Last week, the FBI released another public service announcement about ransomware (this summer, you may recall, the FBI urged organizations and consumers to not pay ransoms). In this new PSA, the FBI is urging everyone to report ransomware attacks to law enforcement. According to eSecurity Planet:
Victims are asked to contact their local FBI office or file a complaint online at www.IC3.gov, and provide the date of infection, the ransomware variant involved, information on the victim company, how the infection occurred, the ransom amount demanded, the attacker's bitcoin address, the ransom amount paid (if any), the overall losses associated with the ransomware infection, and a victim impact statement.
I’ve been writing about cybersecurity for a long time, and I don’t recall the FBI asking people to report other types of malware attacks. However, the FBI’s PSA comes at a time when, as Brian Krebs reported, ransomware is becoming more targeted and more expensive. He wrote that instead of simply spamming millions of email users in hopes of a hit, the attackers are ready to move on to new tactics:
More well-heeled attackers may instead or also choose to spread ransomware using ‘exploit kits,’ a separate crimeware-as-a-service product that is stitched into hacked or malicious Web sites and lying in wait for someone to visit with a browser that is not up to date with the latest security patches (either for the browser itself or for a myriad of browser plugins like Adobe Flash or Adobe Reader).
Will the FBI’s latest ransomware-related PSA have any type of effectiveness? Guidance Software has conducted research over the past several months working with law enforcement in the event of a breach, and based on that background, Senior Product Manager Alfred Chung shared some thoughts with me via email. His belief is that the more information the FBI can gather about ransomware, the better equipped the agency will be to figure out who is involved with creating and distributing the malware. This, Chung said, can go a long way in the overall efforts against the spread of malware:
Attribution is a key component of cybersecurity which can lead to an understanding of the tactics, tools and procedures (TTPs) employed by these groups and a better chance to prevent/mitigate their attacks in the future. Without an understanding of the attacker, their targets, and their TTPs, cyber-attacks appear to take on random characteristics making them more difficult to prevent/mitigate in the future.
Where the FBI’s PSA falls short, Chung added, is that it is voluntary, not a mandatory call to action. Some organizations may feel that by reporting a ransomware attack, they will suffer a negative public backlash:
Apart from mandating the reporting of ransomware attacks and imposing penalties for non-compliance, companies may soon view being a victim of a cyber-attack as something not exceptional but part of standard business operations since breaches are so often reported in the media. Companies may be more willing to report breaches if there’s less stigma attached to being a victim.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.