Sadly, ransomware is hitting its stride in 2021, and is showing no signs of slowing down.
While there have been multiple media reports about the rising threat of ransomware, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, recently provided proof that an increase is underway. The report, “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021,” identifies ransomware patterns and more.
In fact, the FinCEN analysis has uncovered a sharp shift upward in ransomware-related Suspicious Activity Reports (SARs) filed during the first half of this year, and “indicates that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public.”
The SARs related to ransomware “filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021 … up 30 percent from the total of 487 SARs filed for the entire 2020 calendar year,” according to the report.
As for dollar amounts, the “total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million),” according to the trend report.
The FinCEN analysis of ransomware-related SARs covers “average ransomware payment amounts, top ransomware variants, and insights from FinCEN’s blockchain analysis.”
Here are some highlights:
- The Average Monthly Suspicious Amount of Ransomware Transactions: “According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million, and the median average was $45 million;”
- The Top Ransomware Variants: “Ransomware actors develop their own versions of ransomware, known as ‘variants,’ and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos;”
- Bitcoin (BTC) and Blockchain Analysis: “FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions … FinCEN identified and analyzed 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments;”
- Ransomware Money Laundering Typologies: “FinCEN identified several money laundering typologies common among ransomware variants in 2021 including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding reusing wallet addresses, ‘chain hopping’ and cashing out at centralized exchanges and using mixing services and decentralized exchanges to convert proceeds.”
Beyond finding patterns, the FinCEN report offers ways to detect, mitigate, and report ransomware.
“SAR filing is required or appropriate when dealing with a ransomware incident, including ransomware related payments made by financial institutions that are victims of ransomware,” according to FinCEN. “Financial institutions may also file with FinCEN a report of any suspicious transaction it believes relates to the possible violation of any law or regulation but whose reporting is not required by 31 CFR Chapter X.”
For early detection, FinCEN recommends the following:
- “Incorporate [indicators of compromise] IOCs from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity;”
- “Contact law enforcement immediately regarding any identified activity related to ransomware, and contact [the Office of Foreign Assets Control] OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus;”
- “Report suspicious activity to FinCEN, highlighting the presence of ‘Cyber Event Indicators.’ IOCs, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided in the SAR form. Information regarding ransomware variants, AECs requested for payment, or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments;”
- And “review financial red flag indicators of ransomware in the ‘Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments’ issued by FinCEN in October 2020.”
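The first recommendation above (feeding IOCs into detection systems) is the one with a concrete engineering shape, so here is an added example of what that ingestion looks like in practice. This is illustration code written for this page, not FinCEN's or any vendor's tooling. It parses a small IOC feed of the types the report says can go on a SAR (domains, IP addresses, file hashes, e-mail addresses), undoes the "defanging" (`[.]`, `hxxp://`) that shared indicator lists commonly use, and then scans log lines for exact or subdomain matches. Every indicator and log line below is constructed for the example; none is a real IOC.

```python
"""Match a defanged IOC feed against log lines (added example; constructed data)."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

IOC_TYPES = ("domain", "ip", "hash", "email")

# Constructed IOC feed in a simple "type: value" format (not real indicators).
# Shared feeds are often defanged so nobody clicks them by accident.
IOC_FEED = """
# domain, ip, sha256/sha1/md5 and email are accepted types
domain: Example-Payment-Portal[.]test
ip: 192.0.2[.]10
sha256: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
email: payments@example-ransom[.]test
"""

# Constructed log lines (DNS, firewall, EDR, mail gateway); line 5 is benign.
LOG_LINES = [
    "2021-05-03T10:14:22Z dns query src=10.0.0.8 qname=mail.Example-Payment-Portal.test",
    "2021-05-03T10:15:01Z fw deny src=10.0.0.8 dst=192.0.2.10 dport=443",
    "2021-05-03T10:16:40Z edr file=C:\\Users\\a\\invoice.exe "
    "sha256=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0",
    '2021-05-03T10:17:05Z smtp from=payments@example-ransom.test to=ap@corp.test subject="Invoice"',
    "2021-05-03T10:18:00Z dns query src=10.0.0.9 qname=updates.corp.test",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")  # md5/sha1/sha256
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Lower-case and undo common defanging so feed values and logs compare cleanly."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
    return re.sub(r"hxxp(s?)://", r"http\1://", v)


def parse_feed(text: str) -> Dict[str, Set[str]]:
    """Parse 'type: value' lines into normalised sets keyed by IOC type."""
    iocs: Dict[str, Set[str]] = {t: set() for t in IOC_TYPES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        kind = kind.strip().lower()
        if kind in ("sha256", "sha1", "md5"):
            kind = "hash"
        if kind not in iocs:
            raise ValueError(f"unknown IOC type: {kind!r}")
        value = refang(value)
        if kind == "ip":
            ipaddress.ip_address(value)  # reject malformed addresses at ingest time
        iocs[kind].add(value)
    return iocs


def domain_hit(host: str, domains: Set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, matched_value) pairs found in one log line."""
    text = refang(line)  # logs pasted from reports may be defanged too
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(text):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for h in HASH_RE.findall(text):
        if h in iocs["hash"]:
            hits.append(("hash", h))
    for e in EMAIL_RE.findall(text):
        if e in iocs["email"]:
            hits.append(("email", e))
    # Strip e-mail addresses first so their domain part is not reported twice.
    for host in HOST_RE.findall(EMAIL_RE.sub(" ", text)):
        if domain_hit(host, iocs["domain"]):
            hits.append(("domain", host))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Scan every line; return (line_number, ioc_type, value) alerts in log order."""
    return [(n, k, v) for n, line in enumerate(lines, 1) for k, v in scan_line(line, iocs)]


if __name__ == "__main__":
    for line_no, kind, value in scan_logs(LOG_LINES, parse_feed(IOC_FEED)):
        print(f"line {line_no}: {kind} match on {value}")
```

Two design points worth noting: indicators are normalised once at ingest (case, defanging, IP validity) so the match loop is plain set membership, and domain indicators match subdomains as well as the bare name, which is why the first log line fires on `mail.example-payment-portal.test`. The regexes are deliberately simple; a production deployment would use the IDS's own indicator format rather than ad hoc patterns.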
To report suspicious cyber activity, the trend report urges firms to
- Contact the Cybersecurity and Infrastructure Security Agency (CISA) at cisaservicedesk@cisa.dhs.gov or (888) 282-0870;
- Contact the Federal Bureau of Investigation (FBI) through a local field office or FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937;
- Contact any U.S. Secret Service local field office to report a crime;
- Contact OFAC at ofac_feedback@treasury.gov if there is reason to suspect the “cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus;”
- And consult FinCEN’s resource page on advisories at https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets.
The full trend analysis can be found here: https://bit.ly/3vMvBd9
(The FTF webinar series “Ransomware on Wall Street & Beyond” is now available on demand; all webinar discussions can be accessed at https://bit.ly/3AyzZNF.)