Fraud Management & Cybercrime , Ransomware
Law Enforcement's Role in Remediating Ransomware Attacks
Different Countries Have Different Levels of Law Enforcement InvolvementIn the early years of ransomware, many victims were reluctant to admit publicly that they had been hit for fear of negative press and customer attrition.
See Also: How to Take the Complexity Out of Cybersecurity
More recently, ransomware victims are increasingly willing to acknowledge an attack. This is likely driven in part by the normalization of ransomware. Our State of Ransomware reports reveal attack rates above 50% for the last three years, and public acknowledgement of an attack by well-known brands is commonplace. Being hit by ransomware is no longer perceived to be shameful.
The increase in mandatory reporting of attacks in many jurisdictions is also likely driving greater disclosure.
Although there has been a general sense that reporting has increased, detailed insights and regional comparisons have been hard to come by - until now. Data from this year's Sophos State of Ransomware survey reveals how reporting levels and official responses vary across 14 countries.
Reporting a Ransomware Attack Is a Win-Win
The nature and availability of official support when dealing with a ransomware attack vary on a country-by-country basis.
Reporting an attack has the following benefits for the victim and the official bodies that support them:
- Immediate remediation support: Governments and other official bodies can often provide expertise and guidance to help victims remediate the attack and minimize impact.
- Policy guidance insights: Protecting businesses from cybercrime, including ransomware, is a major focus for many governments. The more insights officials have into attacks and their impact, the better they can guide policies and initiatives.
- Attacker takedown enablement: Timely sharing of attack details assists global efforts to take down criminal gangs, such as LockBit in February 2024.
With these benefits in mind, the insights from the survey make encouraging reading.
Insight 1: Most Ransomware Attacks Are Reported
Globally, 97% of ransomware victims in the last year reported the attack to law enforcement and/or official bodies. Reporting rates are high across all countries, surveyed with just 10 percentage points between the lowest rate of 90% in Australia and the highest - 100% in Switzerland.
The findings reveal variations by industry. In sectors with high percentages of public sector organizations, almost all attacks are reported.
Insight 2: Law Enforcement Almost Always Assists
For organizations that report the attack, the good news is that law enforcement and/or official bodies almost always get involved. Overall, just 1% of the 2,974 victims surveyed said that they did not receive support despite reporting the attack.
Insight 3: Support for Ransomware Victims Varies by Country
Respondents that reported the attack received support in three main ways:
- Advice on dealing with the attack - 61%
- Help in investigating the attack - 60%
- Help in recovering data encrypted in the attack - 40% of all victims and 58% of those that had data encrypted
The exact nature of law enforcement and/or official body involvement varies according to the organization's location. While more than half of victims received advice on dealing with the attack across all countries surveyed, the highest levels of support in this area were 71% of organizations in India and 69% of organizations in Singapore.
Indian respondents reported the highest level of support in investigating the attack at 70%, followed by South African respondents at 68%. The lowest rate - 51% - was reported in Germany.
Among those that had data encrypted, more than half globally - 58% - received support in recovering their encrypted data. India continues to top the chart, with 71% of those that had data encrypted receiving assistance in recovering it. The countries with the lowest propensity for victims to receive help recovering encrypted data are all in Europe: Switzerland at 45%, France at 49%, Italy at 53% and Germany at 55%.
Insight 4: Engaging With Law Enforcement Is Generally Easy
More than half - 59% - of those that engaged with law enforcement and/or official bodies said the process was easy. Only 10% said the process was very difficult.
Ease of engagement also varies by country. Those in Japan were most likely to find reporting difficult - at 60%, followed by those in Austria at 52%. Japanese respondents also had the highest propensity to find it "very difficult" to report the attack - 23%. Conversely, 75% of respondents in Brazil and 74% in Singapore were most likely to find it easy to engage, while Italian organizations had the highest percentage that found it "very easy" at 32%.
Insight 5: Attacks Are Not Reported for a Number of Reasons
There were several reasons why 3% did not report the attack. The two most common reasons were: concern that reporting it would have a negative impact on their organization, such as fines, charges or extra work, at 27%, and the feeling that there would not be any benefit to them in reporting it, also at 27%. Several respondents said they did not engage official bodies as they could resolve the issue in-house.
Conclusion
The survey findings reveal that reporting ransomware attacks is common, and victims almost always receive support as a result. Hopefully, these findings will encourage any organization that does fall victim in the future to notify its relevant authorities.
About the Survey
The Sophos State of Ransomware 2024 report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA and Asia-Pacific. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne in January and February 2024, and participants were asked to respond based on their experiences over the previous year.