FBI Ransomware Reporting: IC3 and Law Enforcement Coordination
The FBI's Internet Crime Complaint Center (IC3) serves as the primary federal intake channel for ransomware incident reports in the United States, functioning within a broader law enforcement ecosystem that includes the FBI's Cyber Division, CISA, and the Department of Justice's National Security Division. Reporting a ransomware incident to federal authorities initiates a structured coordination process with consequences for both the investigation and the victim organization's legal posture. This page describes the IC3 reporting structure, the multi-agency coordination framework, the scenarios in which reporting is mandatory versus voluntary, and the boundaries that distinguish federal from state-level law enforcement involvement.
Definition and scope
IC3 is the FBI's centralized cybercrime reporting portal, established in 2000 as a joint project between the FBI and the National White Collar Crime Center (NW3C). For ransomware incidents specifically, IC3 functions as both a complaint intake system and an intelligence aggregation platform. Reports filed through IC3 feed into the FBI Cyber Division's threat analysis pipeline and contribute to published annual reporting, including the IC3 Internet Crime Report, which documented 2,825 ransomware complaints in 2023 — a figure the FBI explicitly acknowledges as an undercount given the systemic underreporting prevalent across private-sector victims.
The FBI's jurisdiction over ransomware derives from the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which criminalizes unauthorized access to protected computer systems, and from federal extortion statutes under 18 U.S.C. § 875. The Stop Ransomware initiative, a joint federal program coordinated between the FBI, CISA, and the Secret Service, consolidates reporting guidance under a single interagency framework. IC3 operates as the public-facing submission gateway within that structure.
Reporting to IC3 is separate from — and does not substitute for — sector-specific regulatory notification obligations. Healthcare entities covered by HIPAA must notify the Department of Health and Human Services (HHS Breach Notification Rule, 45 C.F.R. §§ 164.400–414) within 60 days of discovery, independent of any FBI reporting. Financial institutions subject to the Gramm-Leach-Bliley Act and FTC Safeguards Rule carry parallel obligations to the FTC. Federal contractors may face additional disclosure requirements under DFARS clause 252.204-7012.
For organizations navigating the broader landscape of ransomware resources and service providers, the ransomware providers page catalogs sector-relevant firms and services.
How it works
The IC3 reporting and law enforcement coordination process unfolds across five discrete phases:
- Initial submission via IC3.gov. The victim or authorized representative submits a complaint at IC3.gov, providing incident details including attack vector (where known), ransomware variant, cryptocurrency wallet addresses or ransom note content, affected systems, and any communication received from the threat actor. IC3 assigns a complaint reference number at submission.
- Triage and routing. IC3 analysts triage the submission and route it to the appropriate FBI field office based on the victim's geographic location. The FBI field office assumes primary case coordination responsibility. For incidents involving critical infrastructure — as designated under CISA's 16 critical infrastructure sectors — parallel notification to CISA is standard protocol.
- FBI field office engagement. The relevant FBI Cyber Task Force contacts the victim organization to gather technical artifacts: ransom notes, encryption file extensions, malware samples, network logs, and cryptocurrency transaction records. This forensic intake informs both the active investigation and the FBI's broader threat intelligence database, which tracks known ransomware-as-a-service (RaaS) groups and their tooling signatures.
- Interagency coordination. High-impact incidents — particularly those affecting hospitals, water systems, financial networks, or government entities — trigger coordination with CISA's Cybersecurity Division and, where relevant, the Secret Service Electronic Crimes Task Force. The DOJ's Computer Crime and Intellectual Property Section (CCIPS) becomes involved when prosecution pathways are pursued. Treasury's Office of Foreign Assets Control (OFAC) is engaged when ransom payment to a sanctioned entity is at risk; OFAC's ransomware advisory framework imposes strict liability for payments to designated groups regardless of the victim's knowledge of the sanctioned status.
- Decryption key retrieval and threat actor attribution. In cases where FBI investigation yields access to threat actor infrastructure — as occurred in the 2021 Colonial Pipeline attack, where DOJ recovered approximately $2.3 million in cryptocurrency (DOJ Press Release, June 7, 2021) — victims may receive decryption keys or partial fund recovery. Attribution findings feed into indictments, sanctions designations, and published joint cybersecurity advisories.
Common scenarios
Critical infrastructure attacks. Ransomware incidents targeting hospitals, energy utilities, water treatment facilities, or financial market infrastructure receive elevated federal attention. Under Presidential Policy Directive 21 (PPD-21) and subsequent executive orders, the FBI and CISA treat these sectors as priority response categories. Victims in these sectors who engage the "ransomware provider network purpose and scope" framework alongside federal reporting gain access to consolidated resource pathways.
RaaS affiliate incidents. Ransomware-as-a-Service operations — in which a core developer group licenses malware to affiliate attackers — present a distributed attribution challenge for law enforcement. The FBI tracks RaaS ecosystems by variant name (LockBit, BlackCat/ALPHV, Cl0p) and maintains IOC (indicator of compromise) libraries shared through the CISA Known Exploited Vulnerabilities catalog and FBI's InfraGard platform. IC3 complaints that identify RaaS-specific ransom notes or wallet infrastructure contribute directly to this tracking effort.
Small and mid-size business incidents. Smaller organizations frequently assume federal reporting applies only to large enterprises or critical infrastructure. IC3 accepts complaints from organizations of any size. The FBI's Cyber Division maintains regional outreach through 56 field offices, each with dedicated cyber agents who engage small-business victims. The Internet Crime Complaint Center processed 880,418 total cybercrime complaints in 2023 (IC3 2023 Internet Crime Report), reflecting broad intake across victim types.
Pre-payment OFAC consultation. When a victim organization receives a ransom demand and identifies the threat actor group as potentially sanctioned — or when a third-party incident response firm advises on sanction risk — the standard protocol involves consulting OFAC's Specially Designated Nationals (SDN) list before any payment is authorized. OFAC's Updated Ransomware Advisory (September 2021) outlines how voluntary self-disclosure to law enforcement prior to payment is treated as a significant mitigating factor in enforcement determinations.
Decision boundaries
Mandatory versus voluntary federal reporting. For most private-sector ransomware victims, IC3 reporting remains voluntary under current federal law. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), administered by CISA, will impose mandatory reporting timelines for covered entities once its implementing rules are finalized — requiring ransomware payments to be reported within 24 hours and covered cyber incidents within 72 hours (CISA CIRCIA page). Until those rules take effect, CISA and FBI reporting is encouraged but not compelled for most private-sector actors.
FBI versus state law enforcement jurisdiction. The FBI holds primary jurisdiction over interstate and international ransomware operations under federal computer fraud statutes. State law enforcement — typically through state attorney general cybercrime units or state fusion centers — handles incidents where evidence, actors, and victim infrastructure are entirely intrastate, a rare configuration given how ransomware command-and-control infrastructure operates. In practice, the FBI coordinates with state-level agencies rather than competing with them, particularly through the National Cyber Investigative Joint Task Force (NCIJTF), which includes representation from 30 co-located agencies (FBI NCIJTF).
Reporting with versus without paying ransom. Organizations that pay a ransom and then report to IC3 face a different investigative trajectory than those that report before payment. Pre-payment engagement with the FBI creates the possibility — not a guarantee — of decryption assistance, intelligence sharing on the specific variant, or identification of sanctioned-entity risk. Post-payment reports primarily serve intelligence purposes. The "how to use this ransomware resource" page provides context on navigating professional services aligned with these scenarios.
IC3 complaint versus direct FBI engagement. An IC3 complaint is a public-facing intake form; direct FBI field office engagement is an active law enforcement relationship. Victims with time-sensitive incidents — active encryption, ongoing extortion, or threat actor communications — are advised by the FBI to contact the nearest field office directly in addition to filing an IC3 complaint. The FBI's field office locator is maintained at FBI.gov/contact-us/field-offices. IC3 submissions alone do not guarantee callback or active case assignment for lower-severity incidents.