DISCLAIMER: The information provided on our site does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general educational and research purposes only. Readers should contact their attorney for any legal questions if you were a victim of ransomware or a cyber-attack.
You’ve come to this page because you’ve been hit by a ransomware attack and want to know what’s involved in reporting ransomware to the appropriate authorities. In addition to navigating the immediate response to the incident and exploring recovery options, you may be wondering: should I report a ransomware attack to law enforcement?
This article will outline the benefits of reporting a ransomware attack to law enforcement. We will break down how reporting cyber crime aids cyber crime investigations to prevent future attacks.
As a ransomware recovery service provider, we’ve seen firsthand how devastating ransomware attacks can be for businesses. We have helped over 3,000 clients get back up and running after a ransomware attack. We are committed to finding the right ransomware recovery and prevention solution for you.
The FBI strongly encourages all ransomware victims to report an attack; we agree with that stance.
However, the unfortunate reality is that many ransomware attacks go unreported, making it difficult for law enforcement to track the attacks and prosecute the cyber criminals who perpetrate them.
The first step to combating the growing ransomware crisis is to spread awareness about the threat.
Together with Fmr. FBI Special Agent Patrick Gray of the Computer Crimes Squad, we created Operation Cyber Aware, a documentary encouraging people to #GetCyberSerious and protect themselves from ransomware before it’s too late.
Another way to help improve the security landscape overall for the future is through reporting ransomware to law enforcement. The FBI releases flash bulletins with information they collect on how specific ransomware is being distributed. This helps you and other businesses understand what needs to be implemented to secure your network after a ransomware attack and can prevent future attacks from crippling your business.
The threat of ransomware is not just a passing fad and law enforcement needs your help. Ransomware is continually evolving to capitalize on any and every security vulnerability in your organization.
Reporting your ransomware incident to authorities for tracking and investigation can help other potential victims or even yourself. If authorities are able to find the perpetrator of the ransomware attack, they can seize the servers and release the decryption keys to the public for free.
If you are contemplating contacting authorities about your ransomware incident but not sure if you should or who to contact, keep reading to understand why you should report ransomware, who you should report it to and what it means for your business.
By the end of this article, you will:
How do ransomware attacks work?
Ransomware is a type of malicious software designed to encrypt your files, blocking access to critical data until the ransom is paid or alternative ransomware recovery methods are discovered.
Below, we have outlined why reporting a ransomware attack to law enforcement should be a part of your incident response plan.
Should I report a ransomware attack?
The short answer is yes. However, we recognize that the decision to report a ransomware attack to law enforcement can feel too complex to be covered by a simple yes or no answer.
To address your concerns about filing a report, we’ve answered the common questions our clients ask when considering reporting a ransomware attack below:
Question 1: Am I required to report a ransomware attack?
Ransomware victims are often unsure if they are legally required to report a ransomware attack. Since most ransomware attacks block user access to data, it is debated whether a ransomware attack is considered a data breach and subject to the appropriate reporting standards for a breach.
Many local, state and federal legislation include privacy acts and data protection laws to ensure consumers are notified if a data breach has potentially affected confidential data such as Personally Identifiable Information (PII) or information protected under the Health Insurance Portability and Accountability Act (HIPAA). According to the U.S. Department of Health and Human Services (HHS), you are required to report a ransomware incident if you can’t establish a low probability that data was accessed during the attack. So how do you establish this low probability?
A digital forensics investigation can help you determine if any data was accessed or compromised during a ransomware attack. The information provided by a digital forensics report will outline crucial details about the activity of the ransomware attacker while they were on your network. This includes folders, files, and user accounts they may have accessed.
Additionally, a digital forensics report can identify forensic information to assist law enforcement in identifying the patterns surrounding the ransomware attack and aid investigations on the cyber criminals who perpetrate them. This includes IP addresses, tools used, or attack methods.
A recent indictment of Uber’s Chief Security Officer, Joseph Sullivan, underscores the importance of reporting all cyber crime to law enforcement. In Uber’s case, the Federal Trade Commission (FTC) was not notified of the breach and Sullivan is being charged with obstruction of justice for his alleged concealment of a felony and failure to report it to law enforcement.
Not all ransomware attacks are considered data breaches, but if any data was in fact infiltrated from the network as determined by a digital forensic investigation it is considered a breach and requires appropriate reporting. When information determining a breach is not available or a digital forensic investigation is not conducted, always assume that there was a data breach and treat it as such.
Regardless of the scope of the ransomware attack your organization experienced or the methods you pursue to recover your data, seeking legal advice and reporting a ransomware attack to authorities is always strongly encouraged.
Question 2: Will reporting a ransomware attack harm my organization's reputation?
Whether your organization chooses to work with a ransomware recovery service or attempts to internally restore ransomed data, how will reporting a ransomware attack affect your organization’s reputation?
The bottom line is ransomware negatively affects your business’s functionality and financial picture, but how will your customers react? Unfortunately, any security incident can cause customers to lose trust in your organization. You may be concerned about the embarrassment of exposing the security vulnerabilities on your network that allowed a ransomware attack to occur.
Acknowledging your ransomware incident and taking ownership is the first step on your road to recovery. Your clients will appreciate your transparency. They will also want to know if their data was accessed and what you are doing to proactively mitigate the chances of another occurrence.
The FBI does not publicize the information you report about your ransomware attack. Information about ransomware attacks usually leak through internal document leaks or employees reaching out to the media. This underscores the importance of an incident response plan where you can proactively outline how your organization will respond to an attack.
Despite the widespread threat of ransomware, there is still an unfortunate stigma attached to being attacked by ransomware.
One of the most effective ways to increase the likelihood of ransomware reporting, investigating and successful prosecution of the perpetrators by law enforcement is to remove this stigma and empower ransomware victims to speak up.
Proactively implementing a cyber security program can help you avoid the unfortunate situation of being a ransomware victim, but failing to have the proper cyber protection program in place should not deter you from contacting authorities about your ransomware attack.
In today’s rapidly evolving cyber crime landscape, being a victim of a ransomware attack is unfortunately not unusual. With recent high profile ransomware attacks on Garmin and Canon, business leaders and consumers are becoming increasingly aware of the likelihood and implications of ransomware and the challenges of recovery.
Working with a ransomware recovery service can ensure you are following the ransomware sanction compliance standards required by your respective government when dealing with a ransomware attack.
The most effective way to restore trust during a security crisis is by being transparent and displaying your commitment to your customers’ security by following the legal protocols of dealing with ransomware.
Reasons to Report Ransomware
Now you understand that you should report ransomware to law enforcement and what reporting means for your business, but what are the benefits to reporting a ransomware attack?
Below, we’ve outlined the main reasons why reporting ransomware is beneficial to your business, authorities and the general public.
How reporting helps law enforcement catch cyber criminals
Bringing cyber criminals to justice happens with your help. Many law enforcement agencies are becoming more equipped with resources specifically dedicated to cyber crime. Still, they need victims of ransomware attacks and other cyber crimes to do their part by reporting attacks.
Cyber crime departments like the FBI’s Internet Crime Complaint Center (IC3) are designed to collect information on cyber crimes through victim’s reports to aid law enforcement analysis, investigation, and prosecution of cyber criminal activity.
Law enforcement’s exclusive access to legal authorities and tools enables them to partner with local and international law enforcement agencies to locate and apprehend the perpetrators of ransomware attacks more accurately and prevent future attacks.
If you have completed a forensic investigation, this information can be critical to aiding in the investigations since IP addresses and other forensic data is collected.
The information included in your ransomware report could be the missing piece to the larger ransomware investigation puzzle. By reporting a ransomware attack, you can help provide crucial clues to agencies like the FBI’s Global Operations and Targeting Unit that works with the public to investigate and prosecute cyber criminals attacks across the globe.
How reporting a ransomware attack helps your business
While reporting a ransomware attack can eventually lead to the indictment and prosecution of cyber criminals across the world, you may be wondering, how can reporting a ransomware attack help my organization today?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes alerts and bulletins through the National Cyber Awareness System that specifically shows how ransomware and other malware variants work.
By reporting a ransomware attack, you contribute to the data used to create advisories and alerts that provide your organization and others with critical information on security issues, vulnerabilities, and active cyber crimes. The data in these publicly available alerts are compiled through reports submitted by ransomware victims.
It’s even possible a government agency might have a decrypter that can decrypt your files without having to contact the threat actor. You’ll never know unless you reach out and report the incident!
Unfortunately, due to the volume of reports filed and the limited government resources available, reporting a ransomware attack does not typically lead to answers for your organization’s specific incident.
However, law enforcement can provide advice to remediate the damage that occurred to your network and connect you with the ransomware recovery resources that may be able to help you with the recovery process.
According to a ransomware sanction advisory issued by the U.S. Department of Homeland Security Office of Foreign Assets Control (OFAC), an organization’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
If you have explored all other ransomware recovery options and are considering paying the ransom, it is important you follow an up to date sanction compliance program to avoid paying a ransom demand to a sanctioned entity.
How do I report ransomware & who do I report ransomware to?
Now that you understand the benefits of reporting a ransomware attack, let’s talk about how to file a report.
Many people are hesitant to report a ransomware attack simply because they do not know how to report the attack to or how the reporting process works. We will help you simplify this process.
To guide you through the process of how to report a ransomware attack, we’ve created a page that provides links to law enforcement agencies across the globe and detailed instructions on how to report ransomware.
One of the first steps is to gather any forensic data pertaining to the ransomware incident (i.e. digital currency wallet, threat actor email addresses, IP addresses, and triage information). An image of your server is the best possible piece of evidence you can provide as it will preserve the digital evidence. A cyber forensic expert can help you with this.
Start the ransomware recovery process today!
Tracking and reporting malicious cyber activity provides law enforcement agencies with the information they need to bring cyber criminals to justice.
Regardless of the size of your organization, ransom amount requested, extent of the damage or the chosen method of ransomware recovery, you should always report a ransomware attack to law enforcement.
If you need someone to walk you through every aspect of the ransomware reporting and recovery process, we’re here to help.
At Proven Data, our experience in investigating, remediating and preventing ransomware attacks help our clients navigate data crises every day. Our ransomware recovery experts follow the most current compliance standards and utilize threat intelligence from previous cases to provide you with the ransomware recovery results you need.
Need ransomware recovery?
There are three common ways ransomware attacks happen:
- Open RDP ports: Remote Desktop Protocol (RDP) is an access portal that allows a user or administrator to connect to your computer from another location.
- Phishing emails: emails containing malware or malicious links that install a ransomware program on the computer when clicked
- Exploit kits: advanced malware tool that allows cyber criminals to target victims through security gaps in well-known software and hardware from popular technology manufacturers
There are four common methods to recover files from a ransomware attack:
- Recover files with a backup: Find out if any data backup is in place to recover files from off-site or offline backup, Window Shadow Copies and on-site backups
- Recreate the data: Utilize any available paper copies, email exchanges and attachments and database mining practices to recreate the encrypted data
- Break the ransomware encryption: Unfortunately, many ransomware encryptions are unbreakable, but you should always contact a ransomware recovery service to determine if there is a decrypter available for your particular variant.
- Pay the ransom to decrypt ransomware files: If the encryption is too strong, sometimes the only way to obtain the decryption key for your files is to pay the ransom.
In the United States, it is legal to engage with ransomware operators and pay ransomware with cryptocurrency. The FBI does not encourage paying ransom, however, they do acknowledge paying the ransom as a last resort option to be considered. Our guide in the pros and cons of paying ransomware highlights the various outcomes of these situations.
Pros of paying the ransom:
- Recover Encrypted Files
- Quicker Recovery
- Save Money
Cons of paying the ransom:
- Bad Working Decrypter
- Further Attacks May Occur
- The Ethical Dilemma of Funding Cyber Crime Economy
Following a ransomware attack, it is important you take the necessary steps to secure your network and avoid being victimized again. The National Institute of Standards and Technology (NIST) recommends using 4-step process of continuous incident response activities including:
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity