According to the Sophos “State of Ransomware 2023” report, the average ransomware payment in 2023 increased to more than $1.5 million, nearly double the 2022 figure of $812,380. These findings indicate that ransomware attacks continue to be highly lucrative for attackers.
Given the prevalence of ransomware attacks, organizations must carefully consider how they will respond if they become a victim. This includes deciding whether to pay the ransom and whether to report the attack to the authorities. Gartner analyst Paul Furtado advises organizations to report ransomware attacks to law enforcement agencies. He emphasizes that many law enforcement groups have specialized resources that can provide valuable guidance in such situations. Reporting is especially important for small and medium-sized organizations that may not have dedicated security teams.
Furtado also highlights the importance of considering the larger picture when deciding whether to report an attack. Organizations may be targeted as part of a coordinated attack, and law enforcement needs to know the full extent of what is happening. By reporting, organizations can help law enforcement understand their role within a larger puzzle.
In some cases, organizations may be legally required to report ransomware attacks to the authorities. The Cyber Incident Reporting for Critical Infrastructure Act, signed into law in 2022, mandates that critical infrastructure organizations report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours. Additionally, the Federal Communications Commission and the Securities and Exchange Commission have proposed new rules that would require reporting of cyber attacks in the telecommunications and public sectors, respectively.
With respect to cyber insurance, some policies require the organization to notify a federal agency before it can receive a payout from its insurer, although not all policies carry this requirement. In the absence of a national ransomware attack notification law, some organizations quietly pay the ransom without public disclosure, driven by concerns about reputational damage or the possibility that competitors will use the attack in their marketing. Nevertheless, organizations are still required to notify affected individuals when personally identifiable information is involved.
Reporting ransomware attacks to law enforcement not only benefits the affected organization but also the broader community. Forrester Research analyst Allie Mellen notes that reporting helps track the number of ransomware attacks and enables law enforcement to release bulletins about specific threats. It is part of a larger “security as a community initiative.”
To report a ransomware attack, organizations are encouraged to notify both the FBI and CISA. The FBI operates the Internet Crime Complaint Center (IC3), where victims can file a complaint. This reporting is crucial for tracking ransomware incidents within the U.S. and globally, and it can support the prosecution of attackers. Organizations can also contact their local FBI field office and provide detailed information about the attack, such as the date, the infection method, the ransom amount demanded and paid (if any), and the ransomware variant.
Reporting to CISA involves providing information about the impact on agency functions or services, the type of information compromised, and the estimated time and resources needed for recovery. Additional details such as the detection time, number of systems and users affected, and network location of the attack should also be included. CISA evaluates the severity of the attack based on this information, using a scoring system that ranges from Baseline to Emergency.
However, reporting ransomware attacks is just the first step. Once an organization has reported an attack and recovered, it must focus on preventing future incidents. This includes implementing regular security monitoring, developing business continuity plans and ransomware incident response plans, and educating employees about the risks of social engineering and malicious software. Strong email protections, multifactor authentication, and role-based access control are also recommended for enterprise ransomware prevention.
In conclusion, the rising average ransomware payment underscores the need for organizations to carefully consider their response strategies. Reporting ransomware attacks to law enforcement agencies is crucial, not only for the affected organization but also for the larger community. Legal requirements and proposed regulations further emphasize the importance of reporting. However, reporting is just the beginning, and organizations must also prioritize ransomware prevention measures to safeguard their assets and mitigate future risks.