An absurdly small number of companies affected by ransomware reported the incidents to the federal government last year, newly released FBI data shows.
While more than a third of all ransomware infections occurred in the U.S. last year, according to U.S. cybersecurity firm Symantec, the FBI’s Internet Crime Complaint Center (IC3) only “received 2,673 complaints identified as ransomware” in 2016 amounting to “losses of over $2.4 million,” according to a new report.
Current private sector estimates for total ransomware losses in 2016 alone exceeded $100 million, said Vincent Weafer, vice president of McAfee Labs, and that’s “likely on the conservative side.”
“One of the biggest problems with prosecuting ransomware is the recalcitrance of organizations and people in reporting they were hacked,” said John Bambenek, a threat intelligence manager with Fidelis Cybersecurity. “Companies in particular are paranoid to report they have been hit with ransomware.”
The fact that very few victims of ransomware are willing to proactively reach out to U.S. law enforcement is not especially surprising or a new problem for the FBI. But the discrepancy between the FBI’s visibility into this issue and the cybersecurity industry’s understanding of it is noteworthy.
“While [a victim of ransomware] may keep the infection swept under the rug, we don’t have some of the most basic data to investigate and prosecute these crimes which perpetuates the entire system,” said Bambenek, who has worked with the FBI in the past.
Though the bureau’s figures may be low, global ransomware antivirus detections in fact rose by 36 percent year-over-year to approximately 1,270 detections per day in 2016, according to Symantec.
The number of new ransomware families discovered more than tripled, from 30 in 2015 to 101 in 2016.
Growth in the number of ransomware variants helps to underscore just how popular the scheme has recently become. In most cases, ransomware is spread through phishing emails, security experts say.
There may be an explanation for why the FBI’s figures appear to be off.
“Only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement,” an FBI spokesperson said. “This 15 percent figure is just a subset of the victims worldwide.”
The IC3 acts as a central platform for internet users to report cybercrime-related activity to U.S. law enforcement.
The organization’s aforementioned report does not include direct, one-on-one interactions between the FBI and ransomware victims that privately communicated with, for example, an FBI field office — meaning that there are likely other victims, beyond the IC3’s purview, that the bureau knows about.