In this digital age, it may not be out of place to say that data has replaced oil as the most valuable resource. The advancement of technology has led to the emergence of a new species of extortion, where ransom is sought in lieu of data, which is illegally assumed control over. This phenomenon is popularly known as a ransomware attack. A ransomware attack includes a malware that is introduced onto the host’s computer or mobile, thereby encrypting its data, with a subsequent demand for a ‘ransom’ for decryption of the same, to secure its release[i].
B. Modus Operandi of a Ransomware Attack
A ransomware attack entails the following five distinct phases[ii]:
- Initiation and Setup Phase – The hacker identifies the target and gathers relevant information from open public and available sources. This may also involve setting up bogus websites and/or a flurry of phishing fraudulent emails.
- Infection Phase –The attacker selects the medium of attack and uses pre-decided methods to introduce malware onto the host’s computer device.
- Encryption Phase –The malware encrypts the target data stored on the host’s servers, while deleting any backup that may be present.
- Extortion Phase – The victim usually receives a communication for the payment of the ransom amount in return for a decryption tool/ key to release the data. Such payment is often demanded through pseudo-anonymous mediums (recently through cryptocurrencies) in an attempt to prevent tracking of the transactions. Pertinently, due to the pseudo-anonymity of cryptocurrencies, coupled with the fact that it only records a public address, comprising a string of random numbers and letters[iii], cryptocurrencies are one of the preferred modes of payment of ransom for such transactions.
- Decryption Phase –The victim, if he/ she has complied with the demands of the attacker, receives a decryption tool to regain control of the data, without any guarantee.
C. Legislative Framework in India
A ransomware attack is not only penal in nature, but also directly in the teeth of the fundamental right to privacy, enshrined under Article 21 of the Constitution of India[iv]. A ransomware attack, subject to the facts and circumstances of each case, may constitute an array of offences including, criminal conspiracy, theft, extortion, cheating, dishonest inducement of property, fraudulent removal/concealment of property, mischief and/or criminal intimidation under Sections 120A, 120B, 378, 379, 383, 384, 415, 416, 417, 419, 420, 424, 425, 426 and 503 of the Indian Penal Code, 1860 (“IPC”), respectively.
However, the Indian legislature has enacted a special statute, i.e., the Information Technology Act 2000 (“IT Act”), along with rules framed thereunder to deal with electronic governance and cybercrimes. The provisions of the IT Act have an overriding effect over any other law for the time being in force[v].
A ransomware attack often results in concealment, damage, disruption, theft, alteration, deletion of data or a computer code, programme, system, network, and includes the introduction and/ or spread of virus therein. The relevant provisions of the IT Act applicable to such acts, inter alia are:
- Section 43, read with section 66: Damage to a computer/ computer system without the owner’s consent, punishable with imprisonment of up to three years or a fine or Rs. 5,00,000/- or both.
- Section 65: Tampering with computer source documents, punishable with imprisonment of up to three years or with a maximum fine of Rs. 3,00,000/-.
- Section 66D: Cheating by personation by using computer resource, punishable with imprisonment, which may extend to three years and a maximum fine of Rs. 1,00,000/-.
Additionally, there exists an obligation on a body corporate, which is in possession of sensitive personal data, to undertake and implement reasonable security practices to secure the stored data under Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Further, the Companies (Management and Administration) Rules 2014, framed under the Companies Act 2013, also require companies to ensure that electronic records and security systems are secure from unauthorised access and tampering. In case of any information security breach, such corporations are required to show to the authorities that the prescribed security control measures had been in fact implemented[vi]. Any lapse on the part of such body corporates shall attract charges under Section 43A of the IT Act and they will be required to compensate all those affected because of such breach.
Lastly, ransomware attacks, which threaten the unity, integrity, security or sovereignty of India and/ or are targeted to strike terror in people and by means of such conduct cause or are likely to cause death or injuries/ damage/ destruction to people/ property or in any manner affect the security of the State or foreign relations, or any restricted information, data or computer database, are considered “cyber terrorism” under Section 66F of the IT Act, and are punishable with imprisonment, which may extend to life imprisonment.
It is clear that ransomware attacks are substantially covered under the IT Act and the rules framed thereunder. Provisions of both the IT Act and the IPC may be invoked in the event of a ransomware attack. However, Courts in India, in order to avoid double jeopardy and/ or any possible conflict between the two legislations, have held that since the IT Act (being a special and later enactment) contains a special mechanism to deal with the offences falling within its purview, the invocation and application of the provisions of the IPC to the same set of facts, where the ingredients of the offences under the IT Act and the IPC are the same, is not permissible[vii]. Accordingly, as observed by the Apex Court in the case of State of Uttar Pradesh v. Aman Mittal & Anr. (obiter), it may not be out of place to state that, if an offence is made out under the provisions of a special enactment like the IT Act, the same offence cannot be charged under the provisions of the IPC.[viii]
D. Remedial Infrastructure
- CERT-In: In accordance with the CERT Rules[ix], read with Section 70B of the IT Act, the Computer Emergency Response Team (“CERT-In”) has been established as a trusted agency inter-alia for responding to cyber security incidents[x]. Any individual or a corporation may report a ransomware attack with CERT-In and basis the type and severity of the incident and the resources available with CERT-In, a quick response with an aim to minimise any further damage or loss of information shall be made in the shortest possible time[xi]. Such reporting is also facilitated through an Incident Response Help Desk on a 24-hour basis, accessible on CERT-In’s official website[xii]. It is also pertinent to state that certain cybersecurity breaches, including various forms of ransomware attacks are mandatorily required to be reported to CERT-In by inter-alia body corporates and intermediaries, for timely remedial action[xiii].
- NCIIPC: The National Critical Information Infrastructure Protection Centre (“NCIIPC”) has been established under the NCIIPC Rules[xiv], read with Section 70A of the IT Act. It undertakes measures to protect the nation’s central information infrastructure (“CII”)[xv]. It is a nodal agency to provide strategic leadership and coherence across the government to respond to cyber security threats, including a ransomware attack against identified CII[xvi]. It also maintains a 24*7 helpdesk to facilitate reporting of any incidents[xvii].
- Cyber Cells: In addition to the above, in the event any individual/ corporation is a target of a ransomware attack, an FIR may be lodged with the local police station under the relevant sections of the IT Act (and/or the IPC), which shall be further investigated into by the cyber-crime cell. The Indian courts shall have the jurisdiction to conduct a trial of all the offences committed under the IT Act, as per the due procedure laid down under the Code of Criminal Procedure, 1973[xviii].
- Adjudicating Authority under the IT Act: A complaint may also be made to the Adjudicating Authority established under Section 46 of the IT Act, which has the powers of a civil court to the extent and for the purposes mentioned therein.[xix]
- Civil Suit: A person affected/ prejudiced by a ransomware attack also has the option of initiating appropriate civil proceedings in relation to the incident, under appropriate legal advice. In fact, in a recent landmark English High Court judgment, a Mareva/ freezing injunction was sought by the ransomware attack-victim, where ransom was paid in the form of crypto currency and/ or any other form of pseudo-anonymous digital currency.[xx] A Mareva injunction is an order of a court to a party or other persons, over whom the court has jurisdiction, directing the way in which the property is to be retained or dealt with so as to ensure that the property will be available to satisfy any judgement in action[xxi].
Ransomware attacks are a global phenomenon and are on the rise, across business and critical sovereign infrastructure. Ransomware attacks, and other malicious attempts to access/ steal/ control data, will only rise as more businesses go digital. Such rise in ransomware attacks has only been exacerbated by the Covid-19 pandemic, with most businesses allowing employees to work from home. As far as our foreign counterparts are concerned, the EU has established a European Data Protection Board, which has formulated guidelines, laying down a comprehensive list of examples regarding data breach notifications[xxii]. These guidelines have, inter-alia, (a) categorised ransomware attacks based on a variety of aspects, for instance, their nature and veracity, preparedness of the victim in question, prior measures and risk assessment that ought to have been carried out, and so on; (b) provided for detailed mitigation steps; and (c) laid down the obligations cast upon organisations, in possession of sensitive data.
Moreover, Singapore has enacted a comprehensive data protection law, namely the Personal Data Protection Act, 2012 (‘PDP Act’). This act sets up a Personal Data Protection Commission, entrusted with the task of administering and enforcing the data protection law, while adjudicating any proceedings that may arise under it. For instance, in a recent judgement, the commission imposed a penalty of 8000 dollars against an organisation, which was a victim of a ransomware attack due to its failure to implement reasonable security provisions for data protection as provided for under the PDP Act[xxiii].
Considering the rapid rise in cybercrimes, including ransomware attacks, and to meet the ever-increasing demand for a secure cyber infrastructure, the Government of India over time has taken several legal, technical, and administrative policy measures[xxiv]. These include inter-alia the National Cyber Security Policy (2013)[xxv], enactment of the IT Act and setting-up of CERT-In, NCIIPC, Cyber Crimes Research and Development Unit, Cyber Crime Investigation Cell, etc. Additionally, the Joint Parliamentary Committee (“JPC”) of the Lok Sabha has recently finalised and adopted the Data Protection Bill, 2021 (“DPB”). The JPC in its report dated December 16, 2021[xxvi] (“JPC Report” ), has duly recognised the fundamental role of data security and emphasised on protection against deliberate as well as any accidental loss and/ or destruction and/ or breach of data[xxvii]. The implementation of the DPB (including the recommendations of the JPC) shall be a pertinent step in fulfilling the void in India’s data security mechanism, more particularly in dealing with the menace of ransomware attacks as:
- It imposes restrictions on retention of personal data and prohibits a data fiduciary from retaining any personal data beyond the period necessary to satisfy the purpose for which it is processed. The data fiduciary is obligated to delete the personal data at the expiry of such period[xxviii];
- It deals with data breaches of both, personal and non-personal data, and casts a mandatory obligation on a data fiduciary to report a data breach as well as the remedial steps taken by it in response thereto to the Data Protection Authority (“DPA”) within 72 hours of becoming aware of such a breach. The DPA reserves the right to (i) report the said data breach to the data principal, after taking into account the personal data breach and the severity of the harm that may be caused to the data principal; and/ or (ii) direct the data fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused[xxix]. Additionally, a data fiduciary is also obligated to inter-alia carry out data protection impact assessment, data audit and appoint a data protection officer[xxx];
- It penalizes the data fiduciary for a maximum amount of five crore rupees or two percent of its total worldwide turnover in the preceding financial year, whichever is higher[xxxi], in the event of any contravention of its obligations.
(The above is indicative and in no manner exhaustive.)
However, despite the aforestated, India remains one of the favourites and a top target for the perpetrators of ransomware attacks. In India alone, the plague of cybercrimes is rampant, with the National Crimes Records Bureau data showing that such crimes have nearly doubled from 2018 till 2020[xxxii]. There is an alarming and an urgent need for a framework for data protection to reduce vulnerabilities surrounding data security. The DPB (including the recommendations of the JPC), is still a long way from being enacted, and may be required to be further amended, more particularly to include a robust mechanism to deal with ransomware attacks. Moreover, the impact of any (potential) ban on all private cryptocurrency on such ransomware attacks (or at least the monetization of such attacks) is yet to be studied/ considered.
It’s better to be safe than sorry. Cybersecurity breaches, including ransomware attacks, are here to stay. In most cases, it’s not a question of “if”, it’s a question of “when”. To best prepare for such an incident or eventuality, organisations can consider inter alia the following to best protect themselves –
- Apply for or maintain appropriate insurance, to cover such incidents;
- Ensure all computer resources, whether connected to the internet or not, are regularly updated (including in relation to security patches);
- Take periodic backups of data, and consider storing the backup data on mediums not connected to the internet;
- Appropriately educate and train employees and individuals in the organisation in relation to such incidents, both on how to avoid and how to deal with cyber security breaches;
- Appoint appropriate security experts for network penetration testing and security audits, identify vulnerabilities and plug the gaps;
- Invest in top of the line anti-virus/ anti-ransomware software, and keep the same updated;
Even the best laid plans of mice and men oft go astray. It is therefore imperative to put in place a standard operating procedure, to be followed in the event of a cyber security breach. Some of the things an organisation must consider, as part of such SOP, are –
- Don’t panic, follow the SOP (which, ideally, should cover inter alia the following);
- Disconnect the infected computer resource(s) from the organisation’s network, and isolate the malware;
- Identify the vulnerability, and plug all leaks;
- Intimate and activate your emergency taskforce. This should ideally be a mix of internal and external IT resources, security experts/ consultants, forensic consultants, inhouse and external Counsel, Business and PR teams;
- Carry out a thorough and threadbare forensic audit of the IT infrastructure;
- Inform appropriate authorities, make necessary disclosures/ reporting and take remedial action;
- Assess exposure on account of the breach, plan and initiate a legal strategy.
*The authors were assisted by Intern, Agneya Gopinath
[i] See Alert (TA16-091A): Ransomware and Recent Variants, U.S. COMPUTER EMERGENCY READINESS
[ii] Alana Maurushat, Abubakar Bello and Braxton Bragg, Artificial Intelligence Enabled Cyber Fraud: A Detailed Look into Payment Diversion Fraud and Ransomware, 15, Indian Journal of Law and Technology, 2019, 15 IJLT (2019) 261
[iii] Kristine Johnson and Michael Garcia, Digital Currencies’ Role in Facilitating Ransomware Attacks: A Brief Explainer, 2021, https://www.thirdway.org/memo/digital-currencies-role-in-facilitating-ransomware-attacks-a-brief-explainer
[iv] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, (Para. 309, 310, 629-636, pp. 384, 471-472)
[v] Section 81 of the IT Act
[vi] Section 85 of the IT Act
[vii] Sharat Babu Digumarti vs. Government (NCLT of Delhi); 2017 2 SCC 18, Gagan Harsh Sharma & Another vs. State of Maharashtra Through Sr. Police Inspector and Another; 2018 SCC OnLine Bom 17705
[viii] (2019) 19 SCC 740 (Para 34)
[ix] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013
[x] Rule 8 read with Rule 9 of the CERT Rules.
[xi] Rule 11 (1) of the CERT Rules.
[xii] Rule 11(3) read with Rule 12 of the CERT Rules.
[xiii] Rule 12(1)(a) of the CERT Rules
[xiv] Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013
[xv] Rule 4(1) of the NCIIPC Rules
[xvi] Rule 4(4) of the NCIIPC Rules
[xvii] Rule 5(2)(c) of the NCIIPC Rules
[xviii] Section 46 read with Section 75 of the IT Act
[xix] Section 46(5) of the IT Act
[xx]  EWHC 3556 (Comm.)
[xxi] Liverpool and London Steamship Protection and Indemnity Association Ltd v. M.T. Symphony and others, 2003 SCC OnLine Bom 73, Para 5
[xxii] European Data Protection Board, Guidelines on Examples regarding Data Breach Notifications, 2021, https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf
[xxiii] Personal Data Protection Commission Decision, Seriously Keto Pte Ltd, Case No. DP-2006-B6449, 21/07/2021, https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision—Seriously-Keto-Pte-Ltd—14072021.pdf?la=en .
[xxiv] Ministry of Electronics and Information Technology (MeitY), Annual Report 2020-21, Internet Governance and Security of Cyber Space, Pg. 178-179.
[xxv] File No: 2(35)/2011-CERT-In, Ministry of Communication and Information Technology, Department of Electronics and Information Technology, Notification dared 02 July 2013.
[xxvi] Report of The Joint Committee On The Personal Data Protection Bill, 2019, December 2021.
[xxvii] Clause 1.3, 1.6, 1.8 and 1.10 of the JPC Report.
[xxviii] Section 9 of the DPB, Recommendation No. 32 (Clause 2.49-2.50) of the JPC Report.
[xxix] Section 13(4) and Section 25 of the DPB, Recommendation No. 46 (Clause 2.101-2.114) of the JPC Report.
[xxx] Sections 27, 29 and 30 of the DPB.
[xxxi] Section 57 of the DPB.
[xxxii]National Crime Records Bureau, Cyber Crime (2018-2020) https://ncrb.gov.in/sites/default/files/crime_in_india_table_additional_table_chapter_reports/TABLE%209A.1.pdf