1

Suppose a company writes and owns software that can be used to commit ransomware attacks (say, break into someone else's IT system, encrypt everything, demand ransom for decryption). The software also has some perfectly legitimate uses in IT administration, for example penetration testing. The company has some legitimate customers using it that way. Now suppose the police manage to prove that a criminal rented/bought the software and then used it for a ransomware attack.

Did the company break any laws?

I feel this is somewhat similar to manufacturing guns, but this would require some government agency to declare the software as a weapon and impose restrictions on the sale and use of it. That could work if everything happens within the same jurisdiction but is very complicated otherwise. Does that mean that if the company sits in a jurisdiction that does not support the case, the police can't do anything?

1
  • I'm not sure what good tags for this question are, feel free to edit.
    – quarague
    Commented Oct 28, 2021 at 6:57

1 Answer

2

The supply, possession and use of penetration testing software is perfectly legal. However, any criminal liability will hinge on what the supplier knows about its intended use.

If one agrees to supply it knowing or believing that it is intended (or likely) to be used for an unlawful ransomware attack by someone else, they would (depending on the available evidence) commit an offence contrary to s.3A of the Computer Misuse Act 1990:

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.

(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.

(3) A person is guilty of an offence if he obtains any article—

  • (a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or

  • (b) with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.

(4) In this section “article” includes any program or data held in electronic form.

(5) A person guilty of an offence under this section shall be liable—

  • (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

  • (b) on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

  • (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

The person carrying out the ransomware attack would commit an offence contrary to s.3 of the 1990 Act:

(1) A person is guilty of an offence if—

  • (a) he does any unauthorised act in relation to a computer;

  • (b) at the time when he does the act he knows that it is unauthorised; and

  • (c) either subsection (2) or subsection (3) below applies.

(2) This subsection applies if the person intends by doing the act—

  • (a) to impair the operation of any computer;

  • (b) to prevent or hinder access to any program or data held in any computer; or

  • (c) to impair the operation of any such program or the reliability of any such data; or

  • (d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

(4) The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to—

  • (a) any particular computer;

  • (b) any particular program or data; or

  • (c) a program or data of any particular kind.

(5) In this section—

  • (a) a reference to doing an act includes a reference to causing an act to be done;

  • (b) “act” includes a series of acts;

  • (c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.

(6) A person guilty of an offence under this section shall be liable—

  • (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

  • (b) on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

  • (c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.

Finally, both parties, again depending on the available evidence, would be guilty of:

Conspiracy to commit an offence under section 3 of the Computer Misuse Act 1990, contrary to section 1 of the Criminal Law Act 1977.
