The FBI's Internet Crime Complaint Center (IC3) released its 2017 Internet Crime Report on May 8, revealing an increase in the volume of crimes reported but a decrease in the amount of financial loss.
The 29-page study reported that in 2017, the IC3 received a total of 301,580 complaints, up from 298,728 in 2016. Losses, however, went down, with 2017 losses reported at $1.42 billion, below the $1.45 billion reported in 2016.
"As the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists, the FBI's IC3 provides the public with a trustworthy and convenient reporting mechanism to submit information concerning suspected Internet-facilitated criminal activity," Scott Smith, assistant director of Cyber Division at the FBI, stated. "As cyber criminals become more sophisticated in their efforts to target victims, we must continue to transform and develop in order to address the persistent and evolving cyber-threats we face."
The top complaint received by the IC3 in 2017 was from business email compromise (BEC) incidents, which has been a growing trend in recent years. BEC attacks occur when a hacker tricks an organization into paying a fraudulent invoice.
The IC3 reported that it received 15,690 BEC complaints in 2017, accounting for losses of $675 million, up from the 12,005 BEC complaints reported in 2016, which resulted in losses of more than $360 million. In contrast, in 2015, the IC3 reported that BEC losses for all of 2014 came in at $215 million.
While BEC attack volume and losses continue to rise, the same trend is not happening with ransomware. In 2017, the IC3 received 1,783 complaints related to ransomware attacks resulting in losses of $2.3 million. In 2016, the IC3 reported that it had received 2,673 ransomware complaints that resulted in victims losing approximately $2.4 million.
What is particularly noteworthy about the IC3's report of declining ransomware complaints in 2017 is that it was the same year in which two of the largest publicly reported ransomware campaigns occurred—WannaCry and then NotPetya. The IC3's data also stands in stark contrast with other industry reports, including Verizon's 2018 Data Breach Investigations Report (DBIR), which reported that ransomware attack volume doubled in 2017.
There are multiple reasons for the disparity in the ransomware figures reported by the IC3 and those coming from other sources. Michelle Alvarez, threat researcher at IBM X-Force, told eWEEK in April that organizations are not required to report ransomware and, as such, there isn't a running list of every ransomware attack and there isn't a per record tally like there are for breaches.
With ransomware, attackers offer victims the opportunity to get their data back if they pay the ransom, which might also be a reason why ransomware is underreported to the IC3, although the IC3 report emphasized that the FBI does not support paying a ransom.
"Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom," the IC3 report states. "Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved."
As the conflicting numbers show, it's not entirely clear if ransomware is getting worse or if it is getting better. What is clear though is that even though the IC3 numbers for ransomware declined for 2017, it's still an active attack vector. Other forms of crime—notably BEC attacks—however continue to rise and while ransomware remains a risk, organizations would be well-served to make sure they have the right technologies and processes in place to limit BEC risks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.