Investigating and documenting a ransomware incident: Steps and reasons
In a bid to combat the growing threat of ransomware attacks, various authorities are encouraging affected organizations and individuals to report such incidents as soon as they are detected.
The Securities and Exchange Commission (SEC) in the United States proposed rules in March that would require broker-dealers, clearing agencies, and other financial services providers to disclose cybersecurity incidents to the SEC more quickly. This move is part of a wider effort to improve transparency and response to cyber threats.
However, delayed reporting has become common as organizations attempt to stay out of the headlines and shed the cyberattack stigma. This reluctance to report is not limited to the financial sector. According to the latest research from BlackFog, many ransomware attacks are not being reported, leading to an underestimation of ransomware activity.
This underreporting is a concern for authorities, who rely on timely and accurate information to build a comprehensive picture of the current ransomware situation. Prompt notification helps enable effective response and prevention.
In Germany, cybersecurity authorities such as the Federal Office for Information Security (BSI) encourage affected organizations to report ransomware attacks to law enforcement agencies like the Federal Criminal Police Office (Bundeskriminalamt) as soon as the activity is detected. These agencies, along with the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S., can provide reporting organizations with resources such as potential decryption keys, information on the adversary's tactics, and incident response support.
In the U.S., all critical infrastructure providers are required to disclose a major cyberattack to CISA within 72 hours and notify the agency of a ransom payment within 24 hours, following legislation passed last year. Eric Goldstein, CISA's executive assistant director for cybersecurity, encourages entities to report every cyber intrusion, including ransomware attacks, to CISA or the FBI as quickly as possible.
Organizations in some sectors are required to report cyberattacks to their respective regulatory agency. However, the rationale for failing to report ransomware attacks has staying power across multiple industries and organization types. Many business leaders hesitate to report ransomware attacks, despite the fact that they would call the police if their physical headquarters were ransacked.
Greater transparency is needed to combat ransomware. Organizations should report to CISA or the FBI first, as these agencies are central to tracking trends and threats. The Internet Crime Complaint Center (IC3), which is the FBI's central hub for reporting cybercrime, is another important channel for reporting ransomware attacks.
Organizations may be reluctant to report incidents, but it is vital to establish a culture in which reporting is the norm, so that victims are supported in responding to and recovering from ransomware attacks. A continued trend of under-reporting suggests an increase in the overall number of ransomware attacks. Darren Williams, CEO and Founder of BlackFog, states that when accounting for unreported attacks, there is an increase in the overall number of ransomware attacks.
Cyber authorities acknowledge that incomplete data on ransomware activity creates a blind spot. By reporting ransomware attacks, organizations can help authorities fill this gap and protect other organizations, limiting the ability of malicious actors to use the same techniques to execute multiple intrusions.
In conclusion, the importance of reporting ransomware attacks cannot be overstated. By reporting incidents promptly, organizations can help authorities build a comprehensive picture of the current ransomware situation, enabling effective response and prevention. A culture of transparency is essential to combat ransomware and support victims in responding to and recovering from attacks.