The Role of Law Enforcement in Remediating Ransomware Attacks

May 20, 2024

In many cases in the past, fear of negative press and customer loss kept victims of ransomware attacks from making the attacks they suffered public. The main reason that trend has changed, and that reporting incidents has become more common, is the efficacy of law enforcement assistance in remediating a ransomware attack. Surveys of available data by Sophos have shone a light on the specific ways in which law enforcement has been of use. The Sophos state of ransomware survey shows that 59% of surveyed organizations were hit with ransomware attacks in the last year (down from 66% in 2022 and 2023), but 97% of afflicted organizations engaged with law enforcement due to the attack, up significantly from previous years. Of those organizations, 61% reported receiving advice on dealing with the attack, 60% got help with investigations the attack, and 40% reported receiving help with attack recovery. When asked about ease of engagement, more than half reported that the process of engaging with law enforcement was at least somewhat easy.

The 3% of respondents who did not report their attack to law enforcement gave a variety of reasons for their decision. The most common reasons given were that they believed it would have a negative effect on their organization, such as fines, charges, or extra work, or that they believed there would be no benefit to reporting the attack to law enforcement. Others reported that they were warned by attackers not to engage with law enforcement, or that they did not think law enforcement would be interested in engaging with them.

Incidentally, a very encouraging sign from this survey is that 98% of respondents who experienced data encryption were able to retrieve their data. 68% of those respondents were able to use backups to restore their data, compared to 56% who paid the ransom to restore their data. 47% of respondents reported using more than one method, including backups, payments, or other means, including working with law enforcement or using public decryption keys.

More from Blackwired

May 14, 2025

Using Blob URLs to Bypass SEGs and Evade Analysis

Hackers use Blob URIs to host phishing pages locally, bypassing detection and exfiltrating credentials undetected.

Read more
May 7, 2025

Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign

Claude AI was misused to run a propaganda network, showing new risks of AI in digital influence and fraud.

Read more
April 30, 2025

Ransomware groups test new business models to hit more victims, increase profits

Ransomware groups adapt with new models; DragonForce decentralizes tools, Anubis shifts to extortion over encryption.

Read more

© 2024 Blackwired. All Rights Reserved.