- The Treasury Department found $590 million in ransomware-related activity in suspicious activity reports (SARs) in the first half of 2021, according to analysis by its Financial Crimes Enforcement Network (FinCEN). Last year, ransomware-related activity totaled $416 million.
- Between January and June, financial institutions filed 635 SARs (including 458 actual transactions that occurred during that period), up 30% from the 487 SARs filed for the entirety of last year.
- FinCEN found 177 unique convertible virtual currency (CVC) wallet addresses associated with the top 10 most common ransomware types by analyzing recent data, the report said. Of those CVC wallet addresses tied to the top types, FinCEN identified about $5.2 billion in outgoing bitcoin as potentially tied to ransomware payments. It also compared the recent findings to data gathered over the past decade to identify trends.
Cryptocurrency is not inherently dangerous, but it has proliferated largely without regulation and oversight. It gives bad actors anonymity to conduct their business primarily in ransomware.
Though bitcoin is the most common payment method for ransomware actors, FinCEN also found activity using Monero, or cases where a threat actor requested money in both bitcoin and Monero. In H1 2021, FinCEN found seven payments valued at about $34 million where bitcoin and Monero wallets were provided.
Bitcoin is often an integral part of the ransomware business, however, security experts say that even if crypto was regulated, cybercriminals would easily pivot to another tool. In the interim, the Treasury is using what regulations it has to deter ransomware-related activity in digital exchanges.
The financial sector is one of the most regulated industries, giving the Treasury primary authority over regulating ransomware payment activity. In the past 12 months, the department has threatened to fine companies that pay sanctioned ransomware actors, requested businesses report digital transactions exceeding $10,000 to the IRS, and sanctioned a cryptocurrency exchange platform.
U.S. persons are prohibited from engaging in transactions with individuals or entities on the Specially Designated Nationals and Blocked Persons List (SDN list), according to the advisory. Evil Corp., SamSam and the Lazarus Group were among the initial sanctioned actors identified by the Treasury's Office of Foreign Assets Control (OFAC), the October 2020 notice said. OFAC's overall SDN list has more than 9,000 names, or variations of them.
On Friday, OFAC also provided guidance for sanctions compliance related to virtual currencies. "As sanctioned persons and countries become more desperate for access to the U.S. financial system, it is vital that the virtual currency industry prioritize cybersecurity and implement effective sanctions compliance controls," the guidance said.
Officials found at least 68 ransomware types in SARs data, where the most common versions, or 'variants,' were REvil, Conti, DarkSide, Avaddon, Phobos. FinCEN tallied the ransomware-related activity to approximately $66.4 million in mean monthly totals, with the median average payment amount was $102,273.
While 90 SARs did not include the ransomware's name, some reports showed multiple variants in one filing. The top 10 ransomware variants collected a monthly median average of $27 million. FinCEN only identified the different ransomware types by numbers; Variant 1 was paid almost $12 million in June, followed by Variant 2's $8.5 million.
Because FinCEN officials didn't publicly identify the gangs associated with the top 10 variants, it left some security professionals second-guessing its effectiveness. "We shouldn't overlook that there is likely some intentional strategic messaging by the USG here: 'We can track your payments,'" Katie Nickels, director of intel at Red Canary, said in a tweet. "I understand not wanting to reveal too much, but I wonder if naming the variants (rather than redacting) could have more of an impact toward this goal."