By: Asaf Lubin
PDF: The Law and Politics of Ransomware
What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between twenty thousand and thirty thousand per day in the United States alone. That is a ransomware attack every eleven seconds, each of which cost victims on average nineteen days of network downtime and a payout of over $230,000. In 2021 global costs associated with ransomware recovery exceeded $20 billion. This Article offers an account of the regulatory challenges associated with ransomware prevention. Situated within the broader literature on underenforcement, the Article explores the core causes for the limited criminalization, prosecution, and international cooperation that have exacerbated this wicked cybersecurity problem. In particular, the Article examines the forensic, managerial, jurisdictional, informational, and resource allocation challenges that have plagued the fight against digital extortion in the global commons. To address these challenges, the Article makes the case for the international criminalization of ransomware. Relying on existing international regimes (namely, the 1979 Hostage Taking Convention, the 2000 Convention Against Transnational Crime, and the customary prohibition against the harboring of terrorists), the Article makes the claim that most ransomware attacks are already criminalized under existing international law. In fact, the Article draws on historical analysis to portray the criminalization of ransomware as a “fourth generation” in the outlawry of Hostis Humani Generis (enemies of mankind).
The Article demonstrates the various opportunities that could arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The Article focuses on three immediate consequences that could arise from such international criminalization: (1) expanding policies for naming and shaming harboring states, (2) authorizing extraterritorial cyber enforcement and prosecution, and (3) advancing strategies for strengthening cybersecurity at home.