Responding to ransomware is complicated. With the continuing increase of successful cyber attacks against small businesses, we hear a lot of debate on two aspects of your response to a successful ransomware attack.
- Should you contact law enforcement?
- Should you pay the ransom?
Both of these questions have pros and cons. How and when you answer these questions can have a long-lasting impact on you and your business.
Involving Law Enforcement
The debate about if and when to contact law enforcement often centers around what happens after law enforcement gets involved. Typically, you would contact your local police department which, in turn, would contact the cyber crimes unit of your state police (if your state has one) and/or the FBI. You can also report a ransomware attack directly to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA).
The biggest risks to involving law enforcement are the effects of a criminal investigation. You may not be able to repair and rebuild your systems until a forensic investigation is complete. In some cases, your computers may be considered evidence as part of a criminal investigation. By delaying your access to your computers, these actions can disrupt your ability to recover those systems.
The biggest advantage to involving law enforcement is the assistance the cyber security agencies can provide during the investigation and recovery. The FBI Cyber Division, CISA, and the National Cyber Investigative Joint Task Force can help identify the specific attack. For known variants, they often have valid decryption keys. If involved quickly enough, the FBI and other agencies have a history of recovering at least some ransoms and thefts (e.g. the Colonial Pipeline incident).
If you have cyber insurance, you may not have a choice about reporting the attack to law enforcement. Your carrier may require you to involve law enforcement as a condition for processing your claim. Your insurer may also mandate a forensic analysis to fully understand the scope of the attack and the necessary steps to recovery.
Paying the Ransom
Responding to ransomware, you want to move quickly and correctly. Wiping and rebuilding systems, restoring your data from backups, and recreating missing or damaged data takes time and money. Decrypting the data can be faster and easier. Paying the ransom is tempting. Your insurance carrier may also pressure you to pay the ransom to lower the cost of the claim.
Before you pay a ransom, consider the following:
- As noted above, law enforcement may already have a decryption key;
- Paying a ransom is a funding mechanism for hackers to carry out future and repeated attacks;
- Paying a ransom does not guarantee you will receive a decryption key;
- Even with the decryption key, you may not be able to recover all of your data;
- Attackers will often demand additional payments to prevent the release of stolen information; and
- Paying the ransom is likely to be a federal crime as it may be funding hostile nations, terrorism, human trafficking, or child exploitation.
To the latter point, paying ransom to an organization or government on a sanctions list, including those tied to terrorist activities, violates US law (18 USC 2339A, 2339B, 2339C). In October of 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a warning that “Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests” and could result in civil and criminal actions.
When responding to ransomware, you will need to work with your cyber insurance carrier. Contacting law enforcement early is more likely to help your recovery than hinder it. Early involvement offers:
- Additional expertise
- Simultaneous investigation/forensics with your insurer
- The possibility of known decryption keys for your ransomware variant
- The ability to cover lost or stolen funds
- The potential identification of the source of the attack
These benefits can mitigate the damage and help speed recovery.
Paying the ransom should always be a last resort. To avoid violating US law and facing the risk of criminal charges or civil sanctions, paying a ransom should not be done without consulting law enforcement.