What is the Real Role and Advice from the FBI for Combating Ransomware? - Part Two

April 2, 2018


FBI Federal Bureau of Investigation

We had the opportunity to meet with agents from the Cyber Crime Division of the FBI to get a first-hand account of the FBI’s perspective on ransomware as well as their role in helping organizations. Our conversations, as well as what is reported on IC3 indicate that “the FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. On the other hand, while the FBI does not support paying ransom, it recognizes that executives, when faced with inoperability issues, will evaluate all their options to protect their shareholders, employees, and customers.”3 Additionally, according to our contacts within the agency, the FBI would never ‘take over’ a company’s computers or demand full control of a company’s machines. They would request answers to a series of questions as part of a standard information-gathering process they go through in deciding whether to elevate the incident to the DOJ/USAO for a determination on whether the attack is prosecutable. 

Specific information requested of the organization under attack would include: 

• Who is the POC at the company with access to the evidence and investigative products?

•Can the company grant access to network SMEs with knowledge of attack vector (schematic/architecture)?

• What was the timeline of events to investigate (i.e. a list of affected systems and when and how the system was identified as being compromised)?

• What evidence has been collected? 

• Which files are of interest (malware/ransomware affected – i.e. a list of accessed and/or stolen data? 

• What does the victim know about the attacker’s activity?

• Who were the victims and through which venues were they exploited? (Generally, access to individuals who have engaged with ransom message)

• What was the exact ransom message and any metadata associated with it?

• What is the company’s assessment of the financial impact: i.e. the impact of the ransomware now, what will it be if ransom is not met? Are all losses financial (money, physical, reputation)?

• Was there or will there be “exposure” of sensitive data?  Is there evidence data was “accessed”?  Is there evidence data was “stolen”?

The FBI stresses that victim reports are integral to providing law enforcement with a better understanding of the various future threats that are possible. And, these same reports can make it easier to predict what might happen or make prevention possible. Perhaps a clearer understanding of the information the FBI will be seeking will encourage infrastructure managers to meet with the FBI ahead of time. At the very least, infrastructure managers should be aware of who they should contact for help if there is an attack (N.B. this differs for public versus private organizations). They should also develop a relationship with the FBI prior to being attacked and get assurances regarding misplaced ‘takeover’ concerns or other worries

3 https://www.ic3.gov/media/2016/160915.aspx