How to Report Ransomware
May 5, 2020 By Jack Vines
Ransomware was responsible for more than $7.5 billion in damages in the United States in 2019 alone. Attacks are so common, hackers attack a business or an individual online every 39 seconds, over 2,000 times per day. It’s likely someone in your organization will fall victim to a common ransomware attack method. What happens when your network is infected? This article discusses how to report ransomware.
But first, if you haven’t already, catch up on the rest of the series:
If you’ve been infected with ransomware, it’s important to first understand what actions to take and in what order.
Your employees are the first line of defense in preventing ransomware. Before any malware is detected, they should be properly trained in what to look for in a ransomware attack, specifically, phishing emails and fake websites.
As part of your security defense plan, include examples of ransomware and occasional testing of cybersecurity best practices. Many IT teams will create a sample phishing email and send it to their organization to see who can spot the attack and who may fall for a deceptive email in the future.
It’s also important to include any vendors or partners in your security defense plan. Ensure that they are properly trained so they don’t add any additional risk to your network. If you need help, enlist the help of an established security training business like Digital Defense, Inc. or KnowBe4.
For more information about how to prevent ransomware attacks and training methods you should include for your organization, read here.
What happens when your organization has implemented all necessary prevention methods, trained employees on how to spot an attack email or a fake website, and then an incident occurs? What is your incident response plan?
Only 16% of organizations have a cybersecurity task force and only 4% are developing an incident response plan. Source.
It’s time to create your incident response plan and include it as part of your employee training.
How to Report Ransomware Internally
1 - Detect the ransomware attack. This could be in the form of a phishing email or an accidental click on a pop-up ad or even a visit to a fake website where a drive-by downloading has occurred.
2 - After the employee recognizes the incident, it’s important that they stop what they are doing and report the ransomware to both their boss and the IT department. Make it clear how the employee should report the ransomware--likely using another device that isn’t compromised--logging the event in a ticketing system or escalating the report via a chat communication platform or even picking up the phone to call in the incident.
3 - Require the employee to record all information regarding the incident--date and time it occured, website or email that triggered the event, and any messages that appeared demanding the ransom.
4 - If it’s your internal policy to disconnect from the network, ensure the employee removes the infected device from your network and the IT team can then start their diagnostic test of how far the ransomware has spread. To learn about how ransomware spreads, read here.
All internal ransomware needs to be reported internally so your IT department can isolate the attack, protect the rest of the network, and work with your legal and finance department on how best to proceed with the ransomware demand. For more information about what to do in the case of a ransomware attack, read here.
How to Report Ransomware Externally
Depending on your specific industry, the type of files that have been stolen, encrypted, or held for ransom, who will be infected because of the attack, and the repercussions for the business, you may need to report the ransomware attack externally.
Here are a few questions to ask after a ransomware attack:
- What specific files were encrypted?
- Was any customer information stolen? If so, what specifically has been compromised?
- How did the ransomware attack occur? Have you isolated the infected areas of the network or specific devices?
- What damage control will need to be done because of the attack?
- What will be the restitution cost for credit monitoring services provided to your customers?
- Were any vendors or partners compromised?
- What will be the cost of incident communications to vendors or partners?
- Will there be any fines associated with the loss of specific data in the attack?
Your answers may help you determine who you need to report the ransomware attack to--outside of your organization. If customer data is compromised, you will need to notify your customers. If vendors or partners are compromised, you will need to notify each specific party.
If you choose to report your ransomware to the authorities, you can alert the cyber law enforcement authorities in your area. In the United States, the FBI has requested that ransomware attacks be reported. You can file a complaint online here or contact your local FBI office. Likely, you’ll be asked to report on the following information about the attack:
- Date of attack
- Company information
- Data compromised
- How the attack occurred
- Ransom requested and in what format (including address if Bitcoin is used)
- Ransom paid, if paid
- Total losses incurred from the attack
State laws also dictate what you may or may not need to report externally. Be sure to check with your local state laws and include that in your incident plan in case of an attack.
In all scenarios, it’s best if your IT, finance, and legal team work together to find the right solution.
If you’re looking for a way to protect yourself against a ransomware attack, consider cybersecurity insurance. Check out our post about the right way to get coverage and making sure that coverage includes ransomware. Check it out here.