Statutory Framework

Section summary: §1030(a)(5) has three subsections covering intentional damage, reckless damage, and unauthorized access causing damage.

§1030(a)(5) subsections:

  • (A) Intentional access and intentional damage.
  • (B) Intentional access and reckless damage.
  • (C) Intentional access causing damage and loss.

Ransomware

Section summary: Ransomware deployment falls squarely within §1030(a)(5). The encryption of data constitutes damage; the ransom demand can ground separate extortion charges.

Ransomware analysis:

  • Encryption constitutes damage to data.
  • Demand can ground separate extortion charges (Hobbs Act, etc.).
  • International coordination common.
  • Sanctions implications for ransomware operators in certain jurisdictions.

DoS Attacks

Section summary: Denial-of-service attacks fall within §1030(a)(5). Disruption of service constitutes damage.

DoS analysis:

  • Distributed DoS (DDoS) and simple DoS are both covered.
  • Service disruption is damage.
  • Loss includes business interruption.
  • Provider tools (booters, stressers) are themselves criminal.

Sentencing

Section summary: Sentences scale with damage. Up to 1 year for minor damage, up to 10 years for substantial damage, up to 20 years for major damage and certain critical-infrastructure cases.

Sentencing tiers:

  • Up to 1 year (low damage).
  • Up to 5 years (moderate).
  • Up to 10 years (significant).
  • Up to 20 years (major/critical infrastructure).
  • Up to life (death resulted).

Critical Infrastructure

Section summary: Critical-infrastructure cases (utilities, financial systems, healthcare) receive enhanced sentencing. The Department of Justice gives these cases special focus.

Critical infrastructure:

  • Utilities (power, water, gas).
  • Financial systems.
  • Healthcare systems.
  • Transportation systems.
  • Government systems.


Forensic Foundation

Data damage and ransomware cases turn on digital-forensic evidence: device images, file metadata, network logs, cloud-account records, malware reverse engineering, and attribution analysis. Counsel handling a ransomware or data-damage case must engage with the forensic record at a technical level, not just a legal one.

The defense's threshold task is review of the government's forensic methodology. Was the device imaged using accepted procedures? Was the image hash-verified against the original? Did the examiner have appropriate certifications? Did the analysis follow the examiner's lab's standard operating procedures? Each step in the chain produces potential challenges at hearing and trial.

Where the case turns on contested forensic findings, the defense should retain an independent examiner. The defense expert reviews the government's work, performs parallel analysis where possible, and is available to testify if needed. Funding for defense experts is available in federal cases under the Criminal Justice Act (18 U.S.C. §3006A) and in Texas indigent cases under Code of Criminal Procedure Article 26.05.

Van Buren and Authorization Screen

The Supreme Court's decision in Van Buren v. United States, 593 U.S. 374 (2021), reshaped the CFAA "exceeds authorized access" analysis. The Court held that the statute applies only where the defendant accessed an area of a computer system they were not entitled to enter at all — not where they had credentials but used them for an improper purpose. The "gates-up-or-down" inquiry asks whether the user could or could not access the specific area, not why they accessed it.

For a ransomware or data-damage case (where authorization is in issue), the defense must screen the indictment against the post-Van Buren framework. Cases built on theories that the defendant misused authorized access — rather than entering a system they had no right to enter — should be evaluated for dismissal under Van Buren. Many CFAA charges filed before 2021 survived only because the law had not yet been clarified; charges filed since must satisfy the gates-up-or-down standard.

The defense should also consider whether parallel state charges (Texas Penal Code §33.02) provide the same protection. Texas "effective consent" analysis under Chapter 1 of the Penal Code is broad. A defendant who had colorable authorization — an unrevoked password, a shared account, an implied license — has a defense to the access element under state law that runs parallel to the federal Van Buren analysis.

The data damage framework under federal law

The federal framework for data damage and ransomware prosecution centers on 18 U.S.C. Section 1030(a)(5), which criminalizes intentional damage to protected computers. The provision has three subsections that reach different forms of damage. Section 1030(a)(5)(A) reaches knowing transmission of a program, information, code, or command that causes damage without authorization. Section 1030(a)(5)(B) reaches intentional access without authorization that recklessly causes damage. Section 1030(a)(5)(C) reaches intentional access without authorization that causes damage and loss.

The damage definition under 18 U.S.C. Section 1030(e)(8) includes any impairment to the integrity or availability of data, a program, a system, or information. The definition is broad and reaches most forms of unauthorized system modification including encryption of data in ransomware attacks, deletion of files, modification of system configurations, and installation of malware that affects system operation. The breadth of the damage definition makes Section 1030(a)(5) the primary federal vehicle for ransomware prosecutions.

The loss requirement under various Section 1030(a)(5) provisions includes the cost of responding to the offense, the cost of conducting a damage assessment, restoring the data or system to its prior condition, lost revenue, and other consequential damages. The loss calculation can produce substantial values in ransomware cases because the response costs and the business impact can be very large even for relatively modest underlying damage. The loss requirement is met in essentially every significant ransomware case.

Ransomware-specific charging considerations

Ransomware prosecutions typically involve multiple charges beyond the underlying data damage offense. Wire fraud charges under 18 U.S.C. Section 1343 reach the use of interstate communications to extort payment from victims. Hobbs Act extortion charges under 18 U.S.C. Section 1951 reach the use of fear of economic harm to obtain property. Money laundering charges under 18 U.S.C. Section 1956 reach the processing of ransom payments through complex financial structures.

The international dimension of most ransomware cases adds significant procedural complexity. Many ransomware actors operate from foreign jurisdictions, which raises extradition issues, mutual legal assistance treaty considerations, and venue questions. The federal government has developed substantial international cooperation arrangements for ransomware prosecution, but the practical pursuit of foreign-based actors remains challenging. Domestic conspirators including money mule operators, money launderers, and other support actors are often the primary targets of effective domestic prosecution.

The Office of Foreign Assets Control sanctions framework adds another layer to ransomware prosecution. OFAC has designated specific ransomware groups and their associated cryptocurrency addresses, making it illegal under federal sanctions law to pay ransom to those groups. The sanctions framework affects both prosecution targeting and the victim response options. Victims who pay ransoms to sanctioned groups can face substantial federal penalties in addition to the underlying loss.

The defense framework for ransomware-adjacent cases

The defense framework for ransomware-adjacent cases covers defendants who may have been involved in support roles rather than in executing the primary attack. Money mule operators who processed ransom payments may not have known the underlying nature of the funds. Cryptocurrency exchange operators who facilitated ransom payment processing may have substantial defenses based on regulatory compliance and willful blindness analysis. Each role has specific defense considerations.

The factual development in support-role cases focuses on the defendant's knowledge of the underlying scheme. The mens rea requirements for the various charges typically require knowing or intentional conduct, and a defendant who was unaware of the ransomware nature of the underlying payments may have viable defenses. The defense should develop the specific factual record about the defendant's interactions with the alleged co-conspirators and the information available to the defendant about the source and purpose of the funds.

The cryptocurrency analysis is central to most ransomware-adjacent cases. The defense should engage cryptocurrency forensic experts who can analyze the blockchain transactions and identify the specific flows of funds. The expert analysis can identify the defendant's role in the broader scheme, distinguish the defendant's transactions from clearly criminal transactions, and develop alternative interpretations of the financial activity. The analysis is technically demanding but can anchor the defense theory.

Sentencing and the international cooperation framework

Federal sentencing for ransomware and data damage cases under USSG Section 2B1.1 produces high offense levels driven by the loss amount, the number of victims, the use of sophisticated means, and other specific offense characteristics. Aggravated cases involving critical infrastructure, vulnerable victims, or substantial harm produce offense levels that can result in decades of imprisonment for the most serious offenders.

The international cooperation framework affects both prosecution and sentencing. Defendants who cooperate with international law enforcement can earn substantial sentencing reductions under USSG Section 5K1.1. The cooperation can include identifying co-conspirators in foreign jurisdictions, providing technical information about ransomware operations, and assisting with the recovery of victim funds. The cooperation can produce sentence reductions of 30 to 50 percent or more in substantial cases.

The restitution and forfeiture frameworks add substantial financial consequences to the criminal sentences. Restitution under 18 U.S.C. Section 3663A is mandatory in most ransomware cases and can include the victim's incident response costs, lost revenue, and direct damages. Forfeiture under 18 U.S.C. Section 982 reaches the proceeds of the offense and substitute property. The combined financial consequences can extend for decades beyond the criminal sentence, with significant ongoing enforcement obligations that affect the defendant's ability to rebuild after release.

Critical infrastructure protection and the CIRCIA reporting framework

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours of payment. The CIRCIA reporting framework, while distinct from criminal prosecution, creates substantial documentation about ransomware incidents that becomes available to investigators and prosecutors through interagency coordination. Defense practice in ransomware cases must consider the CIRCIA reports as potential evidence and must coordinate any victim representation with the criminal defense to ensure consistent positions across the regulatory and criminal proceedings.

Frequently Asked Questions

Is operating a "booter" service illegal?
Yes. Operating services that enable DoS attacks against others is criminal. Recent prosecutions have targeted booter/stresser services explicitly.

Can ransomware victims be charged for paying ransoms?
Possibly, in certain circumstances. OFAC sanctions issues arise where the ransom recipient is sanctioned. Some payments may violate sanctions law independent of any CFAA exposure.

Are there international extradition issues?
Yes. Many ransomware operators are outside US jurisdiction. International coordination and extradition treaties affect prosecution success. Some operators in non-cooperative jurisdictions remain effectively unreachable.

Does §1030(a)(5) apply to vulnerability researchers?
Authorized vulnerability research (bug bounties, penetration testing under contract) is typically lawful. Unauthorized exploration that damages systems can trigger §1030(a)(5) regardless of intent.

Practical Checklist

  • Document everything early. Communications, records, and witness contact information lose value as time passes. Preserve them at the start of the case.
  • Identify all parallel proceedings. Criminal, administrative, civil, and regulatory tracks often run in parallel. A statement in one becomes evidence in another. Map the full picture before any disclosure.
  • Calendar every deadline. Filing deadlines, response deadlines, discovery deadlines, and hearing dates all have consequences. Missing a deadline can foreclose defenses that the facts otherwise support.
  • Build the mitigation package early. Witness letters, treatment records, employment verification, and character references take time to gather. Counsel should begin building the package at the first consultation, not as the hearing approaches.
  • Coordinate counsel across forums. Where the matter implicates multiple proceedings, having coordinated counsel (whether one firm or multiple firms in close communication) avoids the strategic errors that inconsistent representation creates.
  • Understand the public-record dimension. Many dispositions create searchable records that follow the licensee, defendant, or respondent for years. The decision to contest versus resolve must account for the public visibility of each path.

For a confidential evaluation of your matter, call L&L Law Group at (972) 370-5060 or email info@landllawgroup.com. Initial consultations are free.

Next Steps

If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.

Reggie London & Njeri London

Co-Founding Partners · L&L Law Group, PLLC

Reggie London (Tex. Bar #24043514) and Njeri London (Tex. Bar #24043266) co-founded L&L Law Group in Frisco, Texas.

This guide was reviewed by Reggie London on May 30, 2026.

Cite this guide

Bluebook: Reggie London & Njeri London, Data Damage and Ransomware, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/data-damage-ransomware/.

APA: London, R., & London, N. (2026, May 30). Data Damage and Ransomware. L&L Law Group.