
FBI IC3 report's ransomware numbers are low, experts say

The FBI's Internet Crime Complaint Center reported a massive increase in financial losses from 2020 ransomware attacks, but infosec experts say the problem is worse than statistics say.

According to newly released FBI data, ransomware continues its dramatic ascent. But some experts believe the problem is much worse than what the statistics indicate.

The FBI's Internet Crime Complaint Center (IC3) released its annual report on Wednesday, providing data on cybercrimes reported to the center in 2020 and breaking down last year's financial losses and victim complaints into regional, financial and demographic statistics.

Ransomware, one of dozens of cybercrimes represented in the report, saw 2,474 incidents reported to IC3 last year alongside a total victim loss of over $29 million. That's up from nearly $9 million and 2,047 incidents in 2019 and $3.6 million and 1,493 incidents in 2018.

As usual, the FBI IC3 report noted the figures for ransomware losses are "artificially low" for several reasons. First, the report doesn't estimate financial impacts from lost business, service downtime, damaged IT assets or any costs associated with third-party response and remediation services. In addition, the FBI noted that victims sometimes do not report loss amounts to the FBI, suggesting a potentially higher loss. And finally, the report only tracks complaints to the IC3 and "does not account for victim direct reporting to FBI field offices/agents."

Chester Wisniewski, principal research scientist at Sophos, told SearchSecurity in an email that the ransomware incident figure from IC3 is "incredibly low" compared to the total ransomware actually happening.

"This number is incredibly low and is consistent with how inconsistent much of the data in this report is. This is only ransomware reported to IC3, not the FBI field offices," he said. "Almost no one in a business of any scale will contact IC3. Instead they would contact their local field office, or as we hear about so often, simply work with their insurance company and incident response partners to try keeping things from getting much attention."

Rapid7 chief data scientist Bob Rudis similarly told SearchSecurity that the ransomware numbers are low compared to the total ransomware out in the wild.

"It is definitely an undercount based on reporting from cyberinsurance companies and those who track digital currency payments to known coin addresses. I would be and have been comfortable using 'small fraction' in anything I personally wrote when discussing this topic. It's very hard to get good numbers because many organizations choose to pay the ransom and never disclose the incident," Rudis said.

Emsisoft threat analyst Brett Callow made a similar point, adding that Emsisoft's own data points to more than 10 times as many ransomware incidents in the U.S. in 2019 as were reported to IC3 that year.

"Ransomware incidents are undoubtedly underreported, as is cybercrime in general. In fact, IC3's 2016 Internet Crime Report stated that only 15% of crimes are reported. That may also be an underestimate," Callow said. "Our data indicates that there were at least 24,770 ransomware incidents in the U.S. in 2019, which is significantly more than the number of cases reported to law enforcement but still understates the real extent of the problem. Additionally, we estimated the cost of those incidents at just under $10 billion and, again, that too is undoubtedly an underestimate."

Rick Holland, CISO and vice president of strategy at Digital Shadows, pointed to the recent indictment for the Netwalker ransomware attacks.

"Look at January's Netwalker ransomware indictment. A single ransomware affiliate made over $27.6 million from his extortion activities. That is almost as much as the $29.1 million from the 2,474 complaints in the report," he said.

He added that there are multiple reasons why IC3's numbers are low.

"First, there is a lack of awareness; many organizations don't know how and when to work with law enforcement agencies like the FBI in general, and then when it comes to working with the IC3, there is even less awareness. The FBI does have Corporate Outreach agents and the InfraGard to help raise awareness in this area," Holland said. "The other reason is that many organizations remain hesitant to work with law enforcement. There isn't a national breach notification requirement that would compel disclosure, so volunteering information about an intrusion is less likely. Businesses are concerned about brand damage, regulatory oversight and civil legal actions, so many only engage when they have no other options."

Big losses from BEC attacks

Business email compromise (BEC) saw 19,369 IC3 complaints with over $1.8 billion in losses, making it the costliest cybercrime (ransomware was ranked #20). IC3's 2019 report had 23,775 complaints with a loss of over $1.7 billion, and in 2018, a nearly $1.3 billion loss from 20,373 complaints.

"In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency. In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account," the report read.

Asked how ransomware's $29 million in reported losses compares with BEC's $1.8 billion in the report, Rudis said that while ransomware may be underreported to authorities, BEC may still be the costlier threat.

"Ransomware is absolutely underreported to authorities but even if one were to add in some of the costs that were in the caveats in the report, I suspect BEC would still be the top threat. Ransomware might move into the top five to seven if we had better reporting and also included the caveated missing losses," he said.

Wisniewski said the report is challenging to interpret due to narrow data and inconsistencies.

"It is a difficult report to interpret. It is a subset of a subset of data that also somehow includes some international reports, but is not combined with other FBI or state and local law enforcement data. It also does not appear to be consistent with itself year over year, making comparisons hard. The interpreted results offer the most insights, especially on [business email compromise] and fraud against elders," he said.

Older people led the pack in reported IC3 victims. There were 105,301 victims over 60 reported, with a total loss of just over $966 million. The next age range, 50-59, saw 85,967 victims and a loss of nearly $848 million.

The FBI did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
