RANSOMWARE INCIDENT REPORTING
Earlier this month, infosec experts reported that businesses which have suffered a cyberattack were often reluctant to report the incident. Alarmingly, enterprise-scale operations, typically the most vulnerable to cybercrime, were the main culprits in failing to report incidents. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has launched its ‘Stop Ransomware’ site, the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively. ‘Stop Ransomware’ also provides a ransomware readiness self-assessment, the Cyber Security Evaluation Tool. The site also states:
“Every ransomware incident should be reported to the U.S. government.”
In the UK, the National Cyber Security Centre (NCSC) provides essential information, guidance and advice on ransomware. Businesses can also report an incident on the NCSC site. Technical Lead of Incident Management at the NCSC, Toby L, issued these words of caution about not reporting an incident as well as the impact of a ransomware attack:
“The final thing I’ve noticed over the last few years, is that recovering from a ransomware incident is rarely a speedy process. The investigation, system rebuild and data recovery often involves weeks of work. Whilst COVID has tested business continuity planning more than most events, operating without IT (and just pen and paper) is a different proposition altogether.”
THE GOOD GUYS WIN
Despite the lack of effective incident reporting, in 2021 law enforcement agencies in the U.S., the UK and Europe succeeded in taking out some of the main cybercriminal players. These successes included:
- The Cyber Police of Ukraine arrested 5 suspected ransomware affiliates who were accused of extorting more than $1 million out of victims.
- In an international takedown in October, the affiliates of REvil ransomware, the bad actors responsible for hacking Kaseya; JBS, the Brazilian meat processor; and HX5, the Florida-based space and weapon-launch technology contractor, were arrested.
- Along with several arrests, the FBI was able to recover $2.3 million of the $4.4 million paid by Colonial Pipeline in Bitcoin after the energy supplier was hacked by Darkside ransomware actors in May.
Colonial Pipeline, JBS and Kaseya all acted responsibly by reporting the incident to the relevant authorities.
WHY DON’T BUSINESSES LIKE INCIDENT REPORTING?
The question remains: why are enterprises reluctant to report incidents? After all, law enforcement agencies are there to help and support, not hinder. Roger Grimes, a data-driven evangelist at KnowBe4, says:
“They have even said that getting any of those entities (CISA, FBI, Secret Service) involved could actually result in reduced liability, because they help you steer clear of OFAC violations, at the very least and offer helpful advice.”
Nevertheless, organizations are still reticent when it comes to incident reporting. Grimes thinks that these are the main reasons:
- CEOs fear that law enforcement agencies will take control, and executive management does not want decisions that impact the company and its stakeholders made by outsiders.
- The increased interest shown by the U.S. and global agencies makes incident reporting a complicated process and companies don’t have the time to follow through.
- The involvement of the law usually does not lead to arrests or the retrieval of ransom paid to hackers.
- Ransomware attacks can be crippling, so companies that experience one don’t have time to catch the bad guy; they simply want to get back to business.
In this regard, Stephen Reynolds, a partner at multinational law firm Baker McKenzie who takes part in clients’ incident reporting discussions and is also a former computer programmer and IT analyst, said:
“They want to report to law enforcement, but ransomware attacks are very, very crippling on a company and organization. They’re really just trying to get their systems back and get back to functioning properly. I think they aren’t as motivated to catch the bad guy; that’s really law enforcement’s bigger priority.”
YOUR INCIDENT REPORTING SOLUTION
Reynolds is right. Involving law enforcement or trying to take out the bad actors following a cyberattack is a massive drain on resources and money. In the first place, you shouldn’t need to report an incident as a ransomware hack can always be avoided. How do you do this? The answer is simple. Hand your cybersecurity over to somebody who has 20+ years of experience in cybersecurity and risk mitigation. I will give you all the advice and guidance that you need to keep your IT network and precious data out of harm’s way. Incident reporting need never be an item on your agenda. Forget the FBI and contact me now.