Ransomware isn't going anywhere given how lucrative it continues to be for attackers. It accounted for 81% of financially motivated cyber attacks in 2020, per Atlas VPN.
The average company payment in the first quarter of 2020 was $178,254, according to Gartner. Note that this is just the ransom payment. It doesn't factor in business disruptions, downtime costs or brand damage. Ransom amounts demanded often vary based on the size of the company; larger companies may face higher ransoms. For example, attackers demanded a record $50 million from Taiwan-based Acer after hitting the company with REvil ransomware.
Once a company learns it has been targeted, it then has to decide whether to pay the ransom. Even more worrisome, some ransomware groups attempt to squeeze victims twice, once for a decryption key and again to delete their copy of the exfiltrated data.
Beyond deciding whether or not to pay the ransom, companies also face the dilemma of whether to report the ransomware attack to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA), which often raises the question of whether ransomware constitutes a breach. After all, ransomware does not necessarily compromise the security, confidentiality or integrity of personal information; it just prevents the organization from accessing that information unless the ransom is paid.
To pay or not to pay? To report or not to report? Or to do both? Those are the questions.
Should companies report ransomware to law enforcement agencies?
The answer is unquestionably yes, Gartner analyst Paul Furtado advised.
"A lot of law enforcement groups have specialized resources that provide guidance around this," he said. It is especially important for small and medium-sized organizations that don't have dedicated security groups, he added. Compromised organizations should also consider the larger picture. "You may also be the target of a coordinated attack, so law enforcement really needs to know what is happening because you can be just one piece of a bigger puzzle," he said.
In some instances, companies may legally have to notify a federal agency before they can receive payments from their cyber insurance provider, though not all policies require it.
While companies may willingly report ransomware attacks to law enforcement agencies, the same can't be said about publicly revealing them. Due to the absence of any national notification law, companies can quietly pay with no one being the wiser -- after all, their larger worry may be that the attack could hurt public perception or be used against them in competitors' marketing. Notification requirements may be changing, however. Some states, including New Jersey and Connecticut, have instituted notification laws that are triggered by access alone, and notably, healthcare companies must report if any personally identifiable information is accessed.
Reporting ransomware attacks to federal law enforcement helps more than just the company itself. Forrester analyst Allie Mellen said: "Reporting helps us track the number of ransomware attacks happening and helps law enforcement release bulletins about particular threats. I think of it as a 'security as a community initiative.'"
Should companies pay the ransom?
Whether to pay the ransom or not is a hot topic for debate. Many cybersecurity experts recommend not paying the ransom. But, in a practical sense, given the criticality of the asset, the enterprise may have to.
In his experience, Furtado said companies often report the incident and pay the ransom. One of his sources is an organization that acts as an intermediary between bad actors and their targets. "Their business continues to increase quarter over quarter," he said, proving that payments keep getting made.
The FBI, however, recommended against paying as it "does not guarantee an organization will regain access to its data." Paying also contributes to attackers' success, thus leading criminals to target other companies.
Further, the Department of the Treasury released an advisory in October 2020 warning that companies could get into legal trouble. Being involved in a ransomware payment -- whether as the victim, a cyber insurance firm or a financial institution -- could potentially violate Office of Foreign Assets Control (OFAC) regulations, the advisory said.
How to report ransomware attacks and to whom
Whether your company decides to pay the ransom or not, the FBI and CISA still want you to notify them of an attack. If your organization has become a victim, it should provide law enforcement agencies with the most complete reporting possible.
A complaint can be filed with the Internet Crime Complaint Center (IC3).
"It's really important to report to [IC3] because it helps them track ransomware incidents within the U.S. and globally, and it can be useful for them when it comes to potentially prosecuting attackers," Mellen explained.
Companies can also contact their local FBI field office. It will ask for the following information:
- date of ransomware attack;
- how the infection occurred;
- amount demanded;
- amount paid, if any;
- the ransomware variant;
- information about your company, such as industry, size, etc.;
- victim impact statement; and
- losses due to the ransomware attack.
Companies can also report ransomware to CISA. Like the FBI, CISA has specific ransomware reporting requirements:
- Identify the current level of impact on agency functions or services.
- Identify the type of information lost, compromised or corrupted.
- Estimate the scope of time and resources needed to recover from the incident.
- Identify when the activity was first detected.
- Identify the number of systems, records and users impacted.
- Identify the network location of the observed activity.
- Identify point of contact information for additional follow-up.
CISA requires that all submissions include the above information, and it also asks companies to provide the attack vector, indicators of compromise and subsequent mitigation efforts, if known and applicable. The National Cybersecurity and Communications Integration Center assigns the attack a severity score based on all the information provided. The score gives CISA a way to view the risk of the ransomware attack objectively in a national context, ranging from Baseline (not likely to affect public health) up to Emergency (a direct threat to infrastructure or people).
Reporting ransomware attacks is only the first step
Once a company has reported a ransomware attack and recovered, its focus needs to turn toward ransomware prevention. Mellen said a company's first steps should include performing security monitoring and having a business continuity plan and ransomware incident response plan in place, as well as a team ready to execute on those plans.
Once your company has recovered from the attack, enterprise ransomware prevention measures include putting strong email protections and controls in place, implementing multifactor authentication and using role-based access control. Another important aspect is ensuring a strong security awareness program is in place to educate employees about how bad actors attempt to get their malicious software onto the corporate network, especially via social engineering.