Ransomware attacks are notoriously underreported and cyber authorities acknowledge this incomplete data on ransomware activity creates a blind spot that hampers recovery, response efforts and the prevention of future attacks.
U.S. officials and cybersecurity experts say greater transparency is needed to combat ransomware.
“It’s critically important that entities report every cyber intrusion, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency or the FBI as quickly as possible,” Eric Goldstein, the CISA’s executive assistant director for cybersecurity, said via email.
Some organizations, particularly during the heightened period of stress following a ransomware attack, may not know who to turn to or where to report the criminal activity.
There are four federal channels to report an attack:
Organizations should report to CISA or the FBI first — both agencies lead federal ransomware reporting and response.
The Internet Crime Complaint Center, or IC3, is the FBI’s central hub for reporting cybercrime. While IC3 cannot respond directly to every complaint, organizations can help the FBI track trends and threats by reporting cybercrime here as well.
Who should report
Authorities encourage every business and organization to report a ransomware attack as quickly as possible.
All critical infrastructure providers, following legislation passed by Congress last year and pending a final file due from CISA before April 2024, will be required to disclose a major cyberattack to CISA within 72 hours and notify the agency of a ransom payment within 24 hours.
Organizations in some sectors fall under rules requiring them to report cyberattacks to their respective regulatory agency. Regulators are also pursuing more strict reporting requirements in other industries.
The Federal Communications Commission earlier this year unanimously voted to change how and when telecommunications network operators disclose data breaches. Until those changes are adopted, the current rules which are more than 15-years-old require organizations to notify the U.S. Secret Service and FBI of breaches within seven days.
The Securities and Exchange Commission proposed rules in March that would require broker-dealers, clearing agencies and other financial services providers to more quickly disclose cybersecurity incidents to the SEC.
Why you should report
Organizations that aren’t legally obligated to disclose ransomware attacks have their reasons for keeping ransomware attacks under wraps.
Despite an industrywide push to stop blaming and shaming organizations that are hit by a ransomware attack, the reputational and financial damage that often follows victims in the wake of an attack prevents many private organizations from coming forward.
U.S. officials have estimated private organizations only report 25% to 30% of cyberattacks to government agencies. This low rate of reporting prevents agencies, including CISA, from accurately measuring ransomware activity.
Cyber authorities can provide reporting organizations with resources, including potential decryption keys, information on the adversary’s tactics and incident response support.
“Reporting an incident also allows CISA to share information that can protect other organizations, limiting the ability of malicious actors to use the same techniques to execute multiple intrusions,” Goldstein said.
“We recognize that many organizations may be reluctant to report incidents, but it’s vital that we shift to a culture where reporting becomes the norm and we provide victims with the support they need to respond and recover,” he said.
Despite some recent reports indicating a decline in the number of ransomware attacks during 2022, a continued trend of under-reporting suggests the opposite, according to the latest research from BlackFog, a data security firm.
“We actually see an increase in the overall number when we account for those that have yet to be reported,” BlackFog CEO and Founder Darren Williams said via email.
“Delayed reporting has become very common as organizations attempt to stay out of the headlines and shed the cyberattack stigma,” Williams said.
The rationale for failing to report ransomware attacks has staying power across multiple industries and organization types.
“Most business leaders would immediately call the police if their headquarters was ransacked,” Williams said. “Yet when their digital assets are stolen by cybercriminals, they hesitate.”
