Ransomware 101 Part 4: How to Engage with Law Enforcement After an Attack


One of the most important response actions you can take when a ransomware attack has occurred is to contact law enforcement as well as an external cyber forensics and incident response firm. Each can provide support in your recovery efforts, and the information you provide can help with ongoing ransomware investigation and prevention efforts. According to the FBI’s Internet Crime Report, the FBI helped recover approximately $380 million of $462 million (82%) in reported losses from cyber-attacks in 2020. 

Since our Ransomware 101 blog series was published, we have received many questions regarding what a firm’s relationship with law enforcement should look like. Part 4 of our series will discuss why and how your firm should contact law enforcement, including the FBI, after a ransomware attack has occurred. 

How can law enforcement agencies help with a ransomware attack?

While some firms may hesitate to disclose a ransomware attack due to concerns over reputational damage, contacting law enforcement and other relevant agencies can only help you in an investigation. The FBI can help investigate the attack using their cyber-forensic resources and information-sharing techniques. They will also try to help your firm recover from the attack. It is important to note that their priority will be to investigate the crime; however, their mission often aligns closely with your firm’s objectives of learning how an incident occurred and the possible recovery of stolen data. Your firm should also contact an external forensics and incident response team to help with both recovery and response.   

The FBI can also issue warrants to third parties, such as vendors who may have been impacted by the attack, compelling them to share data that may help your firm understand how an attacker penetrated your system. This can help link the attack on your firm’s system to other similar attacks and potentially enable the FBI to trace the attack back to the intruder.

The FBI and other relevant agencies perform two types of incident response: threat response and asset response. Threat response includes disrupting and intercepting malicious cyber actors. The FBI conducts a criminal investigation and determines whether the attack was an isolated incident. Asset response includes protecting assets and mitigating firm vulnerabilities. This helps to reduce the impact of an attack, aid in system and data recovery, and identify other information systems that could be impacted. The threat response is conducted by FBI field offices while asset response is conducted by the National Cybersecurity and Communications Integration Center (NCCIC).

How to report a ransomware attack 

Report the attack to the appropriate cyber law enforcement authorities as soon as you know you’ve been hit. A third-party expert can also help with your recovery efforts. 

  • Follow the breach notification obligations required by the appropriate authorities.  
    • In the United States (U.S.), appropriate authorities may include: 
    • In the European Union (E.U.), appropriate authorities may include: 
    • In the People’s Republic of China (PRC), appropriate authorities may include:
      • Cyberspace Administration of China (CAC) 
      • Relevant local government authorities 
  • Report the incident to law enforcement: 
    • In the U.S.: 
      • Contact your local FBI or USSS field office. 
      • The FBI also requests that you report the attack via the FBI Internet Crime Complaint Center.
      • Sector-specific agencies within the federal government may also be able to help. 
      • If your firm is an InfraGard member, you can report a cyber-incident through InfraGard’s iGuardian portal.  
        • InfraGard connects members to training and education materials, networking opportunities, relationship building and information sharing with FBI, and real-time threat analysis. 
    • In the E.U.:
      • Europol maintains a contact database that can help you report a cybercrime to the appropriate authorities
    • In the PRC:
      • Ministry of Public Security
      • Internet Society of China
  • The No More Ransom initiative may be able to help you recover your files, particularly if the attack uses weak encryption. 
  • Keep contact numbers for the FBI and other relevant agencies in your firm’s incident response plan.   
  • When reporting a cyberattack, provide at least the following information:
    • Name of the impacted firm
    • Name and title of the person reporting the incident
    • Type of incident
    • How and when the incident was detected
    • Who has been notified
    • What response actions have already been taken   

Download the white paper

Click here to view The 2022 Ransomware White Paper

Read the series

Click here for Ransomware 101 Part 1: A Growing Threat to Financial Services Firms.

Click here for Ransomware 101 Part 2: How to Prevent and Detect a Ransomware Attack.

Click here for Ransomware 101 Part 3: How to Respond to a Ransomware Attack.

How we help

ACA Aponix® helps firms to stay on top of their cybersecurity programs. Contact us to discuss how we can help assess and strengthen your current program to prevent ransomware attacks.
