Ransomware attacks have become one of the most common cyber crimes in recent years. Every year, the damages caused by ransomware go up by billions of dollars. Ransomware damages in 2020 exceeded $20 billion, while damages caused in 2018 were $8 billion. In just two years, damage caused by ransomware has more than doubled, and this increase is likely to continue in the years to come. 
Dealing with a ransomware attack is a long and complicated process, often involving making difficult decisions about recovering or losing data. Having backup and an effective data and system recovery plan can help make the process much easier. An important, often ignored, step in the process, however, is reporting the ransomware to authorities.
Individual users in particular often do not report the attacks to the appropriate authorities, whether it’s because they do not know they can or because they do not think the attack is significant enough to warrant filing a report. But reporting ransomware attacks is usually recommended. While it will not necessarily always lead to the apprehension of those responsible, it will provide law enforcement with valuable information about the ransomware in question.
For companies and organizations, not filing a report is usually not an option, primarily because ransomware attacks now involve stolen data. When personal data of employees or customers is involved, the incident must be reported to the appropriate parties.
Why reporting a ransomware attack is often encouraged, even necessary
For individual users, reporting a ransomware attack may be a matter of preference. However, it’s highly recommended that users still file a report with law enforcement, as they may be able to provide certain solutions that users may otherwise not be informed about. For companies and organizations, not reporting the incident is often not an option. Especially if they are targeted by a ransomware strain that not only encrypts files but also steals data. If any kind of employee or user personal information is stolen during an attack, companies/organizations are required by law to report the incident.
To pressure bigger victims (usually companies and organizations) to pay the ransom, ransomware operators have recently started stealing data, including source codes and personal information. Since most companies now have backup and are able to quickly restore full operations with minimal disruption, there is much less chance that they will be willing to pay the ransom. To combat this, cyber criminals steal data during a ransomware attack, and then threaten to publicly release the data if the ransom is not paid.
One relatively recent example of such an attack is the February ransomware attack against CD Projekt Red, a developer of popular video games Witcher 3 and Cyberpunk 2077. The cyber criminals behind this attack stole the source codes for these popular games and threatened to release them publicly if the company refused to pay an undisclosed amount of money in ransom. The company did not comply with the demands, and the stolen data indeed was released. This is certainly not an isolated incident, and companies now have to be prepared for these situations as well.
In case among the stolen data there is personal information of customers or employees, the law requires that the incident be disclosed not only to law enforcement but also to potentially affected users. However, even if reporting a ransomware attack was not necessary, it would still be encouraged. With every report about a particular ransomware, law enforcement gain valuable information that, while not immediately useful, may help get a clearer picture in the future.
Furthermore, victims reporting these incidents allows law enforcement to release more effective and up-to-date guidelines. For example, if a particular ransomware uses a specific vulnerability to get in, which is then reported by the victim, law enforcement and cybersecurity companies would be able to release warnings for others to immediately patch the vulnerability and avoid infection.
Lastly, reporting a ransomware attack is useful for victims as well, as law enforcement can advise on how to best deal with the situation, or at least refer to someone who can.
The process of reporting a ransomware incident
It’s important to gather as much information as possible before filing a report. Relevant information you should have on hand when filing a report with your local authorities is the following:
- Date and time the attack happened;
- How the ransomware may have gotten into the system (e.g. email attachments, vulnerability, etc.);
- A photo of the ransom note(s) dropped when files were encrypted;
- The name of the ransomware and which, if any, ransomware family it belongs to. If the name is not mentioned in the ransom note, the ransomware can be identified by the extension that it adds to encrypted files;
- File extension that’s added to encrypted files;
- Any contact email addresses provided by the operators of the ransomware (usually mentioned in the ransom note);
- Any communication you had with the cyber criminals;
- Information the cyber criminals have provided you, such as the ransom sum and the cryptocurrency wallet address(es).
The more information you can provide, the more of help law enforcement can be. However, it’s important to understand that tracking ransomware operators is not so simple. Cyber criminals operating ransomware, such as gangs like Dharma and Ryuk, often employ various techniques that make catching them quite difficult. So while reporting a ransomware will not necessarily lead to those responsible being apprehended, it will certainly help in the long run. Furthermore, in case the cyber criminals are ever caught, law enforcement would contact you and help with data recovery if no backup was available at the time of infection.
Once you have as much information as possible, you can contact your local law enforcement to file a report. Most law enforcement agencies have branches that specifically deal with cyber crime so you can contact them directly. However, if you’re not sure who to contact, you can call your local police’s non-emergency number and they should be able to direct you to the appropriate authorities.
If you are a victim of ransomware from USA:
- Contact your local FBI field office to request assistance, or submit a tip online.
- File a report with the FBI’s Internet Crime Complaint Center (IC3).
If you are a victim of ransomware from other countries , please report this incident to your local authorities:
| Australia ACSC |
Austria Polizei |
Belgium Police |
| Brazil Polícia Federal |
Bulgaria CyberCrime |
Canada Centre for Cyber Security |
| Croatia Ministry of the Interior |
Cyprus Cyber Crime Police |
Czech Republic Policie |
| Denmark Politi |
United Kingdom Action Fraud |
Estonia Politsei |
| Finland Poliisi |
France Ministère de l’Intérieur |
Germany Polizei |
| Greece Hellenic Police |
Hong Kong Hong Kong Police |
Hungary Rendőrség |
| India Cyber Crime Cell |
Iran Cyber Police |
Ireland Garda Síochána |
| Israel Nomoreransom project |
Italy Polizia di Stato |
Japan Cybercrime Project |
| Latvia Policija |
Lithuania ePolicija |
Luxembourg Police |
| Malta Pulizija |
Netherlands Politie |
New Zealand Police |
| Russia Ministry of Internal Affairs |
Scotland Police Scotland |
Singapore Singapore Police Force |
| Slovakia Ministerstvo Vnútra |
Slovenia Policija |
South Korea National Police Agency |
| Spain Policía Nacional |
Sweden Polisen |
Ukraine Cyber Police |
| United States IC3 |