FinCEN: 2021 ransomware activity outpaces 2020 in 6 months

The U.S. Treasury's financial crimes bureau has seen a rise in anonymity-enhanced cryptocurrencies like Monero, though Bitcoin remains the most used.

The U.S. Treasury's Financial Crimes Enforcement Network observed more ransomware-related suspicious activity in the first half of 2021 than in all of 2020, according to a new report.

The report, titled "Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021," covers ransomware trend data observed in reports made to the Treasury via the Bank Secrecy Act, a 1970 law that requires banks and other financial institutions to assist the government in preventing money laundering. The Financial Crimes Enforcement Network (FinCEN) report, published Friday, comes amid the U.S. government's initiative to more closely track and disrupt cryptocurrency activity among ransomware groups.

The information primarily comes from suspicious activity reports (SARs), which are filed with FinCEN when an institution's customer is suspected of committing financial fraud or laundering money, or if other relevant unusual activity is detected. Because of the nature of FinCEN's ransomware report, it shows a specific corner of ransomware rather than acting as a complete overview.

FinCEN has received more SARs in 2021's first six months -- Jan. 1 to Jun. 30 -- than in all of 2020. The total value of said suspicious activity through June has also outpaced 2020.

"The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021 ('the review period'), up 30 percent from the total of 487 SARs filed for the entire 2020 calendar year," the report read. "The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million)."

As for methodology, the report said that "FinCEN reviewed and verified each SAR to remove any suspicious activity amount unrelated to ransomware and to extract relevant indicators of compromise (IOCs)."

The most common variants of ransomware observed by the bureau in the six-month period were REvil, Conti, DarkSide, Avaddon and Phobos, out of 68 total variants observed. The average total monthly value of ransomware-related SARs is $66.4 million so far, with the median monthly average being $45 million; Bitcoin was the most common cryptocurrency observed.

The report also observed a rise in "anonymity enhanced cryptocurrency" like Monero, which is considered harder to track than Bitcoin. FinCEN also saw an increased prevalence of cryptocurrency mixers for laundering and threat actors changing cryptocurrency wallet addresses after attacks.

"After receiving illicit funds from a victim, ransomware actors layered funds through multiple wallet addresses and avoided reusing wallet addresses for each attack, according to SAR data," the report read. "Threat actors laundered the payments from each ransomware event separately, to minimize consolidation into single wallet addresses."

Emsisoft threat analyst Brett Callow said that the report was useful for identifying trends, as it shows where response efforts should be focused.

"Data relating to ransomware has invariably been very limited, primarily because so few victims choose to disclose or report incidents," he said. "How many incidents there are and how much those incidents cost has always been very hard to estimate. Any data that helps increase our visibility into the threat landscape is a good thing, even if it's not complete and gaps remain. If lawmakers have more insight, they can create better and more appropriate policy responses."

Gurvais Grigg, global public sector CTO at blockchain analysis vendor Chainalysis, said the government's focus on cryptocurrency transactions is a positive in the fight against ransomware.

"On the heels of Deputy Attorney General Lisa Monaco's announcement of a national cryptocurrency enforcement team earlier this month, OFAC's guidance and FinCEN's report further demonstrate the U.S. government's commitment to addressing the threat of ransomware," Grigg said. "One of the key challenges in fighting ransomware is a lack of reporting. Victims often quietly pay ransoms, which makes it difficult to scope the problem and dedicate appropriate resources. The work the Treasury Department has done to encourage reporting and releasing data on those reports raises awareness, encourages organizations to strengthen their cyber hygiene standards, and improves information sharing."

Alexander Culafi is a writer, journalist and podcaster based in Boston.