Ransomware is a hot topic in IT circles today, and it invites hypothetical questions such as: should you pay the ransom? It’s a question that makes for interesting debate, and one that’s much easier to answer in theory than in reality. If your entire network is locked up in an encrypted state, the get-out-of-jail transaction of paying the required ransom for a decryption key will prove awfully tempting. It’s difficult to say what you should do until you face that situation in real life.
Should You Report a Ransomware Attack?
If you decide not to pay the ransom, the next question becomes whether you should report it. If your organization is fortunate enough to have a cybersecurity insurance policy that includes ransomware attacks, you should immediately comb the details of your policy. Some insurance companies require that a ransomware incident be reported to be covered.
Then there is the issue of compliance. While some ransomware attacks don’t necessarily qualify as a “traditional breach,” a growing number of governments now require that unauthorized access alone be reported, even if data isn’t exfiltrated. For instance, the European Union’s General Data Protection Regulation (GDPR) requires that any “unplanned unavailability of data” be reported.
In the same way that few criminals just rob one bank, a ransomware attack is usually one of many attacks launched by the same organization. In some cases, you could be the target of a coordinated attack launched against a targeted locality or industry.
Just as traditional police work must piece similar crimes together to find the perpetrators, large-scale law enforcement organizations often have specialists trained in this type of crime. The more data they can collect from multiple incidents, the better the chance of putting the perpetrators behind bars.
Who to Contact in the Event of a Ransomware Attack
If you choose to get law enforcement involved, your next course of action will be determined by where your organization resides.
- In the U.S., you have three options: the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) or the U.S. Secret Service. Contacting any one of these will get the incident reported to all three. CISA provides an easy-to-use portal site to report a ransomware or similar cybersecurity incident. Government organizations may want to consider local law enforcement, too.
- Those in Canada are encouraged to contact their local police as well as the National Cybercrime and Fraud Reporting System or the Canadian Anti-fraud Center, which can be done using their online reporting system.
- In the UK, contact the National Cyber Security Center as well as the National Fraud and Cyber Crime Reporting Center.
- Organizations in South Africa are asked to report a ransomware attack to their local police, who will enter the case into the national crime administration system. You should then report your incident to the national Cyber Security Hub.
- Organizations operating within the European Union should contact local law enforcement to initiate an investigation concerning a ransomware attack.
Different agencies have different information requirements for reporting a ransomware incident. For instance, the FBI will inquire about the date of the attack, how it was discovered, how you think it was implemented, the amount of the demanded ransom, and if any effort has been made to pay it. They will also inquire about the nature of your business, how the attack has affected your operations, and the resulting losses from the attack.
There are no easy answers to ransomware. Stopping these malicious attacks will take a collective effort between cybersecurity companies and law enforcement, but their efforts are contingent on research and investigation, which requires organizations to do their part and report these incidents.