Ransomware is a hot topic in IT circles today that elicits hypothetical questions such as: should you pay the ransom? It’s a question that creates interesting fodder, and one that’s answered far more easily in theory than in reality. If your entire network is locked up in an encrypted state, the get-out-of-jail transaction of paying the required ransom for a decryption key will prove awfully tempting. It’s difficult to say what you should do until you face that situation in real life.
If you decide not to pay the ransom, the next question becomes whether you should report it. If your organization is fortunate enough to have a cybersecurity insurance policy that covers ransomware attacks, you should immediately comb through the details of your policy. Some insurance companies require that a ransomware incident be reported in order to be covered.
Then there is the issue of compliance. While some ransomware attacks don’t necessarily qualify as a “traditional breach,” a growing number of governments now require that unauthorized access alone be reported, even if no data is exfiltrated. For instance, the European Union’s General Data Protection Regulation (GDPR) requires that any “unplanned unavailability of data” be reported.
In the same way that few criminals rob just one bank, a ransomware attack is usually one of many attacks launched by the same criminal organization. In some cases, you could be the target of a coordinated attack launched against a particular locality or industry.
Just as traditional police work must piece similar crimes together to find the perpetrators, large-scale law enforcement organizations often have specialists trained in this type of crime. The more data they can collect from multiple incidents, the better the chance of putting the perpetrators behind bars.
If you choose to get law enforcement involved, your next course of action will be determined by where your organization resides.
Different agencies have different information requirements for reporting a ransomware incident. For instance, the FBI will ask about the date of the attack, how it was discovered, how you think it was carried out, the amount of the ransom demanded, and whether any effort has been made to pay it. They will also inquire about the nature of your business, how the attack has affected your operations, and the losses resulting from the attack.
There are no easy answers to ransomware. Stopping these malicious attacks will take a collective effort between cybersecurity companies and law enforcement, but their efforts depend on research and investigation, which in turn requires organizations to do their part and report these incidents.