On January 1, 2017, the State of California enacted SB 1137, a bill that made ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid – a felony punishable by up to four years in prison.

The author of the bill, Senator Bob Hertzberg, D-Van Nuys, said in a press release, “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware. Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”

While initially popular in Russia, the use of ransomware scams has grown internationally. According to a June 2016 survey from Osterman Research, almost one out of every two participants indicated their organization had suffered at least one ransomware attack in the past 12 months. In addition, just four percent of respondents from U.S. organizations said they were very confident in their current security’s ability to prevent a future attack.

In 2016, ransomware reached a new level of maturity – in fact, the majority of malware included in phishing emails and exploit kits is currently ransomware. The increased activity has led to an evolution of ransomware. For instance, the newly-discovered Popcorn Time includes a novel and nasty twist: infected victims are given the option to pay the ransom or infect two others using a referral link. If the two new victims pay the ransom, the original target receives a free key to unlock their files.

“Extortion by ransomware is immensely costly and terrifying to victims whose data is held hostage,” says Los Angeles County District Attorney Jackie Lacey. “And when criminal hackers target hospitals, fire and rescue, it threatens the public’s safety. SB 1137 has clarified California law to make sure that a criminal who infects computers or networks with ransomware can be prosecuted for extortion.”

Let’s hope other states follow suit, and soon.