4 reasons police struggle to measure the extent of ransomware

The statistical services of the Ministry of the Interior are publishing their first report on ransomware targeting companies and institutions on November 24, 2021. But weaknesses in the measurement of the phenomenon raise questions.

We keep saying it: ransomware, the cyberattacks that take your data hostage, has been exploding around the world and in France since 2020. And the Ministry of the Interior has obviously struggled to keep up with the phenomenon. Its statistical service, Inter stats, published on November 24, 2021 a report on "Ransomware attacks on businesses and institutions". A first.

It is a 9-page report in which the organization describes the evolution of the threat with many charts. Between the lines, and sometimes explicitly, we see how difficult it is for the Ministry of the Interior to measure the increase in ransomware attacks precisely.

1. Inconsistent handling between the police and the gendarmerie

Ransomware cases are not the exclusive domain of either the police or the gendarmerie. The report combines the activity of both forces of the Ministry of the Interior, but the statisticians point to a lack of consistency in how the two handle ransomware attacks.

This graph shows the evolution of procedures related to ransomware attacks // Source: Cyberwar screenshot

A full page of explanation is dedicated to "Identify ransomware attacks in procedures". Concretely, the authors explain their approach and its limits. This inventory of attacks may seem easy, but it is quite the contrary: "In the databases of the police, there is a variable that identifies the 'ransomware' modus operandi at the level of offenses. This variable is therefore used directly to identify procedures linked to ransomware attacks. It has no equivalent in the databases of the gendarmerie […]." This absence of a shared nomenclature obliged the authors of the report to analyze the text of the various procedures.

2. Descriptions missing in 83% of national police procedures

Even more worrying, "the modus operandi for procedures involving legal-person victims of crimes and misdemeanors is missing for 83% of the procedures of the national police and for 2% of the procedures of the gendarmerie." How can we explain the widespread absence of these essential details? "In the national police, filling in the text field of the procedure is not compulsory in the software for drafting procedures. This could therefore lead to an underestimation of the phenomenon."

Yet the way hackers operate in this kind of case (which is not always claimed) is the main clue that makes it possible to attribute attacks and then track down cybercriminal groups. The situation raises broader questions about the ability of the two institutions to exchange information effectively in these complex cases.

3. Partial statistics, by definition

Like all other Ministry of the Interior crime statistics, this report measures crime through police activity. "The data only describe what is known to the police and gendarmerie services. Victims who do not file a complaint with the security forces following a ransomware attack are therefore not counted," the text acknowledges.

This statistical bias forces us to treat the representativeness of the figures with some caution. The introduction of the GDPR, organizations' growing awareness of these threats and the media coverage of the phenomenon are all helping to change practices, but many organizations still prefer to hide that they have been victims of a cyberattack such as ransomware, whether for fear of legal and media consequences or simply because they prefer to pay the ransom demanded by the cybercriminals and hope to recover their data.

4. National centralization of investigations that sows uncertainty

Another, more surprising problem pointed out by Inter stats stems from the centralization of investigations. These technical procedures require specialized investigators, from units such as the BL2C for the national police or the C3N for the gendarmerie. These groups often take part in operations led by international coalitions. They have specific skills and centralize case files by type of ransomware.

But the report reveals that "these procedures transferred from the original complaints are outside the scope of the study", apart from partial detection in certain cases through administrative workarounds. A somewhat disconcerting observation, especially when "out of all the procedures (of the study, editor's note) related to ransomware, only 0.3% have at least one registered suspect". So many weaknesses call into question the relevance of this attempt at a statistical inventory, which remains partial.
