FBI Asks Ransomware Victims to Report Attacks

September 26, 2016
News & Insights

The FBI urged victims of ransomware attacks to report them to the agency in a public service announcement released September 15.

New ransomware variants are constantly emerging and ransomware has become the top cyberthreat of 2016, the agency said. Although ransomware has grabbed the headlines, that hasn’t translated into data the FBI can act on. Many ransomware infections are not reported, hampering the agency’s ability to gather statistics on the actual number of victims, the full impact of ransomware, types of current ransomware, and other data. Some victims may opt not to notify the FBI because they simply aren’t sure who to contact or don’t believe the situation is serious enough to warrant action from a federal agency. Others may be concerned that bringing in the FBI could impact their business reputation or may have concerns about privacy regulations such as HIPAA. Organizations or individuals who either restore data from their own backups or pay the ransom to regain access to files may believe the incident is settled and does not require further action.

Reporting ransomware attacks, regardless of the outcome, will help the FBI in ongoing and future cybercrime investigations, track and predict organizations likely to be targeted, and justify directing resources toward ransomware investigations, the agency said.

Victims of ransomware attacks can contact their local FBI office and file a report with the Internet Crime Complaint Center. The report should include:

  • Amount of ransom asked for
  • Date of infection
  • Hacker’s bitcoin wallet address (may be listed on the ransom page)
  • How the infection occurred (e.g., link in email, browsing the internet)
  • Ransom paid (if any)
  • Ransomware variant (identified on the ransom page or by the encrypted file extension)

The FBI discourages organizations and individuals from paying the ransom and warns that there is no guarantee access to the files will be restored.

The Office for Civil Rights (OCR) published ransomware guidance for covered entities (CE) and business associates (BA) in July. As ransomware attacks against healthcare organizations escalated this year, many CEs and BAs debated whether a ransomware attack was itself a HIPAA breach or reportable incident. OCR’s guidance made it clear that ransomware attacks are reportable security incidents and that CEs and BAs must conduct thorough investigations to determine if protected health information was breached. OCR also strongly advised against paying a ransom to regain access to files.

Related Topics: 
Compliance, HIM/HIPAA