FBI Ransomware Reporting: IC3 and Law Enforcement Coordination
The FBI operates two primary channels through which ransomware incidents enter the federal law enforcement ecosystem: the Internet Crime Complaint Center (IC3) and direct engagement with FBI field offices. This page describes how those reporting mechanisms are structured, what happens after a report is filed, how the FBI coordinates with partner agencies like CISA and the Secret Service, and where reporting obligations intersect with the broader landscape of ransomware reporting requirements across US jurisdictions.
Definition and scope
FBI ransomware reporting encompasses the formal and informal processes by which victims — organizations and individuals alike — submit incident information to federal law enforcement, triggering investigative, intelligence, and victim assistance workflows. The FBI's Internet Crime Complaint Center (IC3) serves as the centralized intake portal for cybercrime complaints nationwide, including ransomware. The IC3 is a partnership between the FBI and the National White Collar Crime Center (NW3C), authorized under the Homeland Security Act and related cybercrime statutes including the Computer Fraud and Abuse Act (18 U.S.C. § 1030).
In its 2023 Internet Crime Report, the IC3 recorded 2,825 ransomware complaints, with adjusted losses exceeding $59.6 million — figures the FBI explicitly acknowledges represent only a fraction of actual incident volume, given persistent underreporting across the private sector. The full scope of ransomware activity intersects with sector-specific threat patterns, including healthcare, finance, manufacturing, and government.
The FBI's reporting framework is not a single static form. It is a multi-layer infrastructure that includes IC3 intake, field office engagement, and interagency coordination under the Joint Ransomware Task Force (JRTF), established formally in 2022 through the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
How it works
FBI ransomware reporting follows a structured intake-to-investigation pipeline. The discrete phases operate as follows:
- Initial complaint submission via IC3.gov — Victims submit incident details through the IC3 web portal. Required fields include the date of the attack, ransomware variant (if identified), ransom demand amount, payment status, and the nature of systems affected. The IC3 accepts reports from both individuals and organizations.
- Complaint processing and triage — IC3 analysts review submissions and classify them by threat type, sector, and potential impact. Complaints meeting defined severity thresholds — such as critical infrastructure involvement or demands above a specified dollar value — are escalated to the FBI's Cyber Division or relevant field office.
- Field office engagement — The FBI operates 56 field offices across the United States. Victims with active incidents are encouraged to contact their regional field office directly in parallel with IC3 filing. Field agents can deploy Victim Specialists and provide technical assistance during active incidents, including coordination with the FBI's Cyber Action Team (CAT).
- CISA notification loop — Under the CISA StopRansomware framework, the FBI and CISA maintain parallel reporting intake. Reporting to the FBI does not automatically satisfy CISA reporting obligations, and vice versa. Organizations with critical infrastructure designations under the 16 sectors identified by Presidential Policy Directive 21 (PPD-21) should file with both agencies.
- Intelligence integration — Data from IC3 complaints feeds into the FBI's threat intelligence cycle. Complaint data is aggregated to identify emerging ransomware variants, threat actor patterns, and geographic targeting trends. The FBI publishes Flash Alerts when actionable threat intelligence emerges from complaint data.
- Sanctions coordination — Where ransom payment is under consideration, the FBI coordinates with the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), which maintains a Specially Designated Nationals (SDN) list relevant to ransomware payment legality. Payments to sanctioned entities carry civil penalties regardless of victim knowledge.
The full structure of the FBI's response framework connects directly to the ransomware incident response lifecycle, which spans from initial detection through forensic analysis and potential prosecution.
Common scenarios
Healthcare sector incidents — Hospitals and health systems filing with the IC3 under HIPAA-breach conditions face overlapping reporting obligations. The Department of Health and Human Services (HHS) Office for Civil Rights operates a separate breach notification portal; IC3 filing does not fulfill that requirement. HIPAA mandates notification to HHS within 60 days of discovery of a breach affecting 500 or more individuals (45 CFR § 164.408).
Ransomware-as-a-service (RaaS) incidents — When a ransomware-as-a-service affiliate is the threat actor, the FBI uses IC3 data to map affiliate activity back to core operators — a key investigative challenge given the decentralized nature of RaaS infrastructure. Victims reporting promptly with detailed technical indicators (file hashes, ransom note contents, cryptocurrency wallet addresses) materially support these investigations.
Supply chain compromise — Where ransomware propagates through a managed service provider or software supply chain, the FBI may treat the incident as a multi-victim case. Supply chain ransomware attacks often involve simultaneous IC3 filings from dozens of downstream organizations, requiring coordinated case management across field offices.
State and local government targets — Municipal governments, school districts, and county agencies are frequent targets. These entities typically lack internal incident response capacity and rely on FBI field office engagement more heavily than enterprise victims. The FBI's Internet Crime Complaint Center tracks this sector separately under its government victim classification.
Decision boundaries
The decision to report — and through which channel — is governed by several intersecting factors:
IC3 vs. direct field office contact: IC3 is appropriate for post-incident documentation. Direct field office contact is appropriate for active incidents where law enforcement assistance, technical support, or real-time intelligence is needed. Both channels are non-exclusive and should typically be used in parallel.
FBI reporting vs. CISA reporting: CISA operates the 24/7 reporting line (1-888-282-0870) and an online form at cisa.gov/report. CISA's mandate centers on critical infrastructure protection and vulnerability disclosure; FBI's mandate centers on criminal investigation and prosecution. CIRCIA — when its final reporting rules take effect — will create mandatory 72-hour reporting obligations for covered entities, distinct from IC3 voluntary filing. Full CIRCIA rulemaking remained in progress, according to the CISA CIRCIA rulemaking docket.
Voluntary vs. mandatory reporting: IC3 filing is currently voluntary for most private sector entities. The distinction between voluntary and mandatory reporting obligations varies by sector — HIPAA ransomware compliance imposes affirmative notification duties independent of law enforcement reporting. Financial sector entities face additional obligations under the Gramm-Leach-Bliley Act and FTC Safeguards Rule.
Payment decision reporting: If a ransom payment is made, OFAC guidance published in the Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (September 2021) identifies voluntary self-disclosure to OFAC as a mitigating factor in civil enforcement actions. This creates a distinct reporting pathway that intersects with — but operates independently from — IC3 filing.
The FBI explicitly states in its ransomware guidance that reporting even failed or resolved attacks provides intelligence value. Historical complaint data supports attribution analysis, decryptor development coordination, and court-admissible evidence chains in federal prosecutions under 18 U.S.C. § 1030.
References
- FBI Internet Crime Complaint Center (IC3)
- IC3 2023 Internet Crime Report
- CISA StopRansomware
- CISA CIRCIA Rulemaking
- OFAC Advisory on Ransomware Payments (September 2021)
- FBI Ransomware Guidance
- 18 U.S.C. § 1030 — Computer Fraud and Abuse Act
- 45 CFR § 164.408 — HIPAA Breach Notification to HHS
- Presidential Policy Directive 21 (PPD-21) — Critical Infrastructure Security
- HHS Office for Civil Rights — Breach Reporting Portal