On October 15, 2021, the Financial Crimes Enforcement Network (“FinCEN”) issued a financial trend analysis on ransomware relating to Suspicious Activity Reports (“SARs”) filed in the first half of this year (“Analysis”). According to the Analysis, U.S. banks and financial institutions reported $590 million in suspected ransomware payments in SARs filed between January and June 2021, more than the total for all of 2020. FinCEN found that ransomware payments are often made using virtual currency, such as Bitcoin (“BTC”). The Office of Foreign Assets Control (“OFAC”) also released guidance in tandem with the FinCEN Analysis, addressing how the virtual currency industry can address sanctions-related risks.
Ransomware appears to be top-of-mind at the U.S. Treasury, as we have blogged. FinCEN’s Analysis and OFAC’s guidance came quickly on the heels of OFAC issuing on September 21 a six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action against a ransomware victim that halts an attack by making the demanded payment to attackers who were sanctioned or otherwise had a sanctions nexus. Also on September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange “for its part in facilitating financial transactions for ransomware variants.”
SAR Data and Ransomware Trends
Ransomware is a type of malicious software that encrypts victims’ files and restricts access to the data until a ransom is paid to unlock it. The number and severity of ransomware attacks against critical U.S. infrastructure are on the rise. This year has seen high-profile attacks, such as the ones on Colonial Pipeline, a critical East Coast fuel source, and JBS, one of the country’s biggest meat suppliers. FinCEN’s Analysis was published in response to the increase in ransomware attacks and pursuant to Section 6206 of the Anti-Money Laundering Act of 2020, which mandates that FinCEN periodically publish threat pattern and trend information derived from financial institutions’ SARs.
FinCEN examined ransomware-related SARs filed between January 1, 2021 and June 30, 2021 to determine trends. There were 635 SARs and 458 transactions identified as relating to ransomware filed within that period. Compared to 2020, when FinCEN received 487 SARs on transactions worth $416 million, this is a 42 percent increase. FinCEN stated that if current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined. To further make this point, the Analysis provides a graph of ransomware-related SARs filed since 2011.
It is important to note, however, that this trend likely reflects not only the increasing prevalence of ransomware-related incidents year after year, but also improvements in detection and reporting of incidents by covered financial institutions. There also may be increased awareness of reporting obligations pertaining to ransomware and a willingness to report such incidents.
The median payment amount for ransomware-related transactions during the first six months of 2021 was $102,273. FinCEN noted that ransomware-related payment amounts vary greatly, with the vast majority of payments less than $250,000. January 2021 saw a sharp increase in the number of SARs filed, due to lookback SAR reporting over the course of the preceding six months. Eighty-three of the 172 SARs filed in January 2021 were lookback filings in which the reported transactions occurred before December 2020.
FinCEN identified 68 ransomware variants (a variant being the strain of ransomware favored by a particular threat actor) reported in SAR data for transactions during the first six months of 2021. The top ten variants accounted for 242 SARs filed, worth $217.56 million in reported suspicious activity, with the leading variant alone accounting for $31 million in transactions. FinCEN further analyzed the 177 blockchain wallets most associated with ransomware payments and found $5.2 billion in outgoing BTC transactions to exchanges, convertible virtual currency (“CVC”) services, darknet marketplaces, and mixing services.
FinCEN’s Analysis noted that Digital Forensic Incident Response (“DFIR”) firms account for sixty-three percent of all ransomware-related SARs filed. DFIR firms negotiate and facilitate ransomware payments on behalf of victims by converting customer fiat funds (accepted legal tender) to CVC and then transferring the funds to criminal-controlled accounts.
FinCEN identified BTC as the most common ransomware-related payment method in reported transactions, with a modest increase in the use of Monero. Once payment is made, cybercriminals deliver the decryption keys to the victim. Some variants, however, elevate the negotiation to the next level and escalate the payment demands even after the initial payment, such as by threatening to publish the stolen data in the absence of further payment. FinCEN also highlighted the use of Anonymity-Enhanced Cryptocurrencies (“AECs”) and other anonymizing services, including email shielded by The Onion Router, or Tor.
Based on the analysis of ransomware-related SAR data, FinCEN identified at least six money laundering typologies attributed to ransomware variants in 2021:
- Threat actors are increasingly requesting payment in AECs, such as Monero, in order to further obfuscate their identities;
- Threat actors avoid reusing wallet addresses;
- Foreign centralized cryptocurrency exchanges are preferred as cash-out points;
- “Chain hopping”, the practice of converting one CVC into a different CVC at least once before moving the funds to another service or platform, is used to obfuscate financial trails on blockchains;
- Mixing services, used either as a general privacy measure or for covering up the movement of funds obtained from theft, darknet markets, or other illicit sources, are prevalent in 2021; and
- Decentralized exchanges are likely being used to convert illicit proceeds.
Ransomware poses a major threat to the public, the financial sector and businesses. Based on the data in the Analysis, FinCEN recommended that companies focus on strengthening their detection and alert systems to prevent and protect against ransomware attacks; report attacks immediately to law enforcement; file related SARs; and review the financial red flag indicators of ransomware noted in FinCEN’s October 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The emphasis on reporting attacks to law enforcement and regulators parrots OFAC’s strong emphasis on self-reporting in its September 21, 2021 Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.