How To Report Ransomware To Authorities

If you have been hit by a ransomware attack, it is critical to report the incident to law enforcement. This is how authorities will investigate these crimes and find the responsible group or individual behind the attack.

Vaccines and prevention are keeping the Covid-19 virus from spreading. But the pandemic had other consequences that are still ongoing, such as the increase in cyberattacks. And just as employees should always report when they catch Covid-19 and quarantine, businesses and organizations must always report ransomware attacks to the competent authorities.

In the case of cyber attacks and ransomware, there are two basic rules:

NEVER pay the ransom

ALWAYS contact law enforcement.

What should you do in case of a ransomware attack?

US-based businesses and residents have a step-by-step process to follow in case of a cyberattack.

Step 1. Disconnect infected devices to prevent the ransomware from spreading

Step 2. Contact your local FBI field office and then submit an electronic tip

Step 3. File a report with the FBI’s Internet Crime Complaint Center (IC3)

Step 4. Do not delete the ransomware. Both competent authorities and the IT team responsible for your data decryption and recovery will need information about the ransomware from the infected files. 

How to report a ransomware attack

Each country may require different information when reporting a ransomware attack. 

In the US, you must contact your local FBI field office or CISA. However, if you’re outside the USA, contact your country’s federal law enforcement or local police precinct to make sure you comply with your country’s regulations and proceedings.


Contact Proven Data experts if you need help with ransomware removal and recovery.

What you need for reporting ransomware

While most internal IT staff can gather relevant information for law enforcement, a digital forensic examiner can obtain a triage of forensic artifacts on the targeted system. 

To report ransomware, US citizens and businesses have to provide authorities with as much information as possible, including:

  1. Your organization’s information (industry, business type, size) and best point of contact
  2. Approximate date and time of the ransomware attack
  3. How the attack occurred (via an email link or attachment, internet browsing, etc.)
  4. A copy or photo of the ransom demand note or screenshot
  5. Name of the ransomware variant (usually included in the ransom note or encrypted file)
  6. Any relevant IP addresses connected to your network that you do not recognize
  7. The file extension of encrypted files (if it has one). See the types of ransomware attacks
  8. Email address, URL, or any other communication method provided by the threat actor
  9. Electronic copies of any communication you have had with the cybercriminals (if applicable)
  10. Threat actor’s bitcoin wallet address (typically identified on the ransom page)
  11. Ransom amount demanded, and ransom amount paid (if any). See more about ransomware payment and the legal implications concerning it
  12. Overall losses associated with the ransomware attack
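
As an added example (not part of the original article, and not an FBI or IC3 tool), this read-only Python sketch pulls several of the checklist items out of a ransom note and a file listing: the threat actor's email address and URL, the bitcoin wallet address, and the encrypted-file extension, plus a SHA-256 of the note so the copy you hand over can be verified later. The sample note, file names, known-extension set and function names are constructed assumptions.

```python
import hashlib
import re
from collections import Counter
from pathlib import PurePath

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Bitcoin address shapes: bech32 (bc1...) and legacy Base58 (1... or 3...).
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# Constructed sample data: every value below is made up for illustration.
SAMPLE_NOTE = (
    b"YOUR FILES ARE ENCRYPTED.\n"
    b"Write to recover@example.invalid or open https://chat.example.invalid/ticket/42.\n"
    b"Send payment to: 1ConstructedSampLeWa11etXXXXXXXX\n"
)
SAMPLE_FILES = ["q3-report.xlsx.encsample", "invoice.pdf.encsample",
                "photo.jpg.encsample", "notes.txt", "RESTORE_FILES.txt"]
KNOWN_EXTENSIONS = {".txt", ".pdf", ".xlsx", ".jpg", ".docx"}

def summarize_note(note_bytes):
    """Hash the note and pull out contact and payment details (read-only)."""
    text = note_bytes.decode("utf-8", errors="replace")
    return {
        "note_sha256": hashlib.sha256(note_bytes).hexdigest(),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        # Trim sentence punctuation that trails a URL in running text.
        "urls": sorted({u.rstrip(".,)") for u in URL_RE.findall(text)}),
        "btc_wallets": sorted(set(BTC_RE.findall(text))),
    }

def encrypted_extension(filenames, known=KNOWN_EXTENSIONS):
    """Return the most frequent unfamiliar final suffix, or None if there is none."""
    counts = Counter(PurePath(name).suffix.lower() for name in filenames)
    unknown = [(n, ext) for ext, n in counts.items() if ext and ext not in known]
    return max(unknown)[1] if unknown else None

def build_report(note_bytes, filenames):
    """Combine the note details and the file extension into one summary."""
    report = summarize_note(note_bytes)
    report["encrypted_extension"] = encrypted_extension(filenames)
    return report

if __name__ == "__main__":
    for field, value in build_report(SAMPLE_NOTE, SAMPLE_FILES).items():
        print(f"{field}: {value}")
```

Run it against copies of the note and a saved file listing rather than on the infected machine itself, so the original evidence stays untouched.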

You can contact Proven Data experts if you need help collecting any of this information.

Why should I report a ransomware attack?

You might be skeptical about why you should report a ransomware attack to authorities. By reporting the attack, you provide law enforcement agencies with critical data to track cybercrime and prosecute the perpetrators.

Help stop the spread of ransomware and report your attack immediately!

If you require further assistance remediating your ransomware incident or would like proactive ransomware services, our experts are here to help you.

Ransomware FAQs

There are three common ways ransomware attacks happen:

  1. Open RDP ports: Remote Desktop Protocol (RDP) is an access portal that allows a user or administrator to connect to your computer from another location. 
  2. Phishing emails: emails containing malware or malicious links that install a ransomware program on the computer when clicked
  3. Exploit kits: advanced malware tools that allow cybercriminals to target victims through security gaps in well-known software and hardware from popular technology manufacturers

There are four common methods to recover files from a ransomware attack:

  1. Recover files with a backup. Find out if any data backup is in place to recover files from off-site or offline backups, cloud-based backups, and on-site backups
  2. Recreate the data. Utilize any available paper copies, email exchanges and attachments, and database mining practices to recreate the encrypted data
  3. Break the ransomware encryption. Unfortunately, some ransomware encryption is unbreakable. But you should always contact a ransomware recovery service to determine if there is a public decrypt key available for your particular variant.
  4. Contact a ransomware removal service. If the encryption is too strong, sometimes the only way to bypass the encryption and access your files is by hiring a recovery service

The FBI does not encourage paying the ransom, and there are consequences for those who pay. However, it does acknowledge paying the ransom as a last resort option.

Our guide on the pros and cons of paying ransomware highlights the various outcomes of these situations. 

Cons of paying the ransom:

  • Faulty decryption key
  • Further attacks may occur due to open backdoors and vulnerabilities
  • The ethical dilemma of funding the cybercrime economy and even terrorism

Pros of paying the ransom:

  • Recover encrypted files
  • Quicker recovery

Following a ransomware attack, it is important that you take the necessary steps to secure your network and avoid being victimized again. The National Institute of Standards and Technology (NIST) recommends using a 4-step process of continuous incident response activities:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity