The Financial Crimes Enforcement Network (FinCEN) released a financial trend analysis report in response to the increase in the number and severity of ransomware attacks against US critical infrastructure since late 2020. For example, in May 2021, hackers used a ransomware attack to extort a multi-million dollar ransom; the attack also disrupted the Colonial Pipeline and caused gasoline shortages.
FinCEN's analysis of ransomware-related Suspicious Activity Reports (SARs) filed during the first half of 2021 indicates that ransomware is an increasing threat to the US financial sector, businesses, and the public. The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021, up 30% from the total of 487 SARs filed for the entire 2020 calendar year. The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million).
FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts, top ransomware variants, and insights from FinCEN’s blockchain analysis:
- Average Monthly Suspicious Amount of Ransomware Transactions: According to data generated from ransomware-related SARs, the mean total monthly suspicious amount of ransomware transactions was $66.4 million and the median was $45 million. FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions.
- Top Ransomware Variants: Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
- Insights from Blockchain Analysis: FinCEN identified and analyzed 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments.
- FinCEN Identified Ransomware Money Laundering Typologies: FinCEN identified several money laundering typologies common among ransomware variants in 2021, including threat actors increasingly requesting payments in anonymity-enhanced cryptocurrencies (AECs) and avoiding reusing wallet addresses; “chain hopping” and cashing out at centralized exchanges; and using mixing services and decentralized exchanges to convert proceeds.