The latest worldwide cyber-attacks once again raised awareness of the problems of cyber-crime and digital extortion. Recently several hospitals, banks, telecommunications companies and other companies were subject to a so-called "WannaCry ransomware attack". This refers to a hacker attack through a computer virus named "ransomware cryptoworm", which targets computers running the Windows operating system by encrypting data and demanding ransom payments.
Digital extortion can be defined as the illegal access of a computer system by overcoming security measures, planting malware to encrypt data and subsequently demanding ransom payment for decrypting it.
Cyber-attacks constitute criminal violations according to the Austrian Criminal Code ("ACC"). The classification of these hacker attacks has however proven to occasionally cause some difficulties.
Generally, any person who gains access to a computer system which the person is not authorized to use (or not authorized to use by himself/herself), or who partially gains access to a computer system by overcoming specific security settings, may be committing a criminal offence according to sec 118a ACC. This provision is also referred to as the "hacking provision" of the ACC. However, although planting a so-called "cryptoworm" on a computer satisfies the physical element of the offence, additional elements of the provision require the offender to act with dishonest intent to (i) obtain personal data or (ii) use the knowledge of the obtained data to the disadvantage of a third party. With regard to the recent "WannaCry ransomware attack", the respective computer systems were indeed illegally accessed; the offender, however, only encrypted the data on the computer, and personal data was not obtained or used within the meaning of sec 118a ACC. In case of a "ransomware cryptoworm" attack, the elements of an offence under sec 118a ACC are therefore not entirely fulfilled.
Since a victim is not able to access its own data after a "cryptoworm attack" – at least for a certain period of time – a criminal offence may also result from sec 126a ACC (damage to electronic data). Besides altering, deleting and rendering data useless, this provision also covers its suppression.
In case the "cryptoworm attack" causes disruption to the attacked computer system, a criminal offence may also derive from sec 126b ACC. With regard to digital extortion, however, this is typically not the case.
The demand for ransom payment in return for decryption of the encrypted data constitutes a prominent element of the "WannaCry ransomware attack". Therefore, as the offender threatens the victim with continuing the suppression of data and coerces the victim into making the ransom payment, the crime of (digital) extortion according to sec 144 ACC is fulfilled.
Although the attack on monetary funds is broadly protected by Austrian criminal law, also with regard to cyber-attacks such as digital extortion, Austrian criminal law still lacks full protection against preparatory measures to this criminal offence, e.g. the illegal accessing of a computer system.