As ransomware infections have spread through enterprise networks and infected millions of consumer devices, security experts and law enforcement officials have continued to search for answers. Now, the FBI is asking for victims who have been infected to come forward and detail their issues as a way for the agency to get a better understanding of the threat and its scope.
Ransomware began as a consumer problem, with most victims being infected through phishing messages or drive-by downloads. The volume and variety of ransomware strains have expanded quickly in the last couple of years, with some attacks specifically targeting enterprises now. The SamSam ransomware, for example, has claimed some high-profile corporate victims and has the ability to spread on its own once inside a network.
The FBI has been warning consumers and businesses about ransomware infections frequently of late, and the bureau now is appealing to victims to report their infections to help both the FBI and other victims.
“The FBI is urging victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims,” the FBI’s Internet Crime Complaint Center said in an alert Thursday.
Ransomware victims often are reluctant to disclose the infections, especially for corporate compromises. Many businesses have regulatory and legal issues they have to consider with security incidents, and consumers may not know where to go if they’re infected. FBI officials and security experts have said for years that victims should not pay the ransom if they’re infected, which often is easier said than done, especially for individual victims who may not have good backups. But the FBI warns that even if you do pay the ransom, you may not get what you’ve paid for.
“All ransomware variants pose a threat to individual users and businesses. Recent variants have targeted and compromised vulnerable business servers (rather than individual users) to identify and target hosts, thereby multiplying the number of potential infected servers and devices on a network,” the IC3 alert says.
“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected. Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”
The IC3 site has a form through which victims can report infections.