Although 97% of organizations affected by ransomware report the attack, the level of involvement of law enforcement or official agencies varies considerably by country.
In the early years of ransomware, many (if not most) victims were reluctant to publicly admit that they had been attacked for fear of compounding the business impact of the attack.
Concern about negative press and loss of customers led many organizations to remain silent.
More recently, the situation has changed and ransomware victims are increasingly willing to recognize an attack. This evolution is likely due in part to the normalization of ransomware: our (fully anonymous) reports on the state of ransomware have revealed attack rates of over 50% over the past three years, and public recognition of an attack by from well-known brands is common. In short, suffering from a ransomware attack is no longer perceived as an automatic shame.
Increased mandatory reporting of attacks in many countries is also likely driving greater disclosure, particularly in the public sector, which is most affected by these regulations and requirements.
Although there has been a general sense that reporting has increased, detailed information and regional comparisons have been difficult to obtain, until now. This year's Sophos State of Ransomware survey sheds light on this, revealing for the first time how reporting levels and official responses vary across the 14 countries studied.
Reporting a ransomware attack is good for everyone
The nature and availability of official support for a ransomware attack varies from country to country, as do the tools for reporting a cyberattack. US victims can turn to the Cybersecurity and Infrastructure Security Agency (CISA) , those in the UK can get advice from the National Cyber Security Center (NCSC) and Australian organizations can turn to the Australian Cyber Security Center (ACSC) , for example. name just a few.
Reporting an attack has benefits for both the victim and the official organizations that seek to support them:
Immediate remediation support – Often, governments and other official bodies can provide expertise and guidance to help victims remediate the attack and minimize its impact.
Policy Guidance – Protecting businesses from cybercrime, including ransomware, is a top goal for many governments around the world. The more knowledge officials have about the attacks and their impact, the better they will be able to guide policies and initiatives.
Enable attacker dismantling : Timely sharing of attack details helps national and international efforts to dismantle criminal gangs, such as February 2024's Operation Lockbit.
Taking these advantages into account, the survey's conclusions are encouraging.
Conclusion 1: Most ransomware attacks are reported
Worldwide, 97% of ransomware victims in the last year reported the attack to law enforcement or official agencies. Notification rates are high in all countries surveyed, with only ten percentage points between the lowest rate (90% – Australia) and the highest (100% – Switzerland), being 99% in Spain.
The results reveal that although annual revenue and number of employees have little impact on the propensity to report an attack, there are some variations by sector. In sectors with high percentages of public sector organizations, almost all attacks are reported:
100% state and local administration (n=93)
6% healthcare (n=271)
5% education (n=387)
4% central/federal government (n=175)
Distribution and transportation have the lowest reporting rate (85%, n=149), followed by IT, technology and telecommunications (92%, n=143).
Conclusion 2: Security forces almost always help
For organizations that report the attack, the good news is that law enforcement or official agencies almost always intervene. Overall, only 1% of the 2,974 victims surveyed said they did not receive help despite reporting the attack.
Conclusion 3: Support for ransomware victims varies by country
Respondents who reported the attack received support in three main ways:
Advice to deal with the attack (61% on average, 55% in Spain)
Help investigate the attack (60% of average, 57% in Spain)
Help to recover data encrypted in the attack (40% of all victims and 58% of those who had encrypted data and 51% in Spain)
Digging a little deeper, we see that the exact nature of law enforcement or official agency involvement varies depending on the organization's headquarters. Although more than half of victims received advice on how to cope with the attack in all countries surveyed, organizations in India (71%) and Singapore (69%) reported the highest level of support in this area.
Indian respondents also reported the highest level of support for investigating the attack (70%), followed by those in South Africa (68%), while the lowest was in Germany (51%).
Among those with encrypted data, more than half globally (58%) received support to recover it. India continues to top the table, with 71% of those with encrypted data receiving help recovering it. It is worth noting that the countries with the lowest propensity for victims to receive help to recover encrypted data are all European: Switzerland (45%), France (49%), Italy (53%) and Germany (55%).
Conclusion 4: In general, it is easy to collaborate with security forces
Encouragingly, more than half (59% on average, 53% in Spain) of those who contacted law enforcement or official agencies regarding the incident said the process was easy (23% very easy , 36% somewhat easy). Only 10% (13% in Spain) said that the process was very difficult, while 31% described it as somewhat difficult, in Spain this percentage was slightly higher at 34%.
The ease of help also varies by country. Respondents in Japan were most likely to find reporting difficult (60%), followed by those in Austria (52%). Japanese respondents were also the most likely to consider it “very difficult” to report the incident (23%). In contrast, respondents from Brazil (75%) and Singapore (74%) were the most likely to find engagement easy, while Italian organizations had the highest percentage finding it “very easy” (32%).
Conclusion 5: There are countless reasons attacks go unreported
There were a number of reasons why 3% (86 respondents) did not report the attack, with the two most common being concerns that it would have a negative impact on their organization, such as fines, fees or extra work (27%), and because they didn't believe there was any benefit to them (also 27%). Several respondents answered verbatim that they did not turn to official agencies because they could resolve the problem internally.
