From attacking government institutions to using Bitcoin for money laundering, ransomware seems to be the preferred modus operandi for criminals.
The US Financial Crimes Enforcement Network (FinCEN) analysis of ransomware-related Suspicious Activity Reports (SARs) filed during the first half of 2021 indicates that ransomware is an increasing threat to the US financial sector, businesses and the public. The total US dollar value for ransomware-related transactions reported in SARs filed during the review period exceeds that of any previous year since 2011.
In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 per cent increase compared to $416 million for all of 2020. If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined, which would represent a continuing trend of substantial increases in reported year-over-year ransomware activity.
This trend potentially reflects the increasing overall prevalence of ransomware-related incidents as well as improved detection and reporting of incidents by covered financial institutions, which may also be related to increased awareness of reporting obligations pertaining to ransomware and willingness to report. The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021, up 30 per cent from the total of 487 SARs filed for the entire 2020 calendar year.
The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million). FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts, top ransomware variants, and insights from FinCEN’s blockchain analysis.
Average Monthly Suspicious Amount of Ransomware Transactions
According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions.
Top Ransomware Variants
Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
Insights from Blockchain Analysis
FinCEN identified and analyzed 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.
Ransomware Money Laundering Typologies
FinCEN identified several money laundering typologies common among ransomware variants in 2021, including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.