Sophos discusses whether it’s worth reporting ransomware.
Victims of ransomware have a lot to cope with. After they’ve recovered from the shock of losing access to files, there’s the small matter of whether to pay the ransom to get them back.
Regardless of the outcome, victims are left worried about how best to clean their computer to avoid being hit by a follow-up attack.
In most cases reporting any of this probably doesn’t figure high on the to-do list: which organization should they contact and, frankly, would it make any difference anyway?
This lack of confidence is probably justified in many countries, with victims of cybercrimes often simply advised to go to a local police station and hope a staff member will be in a good enough mood to talk to them.
Ransomware reporting is, in a way, a microcosm of the larger issue of how best to tackle cyberattacks.
Reporting burglary, car theft or mugging would be a no-brainer. But online fraud or ransomware extortion? If it happens on a computer, there’s a tendency for people to see it as either the victim’s problem or something for the bank or service provider to sort out.
Faced with soaring online crime, police forces and governments have realized that having any chance of containing it means treating it in the same way as any other type of law breaking. Intelligence is needed to warn the public of attacks, and evidence must be gathered for possible future prosecutions.
The catch is that amassing better intelligence depends on getting the public to overcome years of conditioning and start telling law enforcement what has happened to them. These investigations are essential. Without real-time reporting, knowing what the criminals are up to and gathering evidence quickly enough to catch perpetrators becomes impossible.
The good news is that in the US, UK and a few parts of Europe reporting ransomware and extortion is getting easier.
Only weeks ago, the FBI put out its first ever note encouraging ransomware victims to report attacks in some detail through the Agency’s Crime Complaint Center (IC3).
A few months earlier, Europol, the Dutch police and a clutch of cybersecurity firms got in on the act by launching a portal, No More Ransom, which is meant to act as a single point of contact and advice for confused ransomware victims unsure about whether to tell anyone.
The UK, which likes to think of itself as ahead of the game, launched an online cybercrime reporting system in 2009 in the form of Action Fraud. Ransomware and phishing attacks can now be notified through an online tool for victims who end up out of pocket.
The UK’s Office of National Statistics (ONS) even grasped the nettle this year and added cybercrime as a separate heading in its 2015-2016 crime statistics for England and Wales, a further sign of changing attitudes.
Worthy though these reporting systems are, awareness of their existence – and importance – among the public remains weak.
To pick one example, the FBI’s 2015 Internet Crime Report (which uses numbers drawn from the IC3 reporting service) recorded only 2,453 ransomware complaints for the year – likely a huge underestimate of the true scale of the problem.
Until public reporting improves, tackling ransomware in a centralized, top-down manner could prove incredibly difficult, leaving more accurate estimates of campaigns in the lap of cybersecurity firms whose specialism is measuring the effect of attacks on computers rather than human victims.