System Interference and Ransomware: The Criminality of Holding Corporate Databases Hostage (Philippines)
Introduction: why ransomware against corporate databases is treated as a serious crime
Ransomware attacks commonly work by introducing malware into a company’s network, encrypting or disabling access to files and servers, and then demanding payment to restore operations. In the Philippines, this conduct is not treated as a mere “IT problem.” It can constitute multiple cybercrime offenses under R.A. No. 10175 (Cybercrime Prevention Act of 2012), with penalties that can be severe—especially when the target involves systems essential to business operations.
This article focuses on how Philippine cybercrime law addresses organized groups that deploy malware to paralyze corporate digital operations and hold databases hostage.
Governing laws and rules
R.A. No. 10175 (Cybercrime Prevention Act of 2012) is the primary statute for ransomware-style attacks that disable or hinder computer systems and data. The law defines punishable acts such as system interference and data interference, and provides the penalty rules for cybercrime offenses.
For court processes involving cybercrime investigations (including preservation, disclosure, search and seizure, and examination of computer data), the controlling court-issued procedures are the Rules on Cybercrime Warrants, A.M. No. 17-11-3-SC (2018).
While R.A. No. 8792 (Electronic Commerce Act) penalizes hacking or cracking, ransomware cases are typically handled under R.A. No. 10175 given its more specific cybercrime definitions and penalty structure for cyber-enabled attacks.
Core cybercrime charges used against ransomware syndicates
1) System Interference (R.A. No. 10175, Section 4(a)(4))
System interference covers the intentional alteration—or reckless hindering or interference—of the functioning of a computer or network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or programs, without right, including the introduction or transmission of viruses.
In ransomware incidents, system interference is often the most direct charge where malware prevents access to servers, applications, or corporate systems (e.g., ERP, HRIS, billing, or production control systems), resulting in business paralysis.
2) Data Interference (R.A. No. 10175, Section 4(a)(3))
Data interference punishes the intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic documents, or electronic data messages, without right, including the introduction or transmission of viruses.
Many ransomware attacks do more than “lock” systems—they may alter file states, delete backups, corrupt recovery points, or exfiltrate and manipulate data. These actions can support a separate or accompanying charge for data interference.
In Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014, the Supreme Court explained that penalizing data interference is akin to punishing a form of “vandalism” against another’s computer data and does not infringe protected speech—there is no constitutional freedom to destroy other people’s computer data.
3) Illegal Access (R.A. No. 10175, Section 4(a)(1))
Illegal access punishes access to the whole or any part of a computer system without right. This charge frequently applies when attackers penetrate a corporate network using stolen credentials, phishing, brute-force methods, or exploiting vulnerabilities.
Even if the “end goal” is ransom, prosecutors often include illegal access to account for the initial unauthorized entry point into the environment.
4) Misuse of Devices (R.A. No. 10175, Section 4(a)(5))
Misuse of devices addresses the production, sale, procurement, importation, distribution, or making available—without right—of devices or computer programs designed primarily for committing cybercrime offenses, and possession of such items with intent to use them for cybercrime.
This can be relevant where organized groups maintain ransomware kits, payload builders, credential dumpers, exploit tools, or command-and-control components, especially when linked to intent to commit system or data interference.
Penalty structure: why ransomware cases can carry heavy exposure
Under R.A. No. 10175, Section 8, cybercrime offenses under Section 4(a) and 4(b) are generally punishable by prision mayor or a fine (or both), subject to the statute’s specific terms. Where acts under Section 4(a) are committed against critical infrastructure, the penalty is higher (reclusion temporal or a fine, or both), again subject to the statute’s terms.
In Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014, the Supreme Court emphasized that setting penalties for cybercrime is primarily a legislative prerogative and courts generally apply the penalty range as written.
How ransomware incidents commonly map to charges (illustrative scenarios)
Below are typical fact patterns and the cybercrime charges they tend to support under Philippine law:
| Typical ransomware conduct | Likely R.A. No. 10175 charge(s) | Why it fits |
|---|---|---|
| Attackers infiltrate the network via stolen credentials or phishing and enter internal systems | Illegal Access (Sec. 4(a)(1)) | Unauthorized entry into any part of a computer system “without right” |
| Malware encrypts files and disrupts server or network operations, stopping business functions | System Interference (Sec. 4(a)(4)) | Hinders or interferes with system functioning through transmitted malicious code |
| Backups are deleted; recovery points are corrupted; files are damaged | Data Interference (Sec. 4(a)(3)) | Alters/damages/deletes/deteriorates computer data without right |
| Syndicate maintains ransomware builders, exploit tools, or malware distribution packages | Misuse of Devices (Sec. 4(a)(5)) | Possession or making available of tools designed primarily for cybercrime, with intent |
Procedural considerations: investigation and warrants for computer data
Ransomware investigations typically require rapid steps to preserve logs, image drives, identify malware artifacts, and trace command-and-control infrastructure. In the Philippines, applications for cybercrime-related court processes (e.g., preservation, disclosure, search and seizure, and examination of computer data) are governed by the Rules on Cybercrime Warrants, A.M. No. 17-11-3-SC (2018).
From a defense and compliance standpoint, it matters that evidence collection in cybercrime must follow judicially supervised procedures because corporate servers, employee devices, and cloud instances can raise privacy, due process, and chain-of-custody issues.
Common misconceptions relevant to charging decisions
“It’s only data, so it’s theft.” Philippine criminal law traditionally treats theft as involving tangible personal property. In Laurel v. Abrogar, et al., G.R. No. 155076, January 13, 2006, the Supreme Court held that intangible properties (such as certain services) are not proper subjects of theft under Article 308 of the Revised Penal Code, absent a statute expressly covering them. Ransomware prosecutions therefore usually rely on R.A. No. 10175’s cybercrime offenses (system/data interference, illegal access), rather than trying to force-fit the conduct into traditional theft concepts.
Risk management and compliance takeaways for companies (before and after an attack)
Ransomware cases move quickly. Companies can reduce legal and operational exposure through preparedness and disciplined response.
- Preserve evidence early: retain logs, endpoint alerts, firewall records, and backup status; document timelines and actions taken.
- Control access: enforce MFA, least-privilege, and rapid credential resets during containment to reduce arguments of “authorized access.”
- Separate backups: maintain offline or immutable backups to reduce the impact of data interference (e.g., deletion of backups).
- Coordinate legal + technical response: ensure forensic acquisition and any needed court processes align with the Rules on Cybercrime Warrants.
- Incident reporting decisions: consider when to involve law enforcement and how to support prosecution (or prepare for defense if personnel are implicated).
Conclusion: ransomware is commonly prosecuted as system and data interference under R.A. No. 10175
Under Philippine law, ransomware attacks that paralyze corporate operations commonly fall under system interference and data interference in R.A. No. 10175, often accompanied by illegal access and, where supported by evidence, misuse of devices. For investigation and evidence handling, the Rules on Cybercrime Warrants, A.M. No. 17-11-3-SC (2018) guide court-authorized processes involving computer data.
For companies, the immediate legal priority after an attack is to preserve evidence, maintain a defensible incident record, and coordinate forensic steps with counsel so the case can be pursued (or defended) without avoidable procedural weaknesses.
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

