$5.2 Billion in Ransomware Payments Identified by FinCEN

By Richard Anderson

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has identified $5.2 billion in outgoing Bitcoin transactions from cryptocurrency wallet addresses linked to ransomware gangs, highlighting both the extent to which ransomware is being used in attacks in the United States and how much money ransomware threat actors are making.

FinCEN analyzed 635 ransomware-related Suspicious Activity Reports (SARs) filed by financial institutions in the first half of 2021, and the 458 ransomware-related transactions those reports covered for the period January 1, 2021 to June 30, 2021. That is 30% more SARs than were filed in the whole of 2020, a clear indication of the increase in ransomware attacks this year. The SARs covered financial transactions totaling $590 million, a 42% increase on the $416 million reported for all of 2020. In the first half of 2021, the mean total of monthly ransomware-related payments was $66.4 million and the median was $45 million.

If ransomware payments continue at a similar rate during the second half of 2021, FinCEN expects the SARs filed in 2021 to show a higher ransomware-related transaction value than the SARs filed in the previous 10 years combined.

FinCEN’s analysis identified 68 active ransomware variants over the review period, with the majority of payments going to the REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos operations. Payments were made to 177 unique convertible virtual currency (CVC) wallet addresses associated with the 10 most commonly reported variants, and blockchain analysis of those addresses identified $5.2 billion in outgoing BTC transactions linked to ransomware payments. That figure covers all outgoing flows from the identified addresses, not just the ransoms reported in SARs, which is why it is far larger than the $590 million in payments the SARs themselves document.

FinCEN did not name the 10 most common ransomware variants by number of attacks and transaction value, but said that variant 1 generated 64 U.S. ransom payments in the first 6 months of the year, with $30.7 million in cryptocurrency paid to the gang. Variant 3 had the highest dollar value of transactions, generating $75.8 million from 32 ransom payments. In total, 242 payments with a combined transaction value of $152.5 million were made to the top 10 ransomware operations in the first 6 months of the year.

FinCEN identified several methods ransomware gangs use to launder their payments. It is now common for gangs to use anonymity-enhanced cryptocurrencies (AECs), to use each wallet address only once, to “chain hop” between cryptocurrencies before cashing out at centralized exchanges, and to route proceeds through mixing services and decentralized exchanges to convert them.

Several initiatives have been implemented by governments worldwide to target ransomware gangs. FinCEN and the Treasury’s Office of Foreign Assets Control (OFAC) have issued advisories encouraging the reporting of ransomware incidents so that attacks can be tracked and law enforcement can pursue the attackers and their funds.

The Ransomware Disclosure Act, recently introduced in the U.S. Congress, would, if passed, require ransomware victims other than individuals to report any ransom payment to the Department of Homeland Security (DHS) within 48 hours. This would give DHS the data it needs to investigate ransomware attacks and improve understanding of how these cybercriminal enterprises operate.

Globally, governments are acting to hit ransomware gangs financially and make attacks less profitable by denying them the anonymity of cryptocurrency payment channels. The aim is to rapidly identify the wallet addresses used to receive ransom payments and to freeze or seize the funds before they can be withdrawn, which is seen as the most effective way of ensuring the gangs cannot profit from their attacks. Cryptocurrency exchanges that facilitate ransom transactions also face sanctions.


Richard Anderson is the Editor-in-Chief of NetSec.news