Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report, released yesterday by the FBI’s Internet Crime Complaint Center (IC3).
During 2016, FBI IC3 officials said they received only 2,673 complaints regarding ransomware incidents, which ranked ransomware as the 22nd most reported cyber-crime in the US, having caused just over $2.4 million in damages (ranked 25th).
The numbers are ridiculously small compared to what happens in the real world, where ransomware is one of today's most prevalent cyber-threats, according to multiple reports from cyber-security companies.
The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities.
In last year's IC3 Internet Crime Report, the FBI noted that ransomware incidents doubled from 2014 to 2015. In 2016, the number of ransomware complaints remained the same, despite cyber-security companies reporting an increase in activity.
The discrepancy between FBI and private sector reports is a big issue with authorities since they use these complaints to get an overall view of today's cyber-crime landscape.
This is also why in September 2016, the FBI's IC3 division issued a public statement announcement asking ransomware victims to come forward "to help us gain a more comprehensive view of the current threat and its impact on U.S. victims."
While the FBI has barely seen the needle move on ransomware complaints, it cannot be said the same for the private sector.
US cyber-security giant Symantec also reported a grim statistic, revealing that the number of new ransomware families tripled in 2016.
According to another report from Carbon Black, the number of ransomware infections grew by 50% compared to 2015, and ransomware operators were on track to make nearly $850 million from ransom payments, both numbers well above what the FBI saw from official complaints.
The future also looks bleek, as incident response firm Beazley predicts that ransomware incidents will continue to rise, expecting the numbers to double in 2017.
In recent months, some law enforcement agencies have started apprehending ransomware operators, but the number of arrests is extremely low compared to the threat's real size.
Without complaints from ransomware victims, law enforcement agencies around the globe can't initiate these investigations to catch ransomware operators [1, 2]. Taking into account that a third of ransomware victims are in the US, it's probably a good idea if US companies and individuals start filing a quick report with the FBI before remediating their infection.
Instructions on how someone can file such a complaint are available in the IC3's PSA from September 2016.