The Role of Law Enforcement in Remediating Ransomware Attacks
In many cases in the past, fear of negative press and customer loss kept victims of ransomware attacks from making the attacks they suffered public. The main reason that trend has changed, and that reporting incidents has become more common, is the efficacy of law enforcement assistance in remediating a ransomware attack. Surveys of available data by Sophos have shone a light on the specific ways in which law enforcement has been of use. The Sophos state of ransomware survey shows that 59% of surveyed organizations were hit with ransomware attacks in the last year (down from 66% in 2022 and 2023), but 97% of afflicted organizations engaged with law enforcement due to the attack, up significantly from previous years. Of those organizations, 61% reported receiving advice on dealing with the attack, 60% got help with investigations the attack, and 40% reported receiving help with attack recovery. When asked about ease of engagement, more than half reported that the process of engaging with law enforcement was at least somewhat easy.
The 3% of respondents who did not report their attack to law enforcement gave a variety of reasons for their decision. The most common reasons given were that they believed it would have a negative effect on their organization, such as fines, charges, or extra work, or that they believed there would be no benefit to reporting the attack to law enforcement. Others reported that they were warned by attackers not to engage with law enforcement, or that they did not think law enforcement would be interested in engaging with them.
Incidentally, a very encouraging sign from this survey is that 98% of respondents who experienced data encryption were able to retrieve their data. 68% of those respondents were able to use backups to restore their data, compared to 56% who paid the ransom to restore their data. 47% of respondents reported using more than one method, including backups, payments, or other means, including working with law enforcement or using public decryption keys.