The FBI's Internet Crime Complaint Center (IC3) has issued its 28-page 2016 Internet Crime Report, detailing $1.33 billion in victim losses from a total of 298,728 complaints during the year.
Multiple forms of online attacks, including business email compromise (BEC), tech support fraud and various payment scams, were reported to the IC3 in 2016. Surprisingly ransomware, which has been cited as a growing trend in multiple security vendor reports, was not found to be a major factor in the IC3's 2016 report.
The top source of fraud by financial loss that was reported to the IC3 in 2016 was BEC. Also known as email account compromise (EAC), BEC is a type of scam where an attacker uses phishing email to trick a company into paying fraudulent invoices and accounts payable requests. Over the course of 2016, the IC3 received 12,005 BEC/EAC complaints, resulting in losses of more than $360 million.
Earlier this year, the IC3 reported that from October 2013 until June 2016, BEC-related fraud losses were estimated at $5.3 billion. One of the largest single cases of BEC fraud was reported in March, with the U.S. Department of Justice (DOJ) charging a single individual in connection with a BEC scam that resulted in the theft of more than $100 million from a pair of U.S. corporations.
In contrast to the high volume of BEC incidents and losses, ransomware was not as widely reported or impactful in the IC3 report. The IC3 received just 2,673 ransomware complaints that resulted in victims losing approximately $2.4 million.
The FBI's data on ransomware stands in stark contrast with other security industry reports that have shown a broader impact. The 2017 Verizon Data Breach Investigations Report (DBIR) reported a 50 percent rise in ransomware in 2016. And in its first-quarter 2017 malware report, security firm Kaspersky Lab claimed that its technology was used to help block ransomware attacks against 240,799 users.
Symantec, in its Internet Security Threat Report (ISTR), which was released in April, said it detected 463,841 ransomware attacks in 2016, up from 240,665 in 2015. According to Symantec, the average ransomware payout was $294 in 2015 and grew to $1,077 in 2016. A November 2016 study from security firm SentinelOne reported that 50 percent of organizations have responded to a ransomware campaign.
More recently, the WannaCry ransomware attack in May impacted at least 200,000 victims across 150 countries, according to Europol.
So why is the FBI seeing relatively few reports of ransomware? There are several reasons.
Even in the case of WannaCry, which was widely reported, the financial impact to whom a ransom was demanded appears to be relatively muted. As of June 20, approximately $136,000 was paid in ransom to the Bitcoin wallets associated with WannaCry. That means that not every victim or organization that was impacted by WannaCry ended up paying a ransom. To be fair, even if a ransom isn't paid, there is likely a financial impact in terms of IT staff, downtime and recovery costs.
The simplest response to ransomware for organizations that are prepared is to recover encrypted data from a secured backup. It's likely that organizations impacted by ransomware but were able to successfully recover did not report every incident to the IC3.
The other likely factor in play is that not every organization will choose to report an incident to the FBI, whether they are able to recover from it or not. Another possibility is that security vendors are doing such a great job protecting organizations against ransomware that there isn't a reason to complain to the FBI. Whatever the case, the divergence between security vendor figures for ransomware and the FBI's statistics will be an interesting metric to track in the months and years to come.