#Privacy: FBI warns US organisations not to pay ransomware demands

The US Federal Bureau of Investigation (FBI) has issued a public service announcement informing organisations about high-impact ransomware attacks. 

The announcement explains that ransomware attacks are becoming more targeted and sophisticated, and the losses of ransomware attacks have significantly increased, according to complaints received by IC3 and FBI case information. 

Ransomware attacks are now targeting healthcare organisations, industrial companies, state and local governments, and the transportation sector. 

Threat actors are utilising numerous techniques to infect victims with ransomware including; Remote Desktop Protocol (RDP) vulnerabilities, software vulnerabilities and email phishing campaigns. 

In the announcement, the FBI advises organisations not to pay the ransom, as it does not guarantee an organisation will regain access to its data. Additionally, victims may not be able to recover some or all of their data due to flaws in the encryption algorithms of certain malware variants. 

“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” says the FBI in the announcement. 

The FBI urges organisations to report ransomware attacks to law enforcement, which by doing so investigators are provided with the critical information to track the attackers, and thus hold them accountable under US law. 

“As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity. 

“Those plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/