Industry Insights with Sally Adam

Fraud Management & Cybercrime , Ransomware

Law Enforcement's Role in Remediating Ransomware Attacks

Different Countries Have Different Levels of Law Enforcement Involvement
Law Enforcement's Role in Remediating Ransomware Attacks

In the early years of ransomware, many victims were reluctant to admit publicly that they had been hit for fear of negative press and customer attrition.

See Also: 5 Requirements for Modern DLP

More recently, ransomware victims are increasingly willing to acknowledge an attack. This is likely driven in part by the normalization of ransomware. Our State of Ransomware reports reveal attack rates above 50% for the last three years, and public acknowledgement of an attack by well-known brands is commonplace. Being hit by ransomware is no longer perceived to be shameful.

The increase in mandatory reporting of attacks in many jurisdictions is also likely driving greater disclosure.

Although there has been a general sense that reporting has increased, detailed insights and regional comparisons have been hard to come by - until now. Data from this year's Sophos State of Ransomware survey reveals how reporting levels and official responses vary across 14 countries.

Reporting a Ransomware Attack Is a Win-Win

The nature and availability of official support when dealing with a ransomware attack vary on a country-by-country basis.

Reporting an attack has the following benefits for the victim and the official bodies that support them:

  • Immediate remediation support: Governments and other official bodies can often provide expertise and guidance to help victims remediate the attack and minimize impact.
  • Policy guidance insights: Protecting businesses from cybercrime, including ransomware, is a major focus for many governments. The more insights officials have into attacks and their impact, the better they can guide policies and initiatives.
  • Attacker takedown enablement: Timely sharing of attack details assists global efforts to take down criminal gangs, such as LockBit in February 2024.

With these benefits in mind, the insights from the survey make encouraging reading.

Insight 1: Most Ransomware Attacks Are Reported

Globally, 97% of ransomware victims in the last year reported the attack to law enforcement and/or official bodies. Reporting rates are high across all countries, surveyed with just 10 percentage points between the lowest rate of 90% in Australia and the highest - 100% in Switzerland.

The findings reveal variations by industry. In sectors with high percentages of public sector organizations, almost all attacks are reported.

Image: Sophos

Insight 2: Law Enforcement Almost Always Assists

For organizations that report the attack, the good news is that law enforcement and/or official bodies almost always get involved. Overall, just 1% of the 2,974 victims surveyed said that they did not receive support despite reporting the attack.

Insight 3: Support for Ransomware Victims Varies by Country

Respondents that reported the attack received support in three main ways:

  1. Advice on dealing with the attack - 61%
  2. Help in investigating the attack - 60%
  3. Help in recovering data encrypted in the attack - 40% of all victims and 58% of those that had data encrypted

The exact nature of law enforcement and/or official body involvement varies according to the organization's location. While more than half of victims received advice on dealing with the attack across all countries surveyed, the highest levels of support in this area were 71% of organizations in India and 69% of organizations in Singapore.

Indian respondents reported the highest level of support in investigating the attack at 70%, followed by South African respondents at 68%. The lowest rate - 51% - was reported in Germany.

Image: Sophos

Among those that had data encrypted, more than half globally - 58% - received support in recovering their encrypted data. India continues to top the chart, with 71% of those that had data encrypted receiving assistance in recovering it. The countries with the lowest propensity for victims to receive help recovering encrypted data are all in Europe: Switzerland at 45%, France at 49%, Italy at 53% and Germany at 55%.

Image: Sophos

Insight 4: Engaging With Law Enforcement Is Generally Easy

More than half - 59% - of those that engaged with law enforcement and/or official bodies said the process was easy. Only 10% said the process was very difficult.

Image: Sophos

Ease of engagement also varies by country. Those in Japan were most likely to find reporting difficult - at 60%, followed by those in Austria at 52%. Japanese respondents also had the highest propensity to find it "very difficult" to report the attack - 23%. Conversely, 75% of respondents in Brazil and 74% in Singapore were most likely to find it easy to engage, while Italian organizations had the highest percentage that found it "very easy" at 32%.

Image: Sophos

Insight 5: Attacks Are Not Reported for a Number of Reasons

There were several reasons why 3% did not report the attack. The two most common reasons were: concern that reporting it would have a negative impact on their organization, such as fines, charges or extra work, at 27%, and the feeling that there would not be any benefit to them in reporting it, also at 27%. Several respondents said they did not engage official bodies as they could resolve the issue in-house.

Image: Sophos


The survey findings reveal that reporting ransomware attacks is common, and victims almost always receive support as a result. Hopefully, these findings will encourage any organization that does fall victim in the future to notify its relevant authorities.

About the Survey

The Sophos State of Ransomware 2024 report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA and Asia-Pacific. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne in January and February 2024, and participants were asked to respond based on their experiences over the previous year.

About the Author

Sally Adam

Sally Adam

Senior Director, Marketing, Sophos

Adam is responsible for many of Sophos external research-based reports and educational resources. She has more than 15 years of experience in cybersecurity and combines deep knowledge of both adversary trends and Sophos technologies to help organizations optimize their protection.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.