Perhaps you did underestimate them, but all virus, and in particular, the more recent Ranswomare that steal your data and ask for a ransom, are against the law. Let’s see how to behave, and let’s understand when and if filing a complaint.

As a technician, expert, IT manager or consultant you’ve maybe given advice to your colleagues, friends and clients by facing legal questions related to the IT world with a practical approach, using some common sense. Unfortunately that could not be the best way to follow, at least if you want to avoid risks, damages or consequences on your activity.

Warning: while the reflections contained in this article apply to Italian law, they may or may not apply to other laws. Each specific italian term is specified in parenthesis for a better understanding.

All malware -that is, harmful software that snake into computers and IT systems to steal information, open ports for remote control and other perils, or encrypt data with an extortion aim- clearly violate the italian juridical system and who spreads them commits a crime which is subject to sanctions according to our penal code (codice penale, c.p.). In particular, there is not only an abusive access to an IT or telematic system (ex art.615 ter c.p.), but also the diffusion of devices or programs with the specific fraud (that is, consciously) of damaging, interrupting or altering any IT or telematic system, and we can also face the criminal hypothesis of art.615 quinquies c.p.; if a “damagement of information, data and programs” is present, the crime is condemned by art.635 bis c.p. with a basic punishment of detention for 6 months to 3 years, complaint presented, with respect to art.124 c.p., within 3 months to the news of the crime (otherwise, prosecution cannot be advanced).

But things worsen if we deal with the recent threats brought by ransomware, virus that encrypt files and ask for a ransom in order to have decryption keys. In this case it’s a crime, still not specified in the IT world, of extortion, which is regulated by art.629 c.p., in accordance with the indications given by the Ministry of Justice (Ministero della Giustizia). The crime of extortion if committed by “whoever, by means of violence or threat, obliging someone to do or omit something, gains himself or others an unfair profit with damage to a third party.” From that it would derive stricter penalties to the responsibles (basic penalty is detention from 5 to 10 years and a fine from 1.000 to 4.000€), in addition the crime to being prosecutable ex officio. Moreover, it would also derive, from the transfer of money of the ransom payment, the crime of laundering (riciclaggio) ex art.648 bis c.p. in charge to who has received and “used” money.

How to behave if hit by malware or ransomware?

In order to fight the ransomware phenomenon, sure react by filing a complaint against unknowns (denuncia contro ignoti) with postal police (Polizia Postale) within three months from the incident (if in doubt this particular case doesn’t fit in any punishable cases, you can still file a complaint that will also help the Authority to acknowledge that and proceed). Be careful that those are fraudulent crimes: there is no criminal hypothesis if the diffusion of the malware didn’t happen on purpose (in such case, it could be determined if there’s an unintentional behaviour by part of the -identified- responsible and, therefore, a civil responsibility and a compensation for any damages).

Some problems still remain. For instance, individuating and punishing responsibles: in the case of ransomware, despite a financial transaction is present, it’s impossible to track its origin because of the way Bitcoin, the digital value used to pay the ransom, works. Luckily sometimes such crimes are punished: a few months ago the Polizia di Stato di Trieste (italian police) lead an important operation called “Cryptowash” which started thanks to a complaint filed by a company hit by the virus.

When pondering whether to file a complaint or not, it’s important to perform a precautionary exam of your own situation. For instance you must be compliant with the actual regulations in terms of backup, disaster recovery and security measures described, in particular, by d.lgs. 196/2003 (Codice della Privacy, privacy code). If not, you could be addressed with fines and administrative or even penal measures.

Regarding the payment of the ransom, in addition of the obvious consideration that there is no assurance you’ll get the decryption keys after the payment, there’s a problem about the behaviour to maintain in order not to violate the law.
The appropriate piece of advice, as a rule of thumb, is not to pay the ransom and leverage backups to restore data (simplifying things a lot, prevention is better than the cure).
On the other hand our legal system, apart from special cases, doesn’t oblige a private citizen to file a complaint for every crime he/she is victim, however it’s true that fostering a crime is an unlawful behaviour, like somehow supporting criminals committing such crime.
After all, remember that “helping someone to ensure the product or profit or price of a crime” can be charged with the crime of facilitating (reato di favoreggiamento).
Furthermore, in the case of companies, the implications of the problems related to d.lgs.231/2001 should be analyzed more deeply, also regarding the evaluation about the payment with business resources, and to the possible imputability of the very same company for being responsible of a criminal offense with respect of the aforementioned law (“finanziamento della criminalità”, financing criminality).

The phenomenon, unfortunately, is ever growing and evolving thus needing, apart from this first general overview, continuous in-depth analysis.