Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com) 87
Catalin Cimpanu, writing for BleepingComputer: Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report (PDF), released yesterday by the FBI's Internet Crime Complaint Center (IC3). During 2016, FBI IC3 officials said they received only 2,673 complaints regarding ransomware incidents, which ranked ransomware as the 22nd most reported cyber-crime in the US, having caused just over $2.4 million in damages (ranked 25th). The numbers are ridiculously small compared to what happens in the real world, where ransomware is one of today's most prevalent cyber-threats, according to multiple reports from cyber-security companies.
Big surprise: (Score:1)
Companies don't want outsiders to know that they have incompetent IT folk working for them. Or... they don't want people to know that they can't afford (or have chosen not) to upgrade their equipment and software. Or... they don't want people to know that management is incompetent.
Re: (Score:2)
We TOLD you encryption was a problem!"
Re: (Score:1)
If you bought Bitcoin at $0.10 per BTC, you'd look at a "Please pay us $300 in Bitcoins" and laugh as you proceed to give them what costed you less than 1 cent years ago.
I think the real lesson here is: buy Bitcoin now, laugh at everyone in a few years.
Re: (Score:3)
It is immaterial what they cost originally. It is pretty evident you have no understanding of wealth and money. Most rich people became rich and / or stay rich because they don't look at it the way you claim you do.
Re:Big surprise: (Score:5, Insightful)
Or they know that government agencies will provide zero help in solving their problem.
Re: (Score:2)
Re: (Score:1)
In my experience, less than zero: they will be an active hindrance.
Which would you rather do, just restore from backup, install whatever patches you missed, and send everyone to training, or lock down all your computers until the FBI can get around to copying them for evidence in a few weeks?
The FBI's problem is that every knows that getting them involved not only wouldn't help, it would make things worse.
Re: Big surprise: (Score:2)
Re: (Score:3)
Companies don't want outsiders to know that they have incompetent users working for them...
FTFY, since it's no secret who is responsible for infections 99.99% of the time.
Re: (Score:1)
In particular, they don't want outsiders to know they're so incompetent they don't even have backups.
Seriously, you don't need good security to thwart ransomware. Just restore from backup! Plain old backup that has been around long before we connected stuff to the internet. Back then, it protected us from disk & server failures. And knuckleheads with too much privilege deleting files.
Good security is to secure uptime & thwart spies. That is an arms race. Foiling ransomware is too easy.
Re: (Score:1)
and they know there is fuck-all that the FBI can do about it.
The FBI won't be able to decrypt the computers and will want them for evidence, making it more time consuming and expensive to get back to work.
It's like walking around a corner and being sucker-punched by someone, and while you are on the ground, you see a cop out of the corner of your eye, you call out "Can you give me a hand up.", and the cop steps on your hand and replies "Not yet, I'm busy collecting evidence."
Re: (Score:2)
Of course they aren't (Score:3)
Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time.
Re: (Score:1)
"Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time."
Patently false. The fully appropriate "whata moron" shrug of the LEO eyebrows should be more than enough to dissuade repeat events.
Re: (Score:2)
Re:Of course they aren't (Score:4, Interesting)
How likely is it that they will catch the people who did it? And if they do, how likely is that to reduce the chances of someone else doing the same thing?
If someone steals your car, you contact the cops because it's possible you'll get your car back. Even if not, it's sort of possible they'll find the car thief, because the city is only so big. But finding who put ransomware on your computer among billions of people all over the world?
Again, there's nothing in it for the victim.
Re: (Score:3)
Re: (Score:3)
Law enforcement isn't going to do anything to help you about ransomware hitting your computer. For the victim, it's a waste of time.
Ever consider the possibility that the cybercrime division actually could help by guiding an unknowing victim to available solutions to recover data instead of them blindly assuming all is lost and prematurely formatting hard drives?
Let's not act like ransomware key recovery is some mythical event that's never happened before, or assume that every victim is aware of its existence.
Re: (Score:1)
I did consider it for a moment, and then I laughed my ass off.
Re:Of course they aren't (Score:4, Interesting)
Ever consider the possibility that the cybercrime division actually could help
No. I was actually involved in a criminal case involving the FBI's cybercrime unit, and I would not even consider the possibility that they could figure out how to turn a computer on. I never met a group of more clueless people. The guy leading the investigation had been a history major in college, and had made no effort whatsoever to learn anything about technology. His subordinates were even dumber.
Disclaimer: I was not the target of the investigation. The FBI contacted me because I had previously won a civil suit against the perp, and knew a lot about his business practices.
Re: (Score:2)
Re: (Score:2)
Oh, they might've paid a lost less than a million dollars for it.
From April, 2016:
At a conference on global security in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.
“A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.
He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.” ...
The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term.
F.B.I. Director Suggests Bill for iPhone Hacking Topped $1.3 Million [nytimes.com]
So, the new lower bound for the cost of the hack now that we've actually measured how much time Comey really had left is about $170,000.
Re: (Score:1)
Field agents for most places are like that. The actual technical people aren't called in unless absolutely necessary. A non-profit group I'm involved with was a victim of cybercrime where they managed to spearphish an officer to wire money to someone 1000 miles away. The recipient then used the information from the wire transfer to social engineer the bank and empty the account. Half a million gone in less than a day. It literally took them months to get the necessary warrants on the recipients account
Re: (Score:2)
My employer contacted the FBI for a security incident in 2009-ish. We were told that they don't consider matters with damages less than $10,000. Is that still the case?
Re: (Score:2)
99% of the time, it's outside their jurisdiction anyway. How many domestic ransomware attacks have there been compared to China/Russia/Ukraine?
Re: (Score:2)
Seriously if you reported every con phone call, phishing attempt, ebay check cashing scam, malware site, or fraudulent snail mail how much of a time suck would that be? We're drowning in criminal activity these days... no surprise people just blow it off. (And now the role-model-in-chief is a fraudster so it's just going to get worse.)
I only report the ones that piss me off when I'm in a bad mood. (Actually I have a good coincidental record of seeing the government take the rare action right after I file
Why would anyone report to the FBI? (Score:1)
Re: (Score:2)
I filed a complaint a few days ago because some asshat tried to be cute with a dick pic of two men who bear a remarkable resembelance to me having sex. The dick pic by itself was nothing. Putting my name and URL was something else.
https://www.ic3.gov/ [ic3.gov]
Re: (Score:2)
Unless you paid money for a copy of the pics, you reported it to the wrong place. At best this is a civil issue, not criminal.
Re: (Score:2)
Unless you paid money for a copy of the pics, you reported it to the wrong place. At best this is a civil issue, not criminal.
This isn't just about the dick pic. It's three months of harassment on Slashdot that resulted in five user accounts being deleted and over two dozen DMCA takedown notices to remove my photo from image websites around the world.
Re: (Score:2)
None of that is their jurisdiction either.
Re: (Score:2)
None of that is their jurisdiction either.
Harassment across state lines, Russian websites, foreign nationals. The only thing lacking is someone named Trump.
Re: (Score:2)
And a /. user threatened to shoot me if I didn't shut up. They also threatened me with legal action, by sueing me in court, if I didn't shut up. Lastly they threatened to report me to the FBI. All because I said things their liberal mind didn't agree with.
Thanks to you I had to create a Python script to scrape my Slashdot comment history, making it very easy to reconstruct the events of the last three months.
I'm not sure why 5 other accounts were banned when it was YOU making death threats to other users.
File a complaint. I did and got results.
Re: (Score:2)
Yes, it was "something else." The real question is, what "something else" was it? It was certainly not a breach of the law.
Might be repeated violations of TOS at different websites under the computer fraud act.
Re: (Score:2)
Numerous courts have ruled that to breach a website's terms of service is not a criminal act. It is a contract violation, therefore a civil matter.
Re: (Score:2)
It's not like they are particularly trusted or trustworthy. And I've never even heard of the "Internet Crime Complaint Center" and that likely goes for most people. The average person would only contact the FBI if they expected that the FBI would have some chance of doing something about the bad guys, and I just don't see that happening.
Yep. I ran into a bit of scamware that would of used flash against me if not for many things (NX not enabled, Not being a 64bit system, and on).
Searching the number to of been called one finds many who complied with the scam top the list while scammers themselves follow. Google 1-844-667-1499 some reported it some didn't from their post and even then it was to the FTC or FCC.
Re: (Score:2)
And no I myself didn't report it, submitted it to /. who didn't deem it worthy... Trax3001bbs hands in pocket, looks at ground and slowly kicks at the dirt.
Re: Why would anyone report to the FBI? (Score:2)
Maybe they have editorial standards? Of !== have, which you did twice in your parent post.
Wait, no... They don't have standards. It is obviously personal, and they don't like you.
Re: (Score:2)
Maybe they have editorial standards? Of !== have, which you did twice in your parent post.
Don't get me wrong it was a badly written piece and not complete, better off being posted to my journal.
Re: (Score:2)
Oh, I was just giving you shit for "of." Would have... Could have... etc...
Is there a reason to bother? (Score:1)
Re: (Score:2)
This. Ransomware executed on a desktop at my office while I was on vacation last year. It encrypted many files on the local HDD and a large fraction of the file shares. The source was soon found, cleaned up, and the affected files were restored from backups. What's worth reporting?
Why bother? (Score:1)
Most companies don't report ransomware attacks to the FBI because most companies consider it a waste of time. Everyone knows that if you get hit by ransomware, there's only three possible outcomes:
1. You consider the encrypted data lost, and move on without it, or roll back to your freshest, unencrypted backup.
2. You pay the ransom and hope to get the data back.
3. You get lucky and the ransomware that hit you is one that's already been broken and you're able to recover the data yourself.
There's nothing the
What should I report? (Score:4, Insightful)
I get on the order of 50,000 attack probes every day. Should I be cataloging and report each one to the FBI?
What makes a ransomware attack a special snowflake attack that needs reporting compared to spyware or bot install attempts?
Re: (Score:2)
Actually, yes: there should absolutely be a public API that people can use to report automated attack probes to the FBI.
That sounds so open to abuse that malware writers everywhere are just salivating thinking about it.
Goddamit ... (Score:2)
... when we say, "Don't go to the police [variety.com]," we mean it.
Soon after, another email from the Dark Overlord arrived at Larson. “They said they felt they owed us an explanation as to why they had done it,” said Jill Larson. In the email, the hackers argued that Larson Studios had broken the terms of the agreement by talking to the FBI. “So they decided to punish us.”
No shit... (Score:2)
Last I checked, FBI said to just pay the ransom.
Why bother even reporting it.
When dealing with ransomware myself, I do check the FBI for decryption-keys before I start restoring from backups, but reporting?
Soon as I'm on the payroll, Hoover.
$ransom bad publicity ? (Score:4, Interesting)
If you file a report, is the FBI under any obligation to keep it confidential? I wouldn't trust them to stay quiet even if that was their official policy. Those guys who leaked the "Orange is the New Black" episodes somehow learned that the studio had called the FBI, after being warned not to, and punished them for doing it, even though they paid the ransom.
I read one paper by a security expert and he said that big banks in Europe and N. America have been doing this for years. Eat the losses from computer crime as a cost of doing business rather than risk damage to their reputation by reporting that someone had broken into their customer's accounts.
I'm sure a lot of other companies would rather pay up than endure the bad publicity which would come from word getting out that "Company X was hacked".
Why would I convict myself? (Score:3)
Re: (Score:2)
That's about like the oil companies arguing that they had to pay bribes to Nigerian officials because that was the only way to get things done. Now, the authorities are catching up with them, and the companies are paying a big price. Refusing to report ransomware to authorities because of fear of getting busted for paying ransoms...is short-sighted.
Re: (Score:2)
Well, duh (Score:2)
What would be the point?