On October 2, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) on ransomware attacks that expands on, and in important respects diverges from, its longstanding guidance to victims of ransomware attacks. Since 2016, the FBI’s public guidance on ransomware attacks has been that it
does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
The 2016 guidance also asked victims to contact their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at http://www.IC3.gov, providing certain ransomware infection details, and urged victims “to report ransomware incidents regardless of the outcome.”
The new PSA now states that the FBI “does not advocate paying a ransom” (rather than “does not support”), for the reasons stated above, and that “[r]egardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” (Emphasis supplied) The new language, without disavowing or replacing the 2016 guidance, subtly signals to ransomware victims that the FBI will not treat ransomware victims’ complaints less seriously if they choose to pay and then report to the FBI.
The new guidance is less clear on when the FBI would like victims to report (e.g., before or after they pay a ransom). Because it mentions in passing that reporting to law enforcement “provides investigators with the critical information they need to track ransomware attackers” (emphasis supplied), it should be construed to mean that the FBI would prefer victims to report before any payment. So long as the FBI can encourage more victims to do so, it improves the chances of its successfully investigating and apprehending the cyberextortionists responsible.