Content, Breach, Content

Ransomware Victims Paid $600 Million to Hackers in 1H of 2021

Ransomware victims coughed up nearly $600 million to cyber hijackers in the first six months of 2021, further stamping cyber extortionists as an “increasing threat” to the U.S. financial, business and public sectors, a recent report released by the Treasury Department said.

Data gathered by the Financial Crimes Enforcement Network (FinCEN) derived from financial institutions’ Suspicious Activity Reports (SARs) revealed that the 635 reports filed for the first six months of this year is already 30 percent greater than the 487 filed for all of last year. Some 458 financial transitions have been reported as of June 30, 2021 with the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 amounting to $590 million, or 42 percent more than the $416 million filed for all of 2020.

This is how financially menacing is ransomware:

  • The total U.S. dollar value for ransomware-related transactions reported in SARs filed during the review period exceeds that of any previous year since 2011.
  • If current trends hold, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined.

Three factors may be affecting the trend line:

  1. An increasing number of ransomware-related incidents.
  2. Improved detection and reporting by financial institutions.
  3. Increased awareness of reporting obligations and willingness to report.

“Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem,” said Wally Adeyemo, Treasury Department deputy secretary. “Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity.”

The study's five key findings:

  • The mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million.
  • Bitcoin was the most common ransomware-related payment method in reported transactions.
  • 68 ransomware variants were reported in SARs data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
  • 177 unique convertible virtual currency (CVC) wallet addresses were used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Of the 177 CVC wallet addresses there was approximately $5.2 billion in outgoing Bitcoin transactions potentially tied to ransomware payments.
  • Threat actors increasingly requesting payments in anonymity-enhanced cryptocurrencies (AECs) and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.

For perspective, from 1 January 2011 to 30 June 2021, the total data set consisted of 2,184 SARs reflecting $1.56 billion in suspicious activity filed.

FinCEN suggested four actions organizations can take to detect and mitigate threats:

  • Incorporate indicators of compromise (IOCs) from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
  • Contact law enforcement immediately regarding any identified activity related to ransomware, and contact the Office of Foreign Assets Control (OFAC) if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
  • Report suspicious activity to FinCEN, highlighting the presence of “Cyber Event Indicators.” IOCs, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided in the SAR form. Information regarding ransomware variants, AECs requested for payment, or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments.
  • Review financial red flag indicators of ransomware in the “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” issued by FinCEN in October
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.