Ransom payments in the form of virtual currency have increased exponentially. According to an analysis by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), around $5.2 billion worth of Bitcoin transactions are linked to known ransomware operators. In addition to Bitcoin, FinCEN also identified ransom payments requested in Monero.
The FinCEN analysis of ransomware-related suspicious activity reports (SARs) during the first half of 2021 revealed that ransomware is a significant threat to the U.S. financial sector, businesses, and the public.
“Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem. Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity,” said Deputy Secretary of the Treasury Wally Adeyemo.
Top Ransomware Variants
The analysis found over 68 ransomware variants reported in SAR data for transactions during the review period. The most-reported variants include:
- REvil or Sodinokibi
Rising Ransom Trend
In total, FinCEN observed $590 million in ransomware-related SARs, a 42% increase over the $416 million reported for all of 2020. SARs filed in 2021 are projected to carry a higher ransomware-related transaction value than SARs filed in the previous ten years combined.
“This trend potentially reflects the increasing overall prevalence of ransomware-related incidents as well as improved detection and reporting of incidents by covered financial institutions, which may also be related to increased awareness of reporting obligations pertaining to ransomware and willingness to report,” FinCEN said.
FinCEN recommended several actions in response to suspected ransomware activity. These include:
- Incorporate Cyber Event Indicators (IOCs) from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
- Contact law enforcement immediately regarding any identified activity related to ransomware, and contact OFAC if there is any reason to suspect that the cyber actor demanding the ransomware payment may be sanctioned.
- Report suspicious activity to FinCEN, highlighting the presence of IOCs such as suspicious email addresses, file names, hashes, domains, and IP addresses, which can be provided in the SAR form.
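The first and third recommendations above amount to the same mechanism seen from two sides: indicators from a threat feed are matched against what the organization's systems log, and the matches are what ends up in the SAR. The following is an added example, not FinCEN's guidance or any vendor's code, of a minimal matcher for the five indicator types named in the recommendations (email addresses, file names, hashes, domains, and IP addresses). The IOC feed, the log lines, their key=value format, and all hostnames, addresses and hashes are constructed for the demonstration (TEST-NET addresses, `.invalid` domains, the MD5 of an empty file) and are not real indicators.

```python
"""Match indicators of compromise (IOCs) from a feed against log lines.

Added example only: the IOC feed and log lines below are constructed for
this demonstration and are not real indicators from FinCEN or any feed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IOC feed, keyed by the indicator types FinCEN lists.
SAMPLE_IOC_FEED = {
    "email": {"payments@example-ransom.invalid"},
    "filename": {"readme_decrypt.txt"},
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},  # placeholder: MD5 of an empty file
    "domain": {"c2.example-ransom.invalid"},
    "ip": {"203.0.113.45", "198.51.100.0/24"},      # TEST-NET ranges, constructed
}

# Constructed log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2021-07-01T10:00:01Z proxy dst=c2.example-ransom.invalid src=10.0.0.5 action=allow",
    "2021-07-01T10:00:05Z fw dst_ip=198.51.100.77 src=10.0.0.5 action=allow",
    "2021-07-01T10:01:00Z edr host=ws12 file=readme_decrypt.txt hash=d41d8cd98f00b204e9800998ecf8427e",
    "2021-07-01T10:02:00Z mail from=payments@example-ransom.invalid to=cfo@corp.example",
    "2021-07-01T10:03:00Z proxy dst=www.example.com src=10.0.0.7 action=allow",
]


@dataclass(frozen=True)
class Alert:
    line_no: int    # 1-based index of the matching log line
    ioc_type: str   # email, filename, hash, domain or ip
    indicator: str  # the feed entry that matched (a CIDR for ip hits)
    observed: str   # the token actually seen in the log


class IocMatcher:
    """Exact matching for string indicators, CIDR containment for IPs."""

    def __init__(self, feed):
        self.exact = {
            t: {v.lower() for v in feed.get(t, ())}
            for t in ("email", "filename", "hash", "domain")
        }
        # strict=False lets a bare host address double as a /32 network.
        self.networks = [ipaddress.ip_network(v, strict=False) for v in feed.get("ip", ())]

    def _match_token(self, token):
        for ioc_type, values in self.exact.items():
            if token in values:
                return ioc_type, token
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return None  # not an address; no IP check needed
        for net in self.networks:
            if addr in net:
                return "ip", str(net)
        return None

    def scan(self, lines):
        """Return one Alert per distinct indicator hit on each line."""
        alerts = []
        for n, line in enumerate(lines, start=1):
            seen = set()
            # Split on whitespace and key=value separators, then normalise case.
            for raw in re.split(r"[\s=,;]+", line):
                token = raw.strip("\"'<>()[]").lower()
                if not token:
                    continue
                hit = self._match_token(token)
                if hit and hit not in seen:
                    seen.add(hit)
                    alerts.append(Alert(n, hit[0], hit[1], token))
        return alerts


def summarize(alerts):
    """Count hits by indicator type, the shape a SAR narrative needs."""
    return dict(Counter(a.ioc_type for a in alerts))


if __name__ == "__main__":
    found = IocMatcher(SAMPLE_IOC_FEED).scan(SAMPLE_LOGS)
    for a in found:
        print(f"line {a.line_no}: {a.ioc_type} {a.observed} (feed: {a.indicator})")
    print(summarize(found))
```

Exact matching is the simplest form of this control; a production feed also carries expiry dates and confidence levels, and a hit on a low-confidence indicator should route to an analyst rather than to active blocking. What the matcher records (the indicator type, the feed entry, and the observed value) is exactly the material the third recommendation asks filers to include in the SAR.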