What is the Ransomware Financial Trend Analysis?
On October 15th, the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) released a Financial Trend Analysis focusing on Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021. In the report, FinCEN details and explains trends made apparent through data collected from Suspicious Activity Reports (SARs) submitted by institutions affected by ransomware.
The report was issued in response to the increasing danger and frequency of ransomware attacks being carried out against businesses, infrastructure, healthcare, energy, and education both at home in the U.S. and the world over. The data collected in the report indicates that ransomware continues to pose a growing threat to institutions across all sectors, as well as to the public at large.
What is ransomware and why is it becoming so dangerous?
Ransomware is a type of malware that encrypts a victim’s data. Once threat actors have successfully installed ransomware onto a victim’s network, they are able to lock the intended users out and deny access until a ransom is paid. Aside from the obvious financial and real-world implications of being unable to access system infrastructure, threat actors often further increase the pressure on victims by threatening to steal or destroy the data that they hold captive in a maneuver referred to as “double extortion.”
Historically, malware attacks have been carried out by hackers playing a numbers game. Attackers would not home in on specific targets, instead spreading their efforts across a wide variety of potential victims in the hope that someone would fall for the trap.
Recently, however, threat actors have become emboldened by the advent of cryptocurrency and by the chaos that the COVID-19 pandemic has wrought on the cybersecurity protocols of major companies now relying on remote workforces. Targeting high-profile victims, and succeeding, is no longer uncommon.
Some ransomware purveyors have also increased their income by selling their ransomware as a service (RaaS). By providing their malware to third parties in exchange for a specific rate or a percentage of the final payout, ransomware creators have devised a new manner in which to profit.
Ransomware is now a hot topic in the field of cybersecurity, with everyone from small business owners to federal agencies working to protect themselves against this advanced and growing danger.
Key takeaways from the Ransomware Financial Trend Analysis
While not terribly long or dense with detail, the report may still be too opaque to adequately convey the critical nature of the data within it. This list distills the report down to its most fundamental, important, or interesting findings:
- The mean amount of ransomware transactions in the time period examined was $66.4 million.
- Bitcoin (BTC) is the most commonly requested payment method in reported ransomware transactions, although Monero (XMR) has been growing in requests and will likely see an increase compared to 2020 due to its focus on anonymity. The report generally expects transaction requests in Monero and other Anonymity-enhanced Cryptocurrencies (AECs) to rise as criminals continue to find new ways to evade detection and launder money through crypto and a technique known as “chain-hopping.”
- “Chain-hopping” is a term used to describe converting one cryptocurrency into another across different wallets. This makes crypto money trails very difficult to follow.
- Interestingly, the report mentions that victims are sometimes subjected to surcharges or offered discounts in order to encourage them to provide their payout in the threat actor’s preferred currency.
- During the period of time reported, 68 ransomware variants were identified.
- The most commonly reported ransomware variants are REvil/Sodinokibi, Conti, DarkSide, Avaddon and Phobos. Knowing the name of the ransomware variant can help authorities pinpoint who may be responsible for the attack. However, not all SARs name the ransomware they are reporting, so the data is not complete.
- The top 10 variants reported account for $217.56 million in transactions, highlighting how powerful some ransomware can be if properly executed against unprepared targets.
- Crypto remains popular with cybercriminals: FinCEN reports that it confirmed 177 convertible virtual currency (CVC) wallet addresses being used for ransomware transactions.
- $5.2 billion in bitcoin transactions may be associated with ransomware payouts.
- In the time period analyzed, $590 million in ransomware-related SARs have been identified, showing an increase of 42% over the $416 million identified over the same period of time in 2020.
- If the trends identified continue, the total dollar amount of ransomware-related SARs reported in 2021 will surpass the value of all SARs reported over the past ten years. However, this value is undoubtedly also rising thanks to better detection and reporting of these incidents.
- The data shows that 63% of SARs related to ransomware were filed by digital forensics and incident response (DFIR) firms, with banks and CVC exchanges making up about a third of the total SARs reported. This indicates that the third-party cybersecurity firms employed by financial institutions are doing the vast majority of the actual reporting of ransomware events.
- Threat actors usually communicate their requests to victims using The Onion Router (Tor), email (both encrypted and non-encrypted) or custom web portals created by the attackers. Tor allows for anonymous web browsing and encryption, making it the ideal platform on which criminals can comfortably communicate with their victims without fear of identification.
- Criminals favor currency exchanges that do not have adequate compliance standards to both launder and cash out their money.
The report’s recommendations for detecting and mitigating threats
The analysis closes with advice from FinCEN regarding how to best fortify against malicious actors in four steps:
- Intrusion detection systems should be able to accurately and swiftly detect any indicators of compromise (IOCs), so that suspicious activity can be blocked and flagged.
- If activity related to ransomware is detected, FinCEN recommends immediately contacting law enforcement as well as OFAC. Contact information for the agencies that should be reached is provided at the end of the official report.
- Report suspected malicious activity to FinCEN. The SAR form provides a means to submit any suspicious email addresses, hashes, domains, file names and more. Victims are encouraged to provide as much data as possible on their findings, including the name of the ransomware variant being used as well as any transaction information, including virtual currency addresses and transaction hashes.
- FinCEN recommends reviewing “red flag indicators of ransomware” in the Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments that they issued in October of 2020.
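A defender-side illustration of the first and third recommendations above, matching known indicators against log data and then collecting the indicator types FinCEN asks filers to include. This is an added example, not code from the FinCEN report or the article; the indicator values, log lines, variant name and record field names are all constructed placeholders.

```python
import re

# Constructed indicator set: placeholder values, NOT real ransomware IOCs.
CONSTRUCTED_HASH = "0" * 63 + "1"
CONSTRUCTED_ADDR = "bc1qexample" + "x" * 28
IOCS = {
    "hashes": {CONSTRUCTED_HASH},
    "domains": {"payportal.example"},
    "emails": {"support@payportal.example"},
    "cvc_addresses": {CONSTRUCTED_ADDR},
}
VARIANT = "ExampleLocker"  # constructed variant name, not from the report

# Constructed log lines imitating EDR, proxy, mail and ransom-note sources.
SAMPLE_LOGS = [
    "2021-04-02T10:01:07Z edr host=ws17 event=file_write sha256=" + CONSTRUCTED_HASH,
    "2021-04-02T10:01:09Z proxy host=ws17 dst=payportal.example status=200",
    "2021-04-02T10:03:11Z mail host=ws17 to=support@payportal.example subject=key",
    "2021-04-02T10:05:00Z proxy host=ws17 dst=updates.example.org status=200",
    "2021-04-02T11:20:45Z note host=ws17 text=send 2 BTC to " + CONSTRUCTED_ADDR,
]

# Extractors for the indicator types FinCEN asks filers to include in a SAR.
PATTERNS = {
    "hashes": re.compile(r"\b[0-9a-f]{64}\b"),
    "domains": re.compile(r"dst=([\w-]+(?:\.[\w-]+)+)"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "cvc_addresses": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,60}\b"),  # bech32 BTC only
}

def match_iocs(log_lines, iocs, variant):
    """Scan log lines for known indicators; return (SAR-style record, hit count)."""
    rec = {"variant": variant, "hosts": set(), "first_seen": None}
    rec.update({kind: set() for kind in PATTERNS})
    hits = 0
    for line in log_lines:
        ts = line.split(" ", 1)[0]            # ISO-8601 timestamp sorts as text
        host = re.search(r"host=(\S+)", line)
        for kind, pat in PATTERNS.items():
            for value in pat.findall(line):
                if value not in iocs.get(kind, set()):
                    continue                  # extracted, but not a known indicator
                rec[kind].add(value)
                hits += 1
                if host:
                    rec["hosts"].add(host.group(1))
                if rec["first_seen"] is None or ts < rec["first_seen"]:
                    rec["first_seen"] = ts
    return rec, hits
```

The fourth log line matches a benign destination that is not in the indicator set, so it contributes no hit; the returned record is the data you would carry into the SAR narrative and the law-enforcement contact.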
Further reading and research
The report recommends reading the information available on CISA’s StopRansomware.gov website where you will find alerts, fact sheets, guides, and more, all developed with the goal of keeping ransomware in check and at bay.
A “high-level prevention best practices and a response checklist” can be found within the Multi-State Information Sharing and Analysis Center’s Ransomware Guide.
For deeper insight into the procedures and tools that assist in detecting threats, mitigating damage and containing data in the event of a breach or ransomware attack, FinCEN recommends the National Institute of Standards and Technology’s Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events.