks on Critical Infrastructure – Hospitals, power grids, and city services.
Automated Mass Attacks – Spreading ransomware broadly via phishing emails or malware.
Legal Grounds for Liability
Computer Crime Laws – e.g., Computer Fraud and Abuse Act (CFAA, U.S.), IT Act (India, Sections 66C, 66D, 66F)
Extortion and Blackmail Laws
Fraud, Money Laundering, and Conspiracy Statutes
Cyberterrorism Provisions (for attacks on critical infrastructure)
Penalties: Imprisonment, fines, seizure of assets, and restitution to victims.
Case Law Examples
1. U.S. v. Evgeniy Bogachev (2019) – GameOver Zeus and Ransomware
Jurisdiction: United States
Key Issue: Ransomware deployment and cyber extortion.
Facts
Evgeniy Bogachev, a Russian hacker, operated the GameOver Zeus botnet that deployed ransomware to steal personal and financial information. Victims were extorted for ransom payments in exchange for decrypting data.
Legal Findings
Charged under the Computer Fraud and Abuse Act (CFAA), wire fraud, and money laundering statutes.
U.S. authorities sought extradition and fines exceeding $100 million in restitution.
Demonstrated that cyber extortion via ransomware constitutes serious federal crimes.
Significance
First major case linking botnets, ransomware, and international cyber extortion.
Highlighted challenges in prosecuting hackers outside national jurisdiction.
2. U.S. v. Marcus Hutchins (2017) – WannaCry Ransomware Connections
Jurisdiction: United States / UK
Key Issue: Involvement in ransomware creation and distribution.
Facts
Marcus Hutchins, a British cybersecurity researcher, was implicated in developing malware that was later used in the WannaCry ransomware attack, which affected hundreds of thousands of systems globally.
Legal Findings
Pleaded guilty to malware distribution and conspiracy to commit computer fraud.
Sentenced to time served and supervised release, due to cooperation in mitigating threats.
Significance
Showed criminal liability for software development intended for ransomware distribution, even if mitigation occurs later.
Emphasized the importance of intent in ransomware-related crimes.
3. India – Andhra Pradesh Hospital Ransomware Case (2020)
Jurisdiction: India
Key Issue: Targeted ransomware attack on healthcare infrastructure.
Facts
A ransomware attack on a hospital in Andhra Pradesh encrypted patient records. Hackers demanded cryptocurrency to release the data, threatening patient safety.
Legal Findings
Charged under IT Act Sections 66C (identity theft), 66D (cheating), and 66F (cyber terrorism).
Arrests were made, and perpetrators faced imprisonment and fines.
The case marked one of the first high-profile ransomware prosecutions in India targeting hospitals.
Significance
Demonstrates liability for cyber extortion in critical services, where public safety is at risk.
Shows that Indian cyber laws include cyber terrorism provisions for ransomware extortion.
4. U.S. v. Joshua Molnar and Matthew Martini (2018) – Locky Ransomware
Jurisdiction: United States
Key Issue: Distribution of ransomware and extortion.
Facts
Molnar and Martini distributed Locky ransomware via phishing campaigns, infecting businesses and individuals and demanding payment in Bitcoin for file decryption.
Legal Findings
Charged under CFAA, wire fraud, and conspiracy to commit computer fraud.
Sentenced to 6–8 years imprisonment, along with forfeiture of illicit proceeds.
Significance
Highlights criminal liability for mass-distribution ransomware campaigns.
Reinforces that phishing coupled with ransomware constitutes cyber extortion under federal law.
5. Colonial Pipeline Ransomware Attack (U.S., 2021)
Jurisdiction: United States
Key Issue: Cyber extortion targeting critical infrastructure.
Facts
The Colonial Pipeline ransomware attack shut down a major fuel supply chain in the U.S., with hackers demanding $4.4 million in cryptocurrency to restore systems.
Legal Findings
The FBI identified and partially recovered the ransom paid.
While U.S. prosecutions are ongoing, the case is cited under federal extortion, computer fraud, and cyberterrorism frameworks.
Significance
Demonstrates liability for ransomware targeting critical infrastructure.
Highlights potential prosecution under cyberterrorism laws in addition to traditional extortion.
6. U.K. – WannaCry Prosecution of British Nationals (2018)
Jurisdiction: United Kingdom
Key Issue: Ransomware attack and global cyber extortion.
Facts
Several British nationals were implicated in facilitating or distributing ransomware versions of WannaCry, encrypting data and demanding Bitcoin ransoms globally.
Legal Findings
Charged under the Computer Misuse Act 1990, fraud, and conspiracy laws.
Convicted individuals received imprisonment and fines.
Significance
Shows that ransomware liability is extraterritorial, affecting multiple countries’ laws.
Highlights that conspiracy to commit cyber extortion is criminal even without direct financial gain by the hacker in the local jurisdiction.
Key Legal Principles from These Cases
Intent Matters: Criminal liability arises if ransomware is deployed with intent to extort, harm, or disrupt systems.
Scope of Liability: Hackers, developers, distributors, and conspirators can all be held criminally liable.
Critical Infrastructure: Targeting hospitals, pipelines, or public services can trigger cyberterrorism provisions.
International Jurisdiction: Many ransomware cases involve cross-border enforcement, requiring international cooperation.
Severe Penalties: Convictions can result in long-term imprisonment, fines, asset forfeiture, and restitution.
Digital Evidence: Prosecuting cyber extortion relies on forensic tracking of malware, cryptocurrency transactions, and phishing methods.
