On Sept. 15, 2016, the FBI released a public service announcement titled, "Ransomware Victims Urged to Report Infections...
to Federal Law Enforcement," which urges victims to report ransomware incidents.
The operative word is urges. Does that mean victims are required to report all ransomware attacks to the FBI? And if they do, what are the potential repercussions?
Cybersecurity professionals want to know when a company falls victim to ransomware or breaches. They can learn from that company's unfortunate experience, and gain a semblance of relief that it wasn't their company. A ransomware victim is often viewed as the canary in the coal mine, that motivates cybersecurity professionals to determine which remediation steps they should take to ensure they do not experience a similar attack.
However, cybersecurity professionals still have to deal with deadlines, insufficient budgets, resource constraints, management pressures and other exigencies. They play a cat-and-mouse game with risk.
Unfortunately, when it comes to data breaches and ransomware attacks, it is not if a breach happens, but when it happens. The cybersecurity professional's job is to mitigate -- which does not mean eliminate -- the harm a breach can do. Information security constructs, protection measures, reliable alert mechanisms and well-thought-out and tested incident response programs can help deal with these impending dangers.
Internal alerts or notifications from law enforcement agencies, the press or the inability to operate critical applications or infrastructures are all ways to find out about a possible breach.
Ransomware is the fastest growing malware threat today. It holds business-critical systems and data hostage unless the ransom is paid. Companies that fall victim to ransomware attacks then have to decide whether to pay the ransom or not. This decision is not easy.
Is it ethical for the organization under attack to pay? Even if it does pay the ransom, there is no guarantee the decryption keys will be delivered. If the organization does not pay, will that affect its viability, or possibly cause significant damage to the company's bottom line and reputation?
Reporting ransomware attacks
The ransomware alert from the FBI -- which advises against paying the ransom at all -- provides nine factors to include when reporting ransomware attacks:
- The date of infection.
- The ransomware variant, which is identified on the ransom page or by the encrypted file extension.
- Information about the victim company, including its industry type, business size and so on.
- Details about how the infection occurred, such as through a malicious link in an email or by browsing the internet.
- The requested ransom amount.
- The attacker's bitcoin wallet address, which may be listed on the ransom page.
- The amount of ransom the organization paid -- if any -- to the attacker.
- The overall losses associated with the ransomware infection (including the ransom amount).
- A victim impact statement.
These are all reasonable bits of information to disclose, but organizations that have suffered a ransomware attack may be reluctant to report them. This reluctance is often about providing the amount of the ransom, whether it was paid it or not, what the overall losses were and the impact it had on the business.
Admitting that your organization was the target of a ransomware attack can be embarrassing and marginalizing. Reporting ransomware attacks reflects negatively on the organization, and its customers and partners may question why it did not take sufficient measures to prevent such a breach, especially if the impact would have been significant if the ransom hadn't been paid.
If a company notifies the FBI about a successful ransomware attack against it, there's no guarantee that the information won't be leaked or made public in some other manner. There could be financial implications of such disclosures, especially if the company is publicly traded.
There are plenty of ransomware prevention measures available today. The FBI alert provides some of these measures. While there are risks in reporting ransomware attacks to the FBI or other law enforcement agencies, the real concern should be how the organization manages the incident.
When it comes to customers, perception is reality. This also applies to partners, management, peers and stakeholders. Ransomware attacks happen, but the important thing is to minimize the impact and demonstrate a timely recovery.
Organizations can't control what the press will report on the incident, or whether the breach details become public. They also can't control what the FBI does with the information provided to them. But organizations can control the impact of the breach and manage perception.
Organizations should deploy protection measures to mitigate the impact of a ransomware attack. They should train their employees on how to deal with breaches, test the incident response plan, periodically test their systems for effective controls, maintain current patches, continuously monitor, implement strong change controls and, more importantly, perform full, incremental and differential backups for timely recovery.
In addition, organizations should prepare communications for management, stakeholders, media and the public. Breach announcements, whether for ransomware or other attacks, are much more palatable if they also contain the information that the company quickly recovered, the impact was minimal because of effective protection measures and no ransom payment was required.
Learn more about the FBI ransomware alert and guidance
Find out if paying ransoms now will make ransomware attacks worse in the future
Check out the best way for HIPAA covered entities to response to ransomware attacks