Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com)

Posted by msmash on Friday June 23, 2017 @07:20AM from the what's-happening dept.

Catalin Cimpanu, writing for BleepingComputer: Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report (PDF), released yesterday by the FBI's Internet Crime Complaint Center (IC3). During 2016, FBI IC3 officials said they received only 2,673 complaints regarding ransomware incidents, which ranked ransomware as the 22nd most reported cyber-crime in the US, having caused just over $2.4 million in damages (ranked 25th). The numbers are ridiculously small compared to what happens in the real world, where ransomware is one of today's most prevalent cyber-threats, according to multiple reports from cyber-security companies.

52 of 87 comments (clear)

Min score:

Reason:

Sort:

Big surprise: by Anonymous Coward · 2017-06-23 07:24 · Score: 1

Companies don't want outsiders to know that they have incompetent IT folk working for them. Or... they don't want people to know that they can't afford (or have chosen not) to upgrade their equipment and software. Or... they don't want people to know that management is incompetent.
1. Re:Big surprise: by Thud457 · 2017-06-23 07:41 · Score: 1
  
  "SEE?!
  We TOLD you encryption was a problem!"
  
  --
  the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
2. Re:Big surprise: by ShanghaiBill · 2017-06-23 07:47 · Score: 5, Insightful
  
  Or they know that government agencies will provide zero help in solving their problem.
3. Re:Big surprise: by geekmux · 2017-06-23 07:56 · Score: 2
  
  Companies don't want outsiders to know that they have incompetent users working for them...
  FTFY, since it's no secret who is responsible for infections 99.99% of the time.
4. Re:Big surprise: by edtice1559 · 2017-06-23 08:23 · Score: 1
  
  And also prosecute them if they pay the ransom!
5. Re:Big surprise: by Anonymous Coward · 2017-06-23 08:32 · Score: 1
  
  In my experience, less than zero: they will be an active hindrance.
  Which would you rather do, just restore from backup, install whatever patches you missed, and send everyone to training, or lock down all your computers until the FBI can get around to copying them for evidence in a few weeks?
  The FBI's problem is that every knows that getting them involved not only wouldn't help, it would make things worse.
6. Re:Big surprise: by Anonymous Coward · 2017-06-23 09:30 · Score: 1
  
  If you bought Bitcoin at $0.10 per BTC, you'd look at a "Please pay us $300 in Bitcoins" and laugh as you proceed to give them what costed you less than 1 cent years ago.
  I think the real lesson here is: buy Bitcoin now, laugh at everyone in a few years.
7. Re:Big surprise: by Zero__Kelvin · 2017-06-23 09:54 · Score: 2
  
  $300 is $300 not $0.10
  
  It is immaterial what they cost originally. It is pretty evident you have no understanding of wealth and money. Most rich people became rich and / or stay rich because they don't look at it the way you claim you do.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
8. Re: Big surprise: by thundercattt · 2017-06-23 09:56 · Score: 1
  
  That's exactly it. Whoever you report it to goes "o well, it's from another country. Can't do anything about it". So why report it, suck it up and then install Linux.
9. Re:Big surprise: by Anonymous Coward · 2017-06-23 10:56 · Score: 1
  
  In particular, they don't want outsiders to know they're so incompetent they don't even have backups.
  Seriously, you don't need good security to thwart ransomware. Just restore from backup! Plain old backup that has been around long before we connected stuff to the internet. Back then, it protected us from disk & server failures. And knuckleheads with too much privilege deleting files.
  Good security is to secure uptime & thwart spies. That is an arms race. Foiling ransomware is too easy.
10. Re:Big surprise: by davester666 · 2017-06-23 19:42 · Score: 1
  
  and they know there is fuck-all that the FBI can do about it.
  The FBI won't be able to decrypt the computers and will want them for evidence, making it more time consuming and expensive to get back to work.
  It's like walking around a corner and being sucker-punched by someone, and while you are on the ground, you see a cop out of the corner of your eye, you call out "Can you give me a hand up.", and the cop steps on your hand and replies "Not yet, I'm busy collecting evidence."
  
  --
  Sleep your way to a whiter smile...date a dentist!
Of course they aren't by Alan+Shutko · 2017-06-23 07:27 · Score: 2

Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time.
1. Re:Of course they aren't by bodog · 2017-06-23 07:30 · Score: 1
  
  "Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time."
  Patently false. The fully appropriate "whata moron" shrug of the LEO eyebrows should be more than enough to dissuade repeat events.
2. Re:Of course they aren't by tattood · 2017-06-23 07:32 · Score: 1
  
  It's not law enforcement's job to help you recover your data. Their job is to arrest the people who did it, which is equally, if not more, difficult to do.
  
  --
  WTB [sig], PST!!!
3. Re:Of course they aren't by Alan+Shutko · 2017-06-23 07:36 · Score: 3, Interesting
  
  How likely is it that they will catch the people who did it? And if they do, how likely is that to reduce the chances of someone else doing the same thing?
  If someone steals your car, you contact the cops because it's possible you'll get your car back. Even if not, it's sort of possible they'll find the car thief, because the city is only so big. But finding who put ransomware on your computer among billions of people all over the world?
  Again, there's nothing in it for the victim.
4. Re:Of course they aren't by geekmux · 2017-06-23 07:41 · Score: 2
  
  Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time.
  Ever consider the possibility that the cybercrime division actually could help by guiding an unknowing victim to available solutions to recover data instead of them blindly assuming all is lost and prematurely formatting hard drives?
  Let's not act like ransomware key recovery is some mythical event that's never happened before, or assume that every victim is aware of its existence.
5. Re:Of course they aren't by Anonymous Coward · 2017-06-23 07:54 · Score: 1
  
  I did consider it for a moment, and then I laughed my ass off.
6. Re:Of course they aren't by ShanghaiBill · 2017-06-23 07:59 · Score: 3, Interesting
  
  Ever consider the possibility that the cybercrime division actually could help
  No. I was actually involved in a criminal case involving the FBI's cybercrime unit, and I would not even consider the possibility that they could figure out how to turn a computer on. I never met a group of more clueless people. The guy leading the investigation had been a history major in college, and had made no effort whatsoever to learn anything about technology. His subordinates were even dumber.
  Disclaimer: I was not the target of the investigation. The FBI contacted me because I had previously won a civil suit against the perp, and knew a lot about his business practices.
7. Re:Of course they aren't by Holi · 2017-06-23 08:30 · Score: 2
  
  It's more that for you to make an insurance claim you must have a police report. Your most likely not getting the car back unless it was just some joyriders.
  
  --
  Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
8. Re:Of course they aren't by ElizabethGreene · 2017-06-23 08:39 · Score: 1
  
  My employer contacted the FBI for a security incident in 2009-ish. We were told that they don't consider matters with damages less than $10,000. Is that still the case?
9. Re:Of course they aren't by omnichad · 2017-06-23 08:51 · Score: 1
  
  99% of the time, it's outside their jurisdiction anyway. How many domestic ransomware attacks have there been compared to China/Russia/Ukraine?
10. Re:Of course they aren't by phantomfive · 2017-06-23 09:58 · Score: 1
  
  Worth remembering when the FBI announces that North Korea (or anyone else) hacked someone.
  
  --
  "First they came for the slanderers and i said nothing."
11. Re:Of course they aren't by skids · 2017-06-23 13:04 · Score: 1
  
  Seriously if you reported every con phone call, phishing attempt, ebay check cashing scam, malware site, or fraudulent snail mail how much of a time suck would that be? We're drowning in criminal activity these days... no surprise people just blow it off. (And now the role-model-in-chief is a fraudster so it's just going to get worse.)
  I only report the ones that piss me off when I'm in a bad mood. (Actually I have a good coincidental record of seeing the government take the rare action right after I file one of my rare reports.)
  That being said, if the law enforcement and consumer protection agencies actually want more reports, they would be best advised to do some SEO so you can easily google which sites to report specific types of fraud. Though frankly, I'd not be surprised if in a few years consumer protection NPOs are sending out warnings not to give certain federal agencies any PII because they are so corrupt they are running cons with it.
  
  --
  Someone had to do it.
12. Re:Of course they aren't by Anonymous Coward · 2017-06-23 13:13 · Score: 1
  
  Field agents for most places are like that. The actual technical people aren't called in unless absolutely necessary. A non-profit group I'm involved with was a victim of cybercrime where they managed to spearphish an officer to wire money to someone 1000 miles away. The recipient then used the information from the wire transfer to social engineer the bank and empty the account. Half a million gone in less than a day. It literally took them months to get the necessary warrants on the recipients account to seize the funds and get financial information and then three months after that before I was contacted by the FBI's forensic accountant to get some information. Took forever to get the money (well, most of it) back and we had a hard time paying bills in the meantime. But back to my original point, it makes sense to me because why waste expertise until necessary. Most investigations like that are just paper pushing anyway.
13. Re: Of course they aren't by zippthorne · 2017-06-24 04:20 · Score: 1
  
  Oh, they might've paid a lost less than a million dollars for it.
  From April, 2016:
  
  At a conference on global security in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.
  “A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.
  He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.” ...
  The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term.
  F.B.I. Director Suggests Bill for iPhone Hacking Topped $1.3 Million
  So, the new lower bound for the cost of the hack now that we've actually measured how much time Comey really had left is about $170,000.
  
  --
  Can you be Even More Awesome?!
Why would anyone report to the FBI? by pj2541 · 2017-06-23 07:28 · Score: 1

It's not like they are particularly trusted or trustworthy. And I've never even heard of the "Internet Crime Complaint Center" and that likely goes for most people. The average person would only contact the FBI if they expected that the FBI would have some chance of doing something about the bad guys, and I just don't see that happening.
1. Re:Why would anyone report to the FBI? by __aaclcg7560 · 2017-06-23 07:38 · Score: 1
  
  I filed a complaint a few days ago because some asshat tried to be cute with a dick pic of two men who bear a remarkable resembelance to me having sex. The dick pic by itself was nothing. Putting my name and URL was something else.
  https://www.ic3.gov/
2. Re:Why would anyone report to the FBI? by Trax3001BBS · 2017-06-23 08:54 · Score: 1
  
  It's not like they are particularly trusted or trustworthy. And I've never even heard of the "Internet Crime Complaint Center" and that likely goes for most people. The average person would only contact the FBI if they expected that the FBI would have some chance of doing something about the bad guys, and I just don't see that happening.
  Yep. I ran into a bit of scamware that would of used flash against me if not for many things (NX not enabled, Not being a 64bit system, and on).
  Searching the number to of been called one finds many who complied with the scam top the list while scammers themselves follow. Google 1-844-667-1499 some reported it some didn't from their post and even then it was to the FTC or FCC.
3. Re:Why would anyone report to the FBI? by omnichad · 2017-06-23 08:55 · Score: 1
  
  Unless you paid money for a copy of the pics, you reported it to the wrong place. At best this is a civil issue, not criminal.
4. Re:Why would anyone report to the FBI? by Trax3001BBS · 2017-06-23 09:02 · Score: 1
  
  And no I myself didn't report it, submitted it to /. who didn't deem it worthy... Trax3001bbs hands in pocket, looks at ground and slowly kicks at the dirt.
5. Re:Why would anyone report to the FBI? by __aaclcg7560 · 2017-06-23 09:22 · Score: 1
  
  Unless you paid money for a copy of the pics, you reported it to the wrong place. At best this is a civil issue, not criminal.
  This isn't just about the dick pic. It's three months of harassment on Slashdot that resulted in five user accounts being deleted and over two dozen DMCA takedown notices to remove my photo from image websites around the world.
6. Re: Why would anyone report to the FBI? by KGIII · 2017-06-23 09:28 · Score: 1
  
  Maybe they have editorial standards? Of !== have, which you did twice in your parent post.
  Wait, no... They don't have standards. It is obviously personal, and they don't like you.
  
  --
  "So long and thanks for all the fish."
7. Re:Why would anyone report to the FBI? by omnichad · 2017-06-23 09:32 · Score: 1
  
  None of that is their jurisdiction either.
8. Re:Why would anyone report to the FBI? by __aaclcg7560 · 2017-06-23 09:44 · Score: 1
  
  None of that is their jurisdiction either.
  Harassment across state lines, Russian websites, foreign nationals. The only thing lacking is someone named Trump.
9. Re:Why would anyone report to the FBI? by __aaclcg7560 · 2017-06-23 10:02 · Score: 1
  
  Yes, it was "something else." The real question is, what "something else" was it? It was certainly not a breach of the law.
  Might be repeated violations of TOS at different websites under the computer fraud act.
10. Re:Why would anyone report to the FBI? by JohnFen · 2017-06-23 11:26 · Score: 1
  
  Numerous courts have ruled that to breach a website's terms of service is not a criminal act. It is a contract violation, therefore a civil matter.
11. Re: Why would anyone report to the FBI? by Trax3001BBS · 2017-06-23 14:37 · Score: 1
  
  Maybe they have editorial standards? Of !== have, which you did twice in your parent post.
  Don't get me wrong it was a badly written piece and not complete, better off being posted to my journal.
12. Re: Why would anyone report to the FBI? by KGIII · 2017-06-23 15:52 · Score: 1
  
  Oh, I was just giving you shit for "of." Would have... Could have... etc...
  
  --
  "So long and thanks for all the fish."
Re:No surprise by tattood · 2017-06-23 07:29 · Score: 1

Or you are worried that their investigation might uncover other unrelated things that you would rather them not know about.

--
WTB [sig], PST!!!
Is there a reason to bother? by Presence+Eternal · 2017-06-23 07:31 · Score: 1

It's kind of futile to report them, isn't it? The US doesn't have any meaningful ability to deal with attackers in Nigeria, much less China or Russia. Or am I wrong? I'd be happy to tell my customers they have some recourse.
Why bother? by Anonymous Coward · 2017-06-23 07:45 · Score: 1

Most companies don't report ransomware attacks to the FBI because most companies consider it a waste of time. Everyone knows that if you get hit by ransomware, there's only three possible outcomes:
1. You consider the encrypted data lost, and move on without it, or roll back to your freshest, unencrypted backup.
2. You pay the ransom and hope to get the data back.
3. You get lucky and the ransomware that hit you is one that's already been broken and you're able to recover the data yourself.
There's nothing the FBI can do to alter those three options. The feds aren't going to track down the originator of the ransomware and force him to give you the decryption key. And even if they could, it would be pointless because very few companies could afford to spend the weeks, months, or even years it would take for the FBI to complete such an operation. I'd be willing to bet that for most companies that get hit by ransomware, the biggest headache is the halt to production that occurs while the data is being recreated or recovered, either from backups or by paying off the ransom. Adding the FBI to the mix does nothing but add more paperwork and more meetings to the this process.
What should I report? by TechyImmigrant · 2017-06-23 07:47 · Score: 3, Insightful

I get on the order of 50,000 attack probes every day. Should I be cataloging and report each one to the FBI?
What makes a ransomware attack a special snowflake attack that needs reporting compared to spyware or bot install attempts?

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:What should I report? by phantomfive · 2017-06-23 10:14 · Score: 1
  
  Actually, yes: there should absolutely be a public API that people can use to report automated attack probes to the FBI.
  That sounds so open to abuse that malware writers everywhere are just salivating thinking about it.
  
  --
  "First they came for the slanderers and i said nothing."
Goddamit ... by CaptainDork · 2017-06-23 08:02 · Score: 1

... when we say, "Don't go to the police," we mean it.

Soon after, another email from the Dark Overlord arrived at Larson. “They said they felt they owed us an explanation as to why they had done it,” said Jill Larson. In the email, the hackers argued that Larson Studios had broken the terms of the agreement by talking to the FBI. “So they decided to punish us.”

--
It little behooves the best of us to comment on the rest of us.
No shit... by WolfgangVL · 2017-06-23 08:05 · Score: 1

Last I checked, FBI said to just pay the ransom.
Why bother even reporting it.
When dealing with ransomware myself, I do check the FBI for decryption-keys before I start restoring from backups, but reporting?
Soon as I'm on the payroll, Hoover.

--
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
$ransom bad publicity ? by moeinvt · 2017-06-23 09:02 · Score: 3, Interesting

If you file a report, is the FBI under any obligation to keep it confidential? I wouldn't trust them to stay quiet even if that was their official policy. Those guys who leaked the "Orange is the New Black" episodes somehow learned that the studio had called the FBI, after being warned not to, and punished them for doing it, even though they paid the ransom.
I read one paper by a security expert and he said that big banks in Europe and N. America have been doing this for years. Eat the losses from computer crime as a cost of doing business rather than risk damage to their reputation by reporting that someone had broken into their customer's accounts.
I'm sure a lot of other companies would rather pay up than endure the bad publicity which would come from word getting out that "Company X was hacked".
Re:Why would you? by GameboyRMH · 2017-06-23 09:08 · Score: 1

This. Ransomware executed on a desktop at my office while I was on vacation last year. It encrypted many files on the local HDD and a large fraction of the file shares. The source was soon found, cleaned up, and the affected files were restored from backups. What's worth reporting?

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
Why would I convict myself? by medv4380 · 2017-06-23 09:49 · Score: 2

Ransom laws get sticky so why should I report when paying them may or may not be illegal. If I report and it happens that paying the ransom is illegal then the ransom can't be paid and the FBI is slowing down recovery. If I pay the ransom to fix the problem but then report it I might get in trouble so why bother? On the other hand, If I just restore the backups I've also destroyed the evidence so Why would I report the problem?
1. Re:Why would I convict myself? by Tony+Isaac · 2017-06-25 16:28 · Score: 1
  
  That's about like the oil companies arguing that they had to pay bribes to Nigerian officials because that was the only way to get things done. Now, the authorities are catching up with them, and the companies are paying a big price. Refusing to report ransomware to authorities because of fear of getting busted for paying ransoms...is short-sighted.
2. Re:Why would I convict myself? by medv4380 · 2017-06-26 08:49 · Score: 1
  
  Perhaps, but I just restore from the tape backup, and nuke and pave the infected machines that aren't. Lost work? Let this be a lesson why you don't save to your desktop. No need to contact the FBI, and no money trail to lead back to me. Still is destruction of evidence and failure to report a crime. Who cares.
Re:Creimer assults with deadly weapons by __aaclcg7560 · 2017-06-23 09:58 · Score: 1

And a /. user threatened to shoot me if I didn't shut up. They also threatened me with legal action, by sueing me in court, if I didn't shut up. Lastly they threatened to report me to the FBI. All because I said things their liberal mind didn't agree with.
Thanks to you I had to create a Python script to scrape my Slashdot comment history, making it very easy to reconstruct the events of the last three months.

I'm not sure why 5 other accounts were banned when it was YOU making death threats to other users.
File a complaint. I did and got results.
Well, duh by JohnFen · 2017-06-23 11:20 · Score: 1

What would be the point?