Towards the end of 2021—a year when ransomware attacks reached record highs—researchers at the Alliance for Securing Democracy investigated how local police are responding to the threat of ransomware. We sought to understand how cases are reported at the local level, what support is available to victims, and how the chain of custody for ransomware cases is structured. We called police information lines, or non-emergency numbers when unavailable, to ask for information on how best to respond to ransomware incidents. We inquired about what one should do in the event of a ransomware attack, where one should report the incident, and what law enforcement agency would handle a ransomware investigation. We called local police in the most populous city in all 50 states under the assumption that the state’s largest city would have access to the most resources and would likely have existing information sharing relationships with state and federal agencies. We found that as cybercrimes grow in complexity and scale, both local and federal law enforcement are struggling to evolve with them.
Taking Stock of Ransomware Responses
Our research indicates that most local agencies do not have a clear or codified response strategy to ransomware. Currently, the FBI’s guidelines for handling a ransomware incident are to not pay the ransom and to report the incident to IC3.gov or an FBI field office. Out of the 46 offices from which we were able to get information, 14 directed us to the FBI and five listed the IC3.gov resource. Of those 14 police operators, three were unsure of their answer or googled what the police response should be while we were on the phone. Thirteen responders did not know what ransomware was, asking us to define it or googling it themselves, and one officer said that ransomware was not a matter for law enforcement. Only two operators communicated the federal guideline to not pay the ransom, and two other operators provided us with clear and confident directions because they personally had experience dealing with ransomware. Several operators directed us to unhelpful resources such as the Apple store, Best Buy, or an internet provider. The most common response was to recommend that a victim report a ransomware attack to local police, without clarity as to who would ultimately follow up on it or carry out the investigation.
Overall, the responses seemed improvised and erratic. These results point to a lack of clarity and communication at higher levels of law enforcement as to who deals with ransomware and cybercrime more broadly. Responses are bound to remain inconsistent in the absence of direct guidelines for operators and officers. Without a clear chain of command for ransomware cases, both local law enforcement and victims are in the dark.
The question of which agencies should deal with cybercrime has plagued law enforcement for decades. Federal agencies bear the onus for ransomware responses, as local agencies lack the tools or jurisdictional authority to investigate these complex and often transnational crimes. However, in our current system, individual cybercrime cases receive little federal attention. In a Washington Post op-ed, Texas cybercrime detective Nick Selby claimed that cybercrime is only deemed serious enough for over-burdened FBI investigators if it comes with a price tag of $200,000 or has garnered significant media attention. Many cases slip through this gap between federal and local capabilities. As ransomware attacks continue to surge, law enforcement at all levels must step up to the challenge to ensure that all victims receive support.
Recommendations for Reform
Local police agencies may lack the capacity to investigate and prosecute ransomware themselves, but they still have a vital role to play in ensuring that all victims receive support. We recommend a variety of initiatives to improve the local police response to ransomware.
Many local and state agencies have taken cybercrime response into their own hands by establishing cybercrime units or pursuing innovative initiatives to train police in responding to cybercrime. Such developments should be encouraged and expanded across the board. Cybercrime could be pursued by local and state agencies, instead of passing all cybercrime cases on to the FBI, which only depletes already limited federal resources. Creating more local cybercrime units eases the burden of overall cases on federal investigators and frees them up to address incidents like transnational ransomware cases.
Local police can also improve education and awareness of the ransomware threat by communicating counter-ransomware best practices to their communities. However, creating awareness is not possible unless local police take it upon themselves to be educated about cybercrime. Agencies should provide regular updates to their staff to keep them informed of developments in cybercrime along with prevention strategies. Education about ransomware and other types of cybercrime will help officers know how to handle victims’ questions and prevent officers from giving poor advice. Such education can also help police maintain their own cybersecurity and prevent stations from being hit by ransomware—a trend which is rising.
Crucially, federal law enforcement must establish a clear chain of command for ransomware cases—beginning with a victim’s call for help—and communicate that process to local police. Individuals and organizations targeted with ransomware are forced to make critical decisions under enormous stress. If local police fail to give accurate guidance to victims and are unaware of how cases should be handled, then victims will waste precious time seeking help and more cases will slip through the cracks.
2021 demonstrated the disturbing power of ransomware to paralyze critical infrastructure and extort individuals. Despite the growing nature of this threat, our conversations with police staff nationwide revealed an alarming lack of awareness and support for victims of ransomware. Ransomware is not merely a federal issue. Local police, as well as organizations and individuals, must accept responsibility for cybersecurity. Our response to cybercrime has for too long been reactive and disorganized. We need more understanding and resources at the local level to secure our digital infrastructure.