Ransomware Attacks Up, But Victims Not Reporting to Police

By Patrick W. Dunne

Ransomware attacks were the most-observed cyberthreat last year — in part because of COVID-19 and more employees working from home — but many victims did not report the attacks to authorities, mostly out of fear of reprisal, experts told Digital Privacy News.

“We got about 2,700 ransomware cases in 2019,” said Keith Wojcieszek, a former U.S. Secret Service agent and managing director of the cyber risk practice at Kroll, the New York cybersecurity firm that recently released survey findings on the issue.

“That number increased by 100% in 2020,” he added. “COVID-19 and work-from-home orders played a huge role in ransomware’s prevalence.”

Ransomware attacks computer systems and locks data with encryption. Hackers then demand payments to release the information — often sending news releases to media outlets or stock exchanges, “shaming” victims should they not pay.

Ransomware gangs, which often demand cryptocurrency payments because they are difficult to trace, made at least $350 million last year, the New York blockchain-analysis company Chainalysis disclosed in January.

The figure was up more than threefold over 2019, but officials cautioned that actual numbers likely were much larger, as their dataset was incomplete because of companies not reporting.

Globally, Europol, the European Union Agency for Law Enforcement Cooperation, based in the Netherlands, reported last year that ransomware attacks remained extremely underreported and that many victims don’t come forward to law enforcement.

But some companies have paid ransoms to get their data back, possibly violating U.S. Treasury Department regulations issued last October, officials told Digital Privacy News.

According to the agency’s Office of Foreign Assets Control, paying ransomware may “embolden cyber actors to engage in future attacks” and “fund activities adverse to the national security and foreign policy objectives of the United States.”

No Assurances

Further, paying ransoms does not guarantee data will be returned.

Last year, 68% of U.S. companies hit by ransomware paid threat actors in hopes of receiving their data, according to a survey by Proofpoint Inc., a cybersecurity firm in Sunnyvale, Calif.

Only 60% of those companies, however, instantly regained access to their data after the first payment — and 34% had to pay additional ransoms, Proofpoint found.

In addition, 6% of those victims refused to pay the additional demands, never having their data returned, and 2% retrieved no data — even after paying any ransom.

COVID’s Impact

According to Kroll’s Wojcieszek, many of the usual ransomware attack vectors — phishing scams, for instance — became more effective because of the pandemic.

Remote workers are much easier for hackers to exploit due to insecure Wi-Fi networks and technology, he said.

In other words, ransomware attacks are more dangerous now than ever before, Wojcieszek told Digital Privacy News, yet many companies still might not report such breaches.

“In March 2020, companies sent their employees to work from home — leaving them with a much-less-secure infrastructure compared to that of their companies,” he said.

“It’s a very challenging task to make sure your remote employees are just as safe and secure as they would be in the office,” he added. “The bad guys know this and were ready to take advantage of this opportunity.”

Fears of Reprisal

Companies may not report ransomware attacks for many reasons, experts said. They include fears of reprisal, skepticism about law enforcement’s effectiveness — or beliefs that reporting is simply a waste of time.

Not reporting, however, might do more damage in the long run.

“Many companies tend to falsely assume that reporting to law enforcement is pointless,” Wojcieszek said.

“They don’t believe that law enforcement has the capabilities to deal with their problems,” he added. “They think: ‘I’ve already been attacked. Why do I need to report?’”

But the lack of reporting is a serious problem, cybersecurity experts said.

“Reporting attacks helps the FBI better understand the scope of the ransomware problem and can provide evidence to further an FBI investigation seeking to stop the cybercriminals responsible,” Scott Hellman, FBI cyber supervisory special agent in San Francisco, told Digital Privacy News.

Losses at $8.9 Million

The urgency for increased reporting comes as ransomware attacks are causing massive financial damage to companies, according to the most-recent data from the agency’s Internet Crime Complaint Center (IC3).

“In 2019,” Hellman said, “the IC3 received 2,047 complaints identified as ransomware, with adjusted losses of over $8.9 million.

“Those losses drastically understate actual losses to the victims — as they don’t account for cost of rebuilding a network or the cost of lost revenue during down time.”

Last year, IC3 saw almost 4,000 cybercrime reports every day — up more than threefold over the previous year’s average of 1,300 a day.

Legal Requirements

Some companies may be legally obligated to report attacks, depending upon the nature of the data stolen and the state in which victims reside.

Private companies, however, are not required to disclose breaches to the FBI.

“The FBI understands the difficult position and decisions a company faces in a ransomware attack,” Hellman told Digital Privacy News.

“Companies are weighing the cost of potentially quickly receiving their data back through payment against the cost of rebuilding their network from backup.”

Reporting cyberattacks also could affect a company’s market value, earnings — or invite litigation, experts said.

Ian Stewart, co-chair of the national cybersecurity and data privacy practice at the Wilson Elser law firm in New York, said: “Most clients continue to see reporting to law enforcement as something to be avoided — believing that it will cause bad publicity, unwelcome scrutiny by regulators and time-consuming and expensive follow-up work that may give rise to potential litigation.”

Hit to Stock Prices

For instance, a 2019 analysis of three major data breaches — Marriott International in 2018, Equifax in 2017 and Yahoo in 2016 — found that their stock prices dropped an average of 7.5%.

Each decline translated to a market cap loss of about $5.4 billion per company, according to a report by Bitglass Inc., a cloud-security company in Campbell, Calif.

The breaches also cost the companies an average of $347 million in legal fees, costs and penalties.

The Yahoo attack, the report found, damaged the company’s reputation so severely that it affected its merger with Verizon in 2017, causing it to sell at a $350 million discount.

“Companies are rightfully concerned about the reputational harm that comes from this kind of bad publicity,” Wojcieszek said. “Everyone knows about the attacks against companies like Target, Equifax, and, more recently, SolarWinds.”

How Hackers Think

Still, such fears shouldn’t keep companies from reporting cyberattacks, he said.

“In my experience working with law enforcement, reporting actually helps delay media coverage,” Wojcieszek observed. “Releasing information about an investigation is harmful to that investigation.”

He noted that hackers he had arrested while at the Secret Service paid close attention to news headlines and were very well aware if someone was onto them.

“Once you start alerting these bad guys, they’ll start to cover their tracks — and it’s the last thing you want them to do,” Wojcieszek said. “It’s no different than how a robbery suspect might try and hide what they’ve stolen.”

But perhaps the best offense for companies against ransomware attacks is a good defense — stronger security measures — he told Digital Privacy News.

“Being prepared and understanding your risk is so extremely important,” Wojcieszek said.

“Whether it is making an instant-response plan or just understanding potential attackers, every company should prepare themselves.”

Patrick W. Dunne is a San Francisco writer.