How to report ransomware attacks: Steps to take

Should companies report ransomware to law enforcement agencies?

The answer is undeniably yes.

Law enforcement agencies across the globe suggest and sometimes require organizations to report ransomware. This helps governments track attackers, understand the threat landscape and even disrupt ransomware groups' operations.

Government agencies also often offer assistance to organizations currently suffering from a ransomware attack, as well as assist with post-attack remediation efforts.

Certain organizations in the U.S. will soon be required to report ransomware attacks to the authorities. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 -- expected to go into effect in 2026 after the Cybersecurity and Infrastructure Security Agency publishes its final rule in 2025 -- will require critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransom payments within 24 hours.

In September 2023, the Securities and Exchange Commission started requiring public organizations to disclose incidents within four days after an attack is deemed material. In January 2024, the Federal Communications Commission updated data breach reporting laws to require telecommunications carriers notify customers and federal law enforcement in the event of a breach.

Note that all states also have state-specific data breach disclosure laws, which could be applicable to ransomware if personally identifiable information is involved.

In some instances, a company might have to notify a federal agency before it receives payments from its cyber insurance provider, though not all insurers or policies require this.

When to report ransomware

Organizations should notify their respective law enforcement agency immediately upon determining they have suffered a ransomware attack. Companies are encouraged to report attacks even if they pay the ransom and even if the company stopped the attack before a successful data breach occurred.

If a company in the U.S. discovers a ransomware attack is currently underway, it can request assistance from the FBI or CISA to mitigate the attack.

While organizations can willingly report ransomware attacks to law enforcement agencies, the same can't be said about publicly revealing them. Due to the absence of any national U.S. ransomware attack notification law, some organizations pay with no one knowing. These companies' larger worry might be that the attack could hurt public perception or be used against them in competitors' marketing.

How to report ransomware attacks

Ransomware reporting varies by country. Organizations in the U.S., for example, can report an attack to the FBI, CISA the Secret Service or their local law enforcement -- though U.S. companies only need to report to one agency. Victims in the EU, Australia and Singapore have one reporting option.

How to report a ransomware attack to the FBI

To report a ransomware attack to the FBI, file a complaint with the Internet Crime Complaint Center. Organizations can also contact their local FBI field office. Expect to provide the following information:

• The date of the ransomware attack.
• How the infection occurred.
• Ransom amount demanded.
• Ransom amount paid, if any.
• The ransomware variant.
• The ransomware's file extension.
• Cryptocurrency type and address.
• Information about the company, such as industry, size, etc.
• Victim impact statement.
• Losses incurred due to the ransomware attack.

How to report a ransomware attack to CISA

To report ransomware to CISA, visit its services website. CISA has the following specific ransomware reporting requirements:

• Identify the current level of impact on agency functions or services.
• Identify the type of information lost, compromised or corrupted.
• Estimate the scope of time and resources needed to recover from the incident.
• Identify when the activity was first detected.
• Identify the number of systems, records and users impacted.
• Identify the network location of the observed activity.
• Identify point of contact information for additional follow-up.

CISA requires all submissions include the above information and also requests organizations provide the attack vector, indications of compromise and subsequent mitigation efforts, if known and applicable.

How to report a ransomware attack in the EU

Member states should visit the European Union Agency for Law Enforcement Cooperation website and select their country's reporting website or email. If a country doesn't have a website for cybercrime, companies should report ransomware to their local police station.

How to report a ransomware attack in Canada

Canadian companies that suffer a ransomware attack should contact their local law enforcement, the Canadian Anti-Fraud Centre and the Canadian Centre for Cyber Security.

How to report a ransomware attack in Australia

Australian companies should report a ransomware attack and request assistance for an ongoing attack from the Australian Cyber Security Centre website.

How to report a ransomware attack in Singapore

Organizations located in Singapore should make an online police report. Once filed, the Singapore Cyber Emergency Response Team under the Cyber Security Agency of Singapore will be notified.

If the ransomware attack results in a data breach, Singaporean companies should notify the Personal Data Protection Commission.

Reporting ransomware is only the first step

Once an organization has reported a ransomware attack and recovered, its focus needs to turn toward ransomware prevention. Companies should implement regular security monitoring, put business continuity plans and ransomware incident response plans in place, and have a team ready to execute on those plans.

Tips for enterprise ransomware prevention include the following:

• Use strong email protections and controls.
• Require MFA.
• Follow the principle of least privilege.
• Implement role-based access control.
• Create a ransomware-specific security awareness program.

Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.