Tim Manley didn’t even know who to call.
As the president of National Ink and Stitch, Manley had to figure out how to recover files that hackers had encrypted as part of a ransomware attack on the small screen-printing business. Malicious software called only “LockedIn” struck the Maryland company’s systems on Dec. 2, 2016, scrambling 16 years’ worth of the company’s intellectual property, like proprietary logos and designs.
So Manley paid the two bitcoin that extortionists had demanded to free his files. It totaled about $1,500. Instead of letting National Ink and Stitch get back to work, though, the hackers asked for more money. That’s when the company president filed a report with the local police department and spent $110,000 on an IT contractor that, to this day, hasn’t recovered all the locked files.
At the time, federal law enforcement wasn’t even on Manley’s list of potential allies. He didn’t alert the FBI to the breach until the IT contractor suggested it.
“I just wouldn’t even have thought to call the FBI,” he said during a recent interview. “It wasn’t at the front of my mind. I was just searching Google for a decrypter, and thinking about how to remedy this.”
More than three years after National Ink and Stitch was hit, it seems that many businesses throughout the U.S. are taking the same approach.
The FBI’s Internet Crime Complaint Center received 2,047 ransomware complaints from U.S. victims in 2019, resulting in adjusted losses of roughly $8.9 million. The most recent figures represent an uptick in reported attacks — 1,493 victims told the FBI about $3.6 million in losses in 2018 — yet still fail to account for the exponential growth in the number of incidents. Beazley, the London-based insurance firm, said last week that its clients reported 131% more ransomware attacks in 2019 than in 2018.
“There’s a percentage of ransomware attacks that go unreported, just generally, because there’s no legal federal requirement to report them,” said Katherine Keefe, global head of Beazley’s Breach Response Services. “There’s a lot more of this going on than the public is aware.”
Over the past year, the FBI has taken steps to change that.
Bureau officials have met with insurance firms in at least two small, informal meetings in New York City to discuss how law enforcement and insurers might collaborate to accelerate efforts to stop ransomware, according to three industry executives. The FBI also hosted a larger ransomware summit in September, when corporate executives were invited to “fill some of the gaps in the intel,” as Herb Stapleton, section chief in the FBI’s cyber division, described it.
The smaller meetings in New York have typically included around 10 insurance industry representatives and five bureau officials, according to one executive who attended the sessions. Conversations have focused on how insurers can help a hacked client restore normal business functionality, and perhaps provide the bureau with anonymized information that would help ransomware investigations.
“In the cyber division we have units specifically dedicated to private sector outreach…including the cyberinsurance industry,” Stapleton said last week. “It’s not a regularly scheduled engagement. One of the real opportunities for real cooperation, and the betterment of society against this threat, is for the FBI to provide cyberinsurers with some of the technological processes that we think would help combat the problem.”
Officials also have provided insurers with guidance on how to fend off emerging attack techniques, such as which software to update, and tried to assuage concerns that agents would try to prosecute insurance clients who elect to pay ransoms, according to one executive who attended the meetings.
“For a long time, there weren’t open lines of communication,” the executive said. “When I talk to victims of ransomware they’re concerned that they’re solving one problem only to create another by paying, and then going to jail themselves. But I do think it’s got to a point where it’s been productive.”
If victims aren’t reporting ransomware attacks to the FBI, then insurers might be the next best source of information. The industry’s longtime reliance on risk mitigation has informed firms’ approach to ransomware claims.
While techniques vary, insurers typically know the frequency of ransomware events, which businesses are most likely to be hacked, the size of the extortion demands and whether a specific gang is likely to negotiate. They also possess information on cryptocurrency wallets where scammers demand fees to be sent, and retain threat intelligence firms that track hackers’ histories.
“None of this was a thing years ago but as these crimes have popped up we’ve pushed the message to our policyholders that ‘We offer services to help you with this,’” said Beazley’s Katherine Keefe, who was not present at the meetings. “During that conversation, there will invariably be a conversation with a client about whether to report this to the FBI. We encourage that, but it’s not our call.”
Yet FBI agents may know more than the Internet Crime Complaint Center numbers would seem to indicate. Coveware, an incident response firm that insurers use to track ransomware groups, provides the bureau and other police organizations with quarterly reports of anonymized and aggregated data from its own negotiations with ransomware groups. The company uses its own software, and organizes relevant information in a database populated with data, like the time each negotiation takes.
Bill Siegel, Coveware’s CEO, says the goal is to help understaffed law enforcement agencies have a better idea of how hackers actually are going about their work.
“They’re looking to arrest people,” he said. “There isn’t a week that goes by when we don’t field requests from the FBI and [the Department of Homeland Security] and international law enforcement. It’s the right thing to do.”
Face-to-face meetings also serve another, less obvious purpose, Siegel said. It’s an opportunity for agents and industry practitioners to share information that might be too sensitive to discuss via email. In some cases, FBI agents and the contractors that work with insurers discuss the latest decryption tools.
“We know of a [ransomware] variant that the FBI can crack right now, and there’s other where a specialized security firm can [decrypt] it,” Siegel said. “So we know of a company that gets hit, sometimes it’s easier to go offline and talk about it[.]”
For National Ink and Stitch, though, the cooperation didn’t come soon enough. More than three years after Tim Manley used the FBI’s website to report the ransomware attack, he says hasn’t heard back from the bureau.
Meanwhile, the IT contractor Manley hired is still going through the encrypted files in an attempt to restore access to proprietary information. And in January, a Maryland federal judge had to force the company’s insurance firm to cover the costs of the attack after years of expensive litigation. (Court filings show that Manley’s company had sought $310,000 in damages. He declined to discuss the case.)
“We’re just a small business, and this still affects us to this day,” he said.
Asked if it was reassuring that the FBI might be able to respond to more attacks after working with the insurance industry, he added, “Not really…I’m pretty sure they will be overwhelmed and people like me won’t ever hear from them.”