Imagine the following: After being hit by the WannaCry malware, Anywhere Utility Co activates its cyber security response protocol. This starts with convening the utility's top IT experts to try to retrieve their locked data. Calls from annoyed customers are piling up as billing systems are down. Pretty quickly, the investor-owned utility moves on to its Plan B -- bringing in an experienced consulting firm which advertises high success rates in reversing encryption. Hundreds of thousands of dollars later, the utility's computers are completely wiped. Administrative systems remain down across the utility, preventing customers from paying their bills and causing power to be cut off for some users as the lengthy process of installing backup systems commences.
This scenario is becoming increasingly common - with one nuance. Most companies - public and private - would need to decide almost immediately whether or not to contact the FBI. Even when entire systems are compromised, the answer to this question is not always yes. The decision to contact the FBI can depend on the available expertise inside the utility, the availability of funding for private consulting advice, or perhaps concerns about the company's reputation if word gets out that it has been attacked. There is also some uncertainty about what the FBI is likely to do when they arrive.
Indeed, we have heard infrastructure managers express contrary assumptions about what the FBI will and won't do. One view is that the FBI will take a firm stand against paying ransom - regardless of how much is demanded or what costs the attack has already caused. According to one media outlet, Security Ledger, the "FBI's Advice on Ransomware? Just Pay the Ransom." This headline was derived from a conference at which FBI Special Agent Joseph Bonavolonta was quoted as saying, "The ransomware is that good. To be honest, we often advise people just to pay the ransom."1 From a Business Insider article covering the same event: "If a hacker hijacks your computer with malware and holds your data for ransom, it's probably best to just pay up, at least that's the latest advice the FBI is giving out concerning ransomware."2
A Forbes headline suggests: "When Attacked by Ransomware, The FBI Says You Shouldn't Pay Up," which tracks with what the FBI's Will Bales is quoted as saying: "People have to remember that ransomware does not affect just one person or one business. It will more than likely move on and affect somebody else. And for those who pay the ransom, it only encourages them to extort the next person."
Another concern is whether the FBI will immediately take over a company's machines if they have been attacked. Companies are scared of losing control over what happens next. To find out more about the FBI's policies and practices, our team will dig into the statements available from the FBI's Internet Crime Complaint Center (IC3) site and sit down with key officials in the agency's Cyber Crime Division. We want to hear for ourselves how the FBI operates when it is called in during or after a malware attack and will report back in Part II of this blog entry.
1. Laszka, Aron. "On the Economics of Ransomware." July 2017.