Reporting Ransomware Attacks to the FBI: Pros and Cons
posted Jul 13, 2017 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Picture this: you fire up your computer and are immediately prompted with a pop-up that says, “Your computer has been locked due to a violation of the federal laws of the United States of America. To unlock your computer you are obliged to pay a fine of $200.”
We’ve all read or heard about ransomware attacks at this point. Seems like a no-brainer to immediately report something like this, right? Well, not exactly. Reporting a ransomware attack to the FBI, while seemingly the obvious course of action, takes a lot of consideration from the impacted business because of what’s at stake if word gets out that it has been attacked. Below are some pros and cons of reporting ransomware attacks to the FBI.
Pros of reporting to the FBI
- Helps FBI gain a more comprehensive view of the current ransomware risk and its impact on U.S. citizens.
- Helps cybersecurity professionals learn from a company’s unfortunate experience, and take remediation steps to ensure they do not experience a similar attack.
Cons (why organizations hesitate to report)
- It’s embarrassing.
- It’s marginalizing.
- It reflects negatively on the organization, which increases its reputational risk.
- Lack of knowledge on where to report the attack.
- Customers and partners may inquire why the organization did not take more precautions to prevent such a breach.
- There are no guarantees that information about the attack won’t be leaked or made public in some manner; if the company is publicly traded, there could be financial implications of such disclosures.
- Paying the ransom as an alternative to reporting to the FBI does not guarantee that the decryption keys will even be delivered back.
Precautions an organization should take to prevent an attack
While organizations can’t control what the press will report about an attack, they can control the impact of the breach. Organizations should implement protection measures to lessen the blow of the attack. Training employees, deploying incident response plans—all these things will help mitigate the impact of a breach.
If you choose to report, how do you do it?
The FBI says you should never pay the ransom, but rather urges that you report to them and disclose these 9 factors. You can send it to your local FBI, or through this site:
- The date of infection.
- The ransomware variant, which is identified on the ransom page or by the encrypted file extension.
- Information about your company (industry type, business size and so on).
- Details about how the system became infected (was a malicious link clicked? Did it occur through an email or web browser?).
- The requested ransom amount.
- The attacker’s Bitcoin wallet address, which may be listed on the ransom page.
- Any amount of ransom the organization has already paid.
- Total losses incurred with the ransomware infection (includes ransom amount).
- A victim impact statement.
The bottom line is that while it is difficult to disclose this kind of attack, reporting might be the best option for your company if you are wary of paying the attacker, and especially if you don’t have the right protections in place. If you’re worried about the information affecting the public negatively, you can and should prepare communications for management, stakeholders, media and the public.
Want to learn more? Reach out to a member of our Information Security Services Team.