FinCEN sees SAR surge tied to ransomware attacks, more than doubling in number in a year, surging to nearly $1.2 billion

The Skinny:

• The U.S. Treasury bureau tasked with defending the country against illicit finance has noted a hefty surge in bank reports of a particularly persnickety strain of cyber-enabled fraud: ransomware attacks.
• The Financial Crimes Enforcement Network (FinCEN) noted in two reports – covering the first and second half of 2021 – that suspicious activity reports (SARs) tied to ransomware nearly tripled, from 487 ransomware-related SARs in 2020, totaling nearly $416 million to 1,489 ransomware-related SARs in 2021, totaling nearly $1.2 billion.
• Law enforcement is responding – even if investigators can’t always get at the source of ransomware attacks, in many instances, Russia. More recently, agencies have targeted the nodes helping to move and launder ransomware payouts – chiefly made in virtual currency – by blacklisting and penalizing complicit or complacent virtual currency exchanges and crypto mixing services.

The U.S. Treasury bureau tasked with defending the country against illicit finance has noted a hefty surge in bank reports of a particularly persnickety strain of cyber-enabled fraud: ransomware attacks.

The Financial Crimes Enforcement Network (FinCEN) noted in two reports – covering the first and second half of 2021 – that suspicious activity reports (SARs) tied to ransomware nearly tripled, from 487 ransomware-related SARs in 2020, totaling nearly $416 million to 1,489 ransomware-related SARs in 2021, totaling nearly $1.2 billion.

Those figures are based on the SAR filing date.

FinCEN also broke up the data related to the incident date, being that SARs can have a significant delay – to months or years – from the date a bank noticed a potential ransomware transaction, investigated it and finally filed the report.

To read the full release, click here.

To read the full Financial Trend Analysis report, released Tuesday, covering from July to December 2021, click here.

To read the prior report released in October 2021, covering from January to June 2021, click here.

As for the figures related to incident date, AML data for 2020 suggests that at least 602 ransomware-related incidents occurred in 2020 valued at roughly $527 million.

Just a year later, in 2021, AML data revealed that at least 1,251 ransomware-related incidents occurred in 2021 with a total value of some $886 million.

FinCEN noticed that these increases are likely due to several factors, including “an increase of ransomware-related incidents or improved reporting and detection.”

Mirroring attacks in real world, Russia levels barrage of virtual fusillades

In addition, a major disturbing trend is that roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 “pertained to Russia-related ransomware variants.”

That is a detail that should not be lost on anti-money laundering (AML) teams, fraud teams and cyber defense strategists.

One of the challenges for U.S. investigators and allies in Europe and other countries is that, with most of the attacks coming from Russia, they had few avenues to go after the actors themselves.

Russia has historically been reticent, even recalcitrant, in partnering with foreigners to stop Iron Curtain ransomware gangs – in some cases because they are part of government-sanctioned efforts.

To better uncover and report on incidents, FinCEN is urging entities tied to ransomware incidents to:

Incorporate indicators of compromise (IOCs) from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.

Contact law enforcement immediately regarding any identified activity related to ransomware, and contact OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.

So how have law enforcement agencies responded?

FinCEN issued today’s report pursuant to the Anti-Money Laundering Act of 2020 and in response to an increase in the number and severity of ransomware attacks against U.S. critical infrastructure since late 2020.

More recently, they have gone after the nodes helping to move and launder ransomware payouts – chiefly made in virtual currency – by blacklisting and penalizing complicit or complacent virtual currency exchanges and crypto mixing services.

Last month, FinCEN and the Office of Foreign Assets Control (OFAC) levied a nearly $30 million fine against midsize virtual currency exchange, Bittrex, for a host of financial crime and sanctions compliance failings, including missed filings of aberrant activity and weak monitoring of activity tied to crypto mixers.

The order echoes several regulatory pain points and investigative focal points in bank and MSB compliance penalties in recent years, including lack of adequate compliance staffing, transaction monitoring blindspots and not making the connections to higher-risk entities or their suspicious activities.

These agencies have also gone after “mixers,” causing an uproar in the crypto community, with some wondering how certain software programs can be blacklisted – not just people, companies and regions.

FinCEN snapshot: What is ransomware?

The takeaway for crypto exchanges: don’t let your operation touch illicit ransomware payouts and laundering cycles.

The bureau defines ransomware as “malicious software that encrypts a victim’s files and holds the data hostage until a ransom is paid, most often in Bitcoin.”

Through its heightened analysis of AML filings tied to ransomware, FinCEN has noticed several emerging trends that should worry bank countercrime teams, corporates, hospitals, and entities considered “critical infrastructure.”

In the last two years, ransomware actors have “shifted from a high-volume opportunistic approach to a more selective methodology in choosing victims, targeting larger enterprises, and demanding bigger payouts to maximize their return on investment.”

Conversely, as larger ransomware gangs got more bold, sophisticated and punctured ever more high-profile companies, smaller groups have jumped on the bandwagon – by buying the virulent software from corrupt creators.

“Some ransomware actors have diversified their revenue streams using a ransomware-as-a-service (RaaS) business model in which ransomware creators sell user-friendly ransomware kits on the dark web or outsource ransomware distribution to affiliates in exchange for a percentage of the ransom,” FinCEN said.  

In recent years, ransomware groups have also engaged in what investigators call “double extortion,” where they don’t just encrypt the data – threatening to wipe it if they aren’t paid – they steal the data and threaten to publish it in dark web or open source forums.

FinCEN also noted a ramp up as 2021 wore on, mirroring the acceleration in ransomware attacks globally.

The first half of the year suggests at least 458 ransomware-related incidents valued at nearly $400 million.

The incidents rose quickly for the second half of the year, to just under 800 ransomware-related incidents valued at $488 million.

Ransomware rising in all areas: attacks, payouts soaring – incident every 11 seconds

To add salt to the wound, ransomware payments requests are, just like inflation, rising.

“As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before,” according to published figures by Panda Security.  

“The average ransom demand in the first half of 2021 amounted to $5.3 million — a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone.”

Government agencies, analysts and journalists have all highlighted that ransomware, once a pesky and petulant cyber attack vector blindly targeting the careless and unwary, has become more focused, aggressive and pervasive.

“Ransomware attacks are one of the fastest-growing cyber threats in recent history — reports of ransomware incidents increased 62% in 2021 compared to 2020,” according to a compilation of statistics by Panda.

Some stats framing the severity of the attacks include:

1. Globally, there were 304.7 million ransomware attacks in the first half of 2021, a 151% increase since 2020. (SonicWall)
2. Ransomware attacks experienced annually by organizations have been on the rise since 2018, peaking at 68.5% in 2021. (Statista)
3. 80% of organizations were hit by a ransomware attack in 2021. (Claroty x Forbes)
4. Experts estimated that a ransomware attack would take place every 11 seconds in 2021. (Cybersecurity Ventures)
5. There were a record-breaking number of ransomware attacks in Q3 of 2021, totaling 190.4 million. (SonicWall)

“Ransomware was also the third most used cyberattack method in 2021, accounting for 10% of all data breaches,” the group noted. “This explosive uptick in attacks is expected to continue in 2022 and beyond.”