Dive Brief:
- The Treasury Department found $590 million in ransomware-related activity in suspicious activity reports (SARs) in the first half of 2021, according to analysis by the Financial Crimes Enforcement Network (FinCEN). Last year, ransomware-related activity totaled $416 million.
- Between January and June, financial institutions filed 635 SARs covering 458 transactions, up 30% from the entirety of 2020, when only 487 SARs were filed.
- FinCEN identified 177 unique convertible virtual currency (CVC) wallet addresses associated with the top 10 ransomware variants by analyzing 2,184 SARs "reflecting $1.56 billion in suspicious activity filed between 1 January 2011 and 30 June 2021," the report said. Starting from those CVC wallet addresses, FinCEN traced about $5.2 billion in outgoing bitcoin potentially tied to the top 10 variants.
Dive Insight:
Cryptocurrency is not inherently dangerous, but it has largely operated without regulation and oversight, and its pseudonymity lets bad actors, ransomware operators in particular, collect payment with little friction. That pseudonymity is not the same as anonymity: bitcoin transactions are recorded on a public ledger, which is what allowed FinCEN to trace outgoing funds from the wallet addresses it identified.
Though bitcoin is the most common payment method for ransomware actors, FinCEN also found activity using Monero, a privacy coin whose transactions obscure the sender, recipient and amount and are therefore far harder to trace, as well as cases where a threat actor requested payment in both bitcoin and Monero. In H1 2021, FinCEN found seven payments valued at about $34 million in which both bitcoin and Monero wallets were provided.
Bitcoin is an inseparable part of the ransomware business; even so, security experts say that even if crypto were regulated, cybercriminals would easily pivot to another tool. In the interim, the Treasury is using the tools it has to deter ransomware-related activity at digital exchanges.
The financial sector is one of the most regulated industries, giving the Treasury primary authority over ransomware payment activity. In the last 12 months, the department has warned that companies which pay sanctioned ransomware actors may face fines, proposed requiring businesses to report cryptocurrency transactions exceeding $10,000 to the IRS, and sanctioned a cryptocurrency exchange platform.
"U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on the Specially Designated Nationals (SDNs) and Blocked Persons List," according to the advisory. Evil Corp, SamSam and the Lazarus Group were among the initial sanctioned ransomware actors identified by the Treasury's Office of Foreign Assets Control (OFAC), the October 2020 notice said. In practice, this means an organization considering a ransom payment must screen the recipient, including the payment wallet address, against the SDN list before paying, and a match can turn the payment itself into a sanctions violation.
OFAC also published guidance on Friday for sanctions compliance in the virtual currency industry. "As sanctioned persons and countries become more desperate for access to the U.S. financial system, it is vital that the virtual currency industry prioritize cybersecurity and implement effective sanctions compliance controls," the guidance said. OFAC's overall SDN list contains more than 9,000 names, or variations of them.
Officials found at least 68 ransomware variants in the SARs data; the most common were REvil, Conti, DarkSide, Avaddon and Phobos. FinCEN tallied ransomware-related activity at approximately $66.4 million in mean monthly totals, with a median payment amount of $102,273.
While 90 SARs did not name the ransomware variant, some reports listed multiple variants in one filing. The top 10 ransomware variants collected a median of $27 million per month. FinCEN identified the variants only by number: Variant 1 was paid almost $12 million in June, followed by Variant 2 at $8.5 million.
Because FinCEN officials did not publicly identify the gangs behind the top 10 variants, some security professionals questioned the report's effectiveness as a deterrent. "We shouldn't overlook that there is likely some intentional strategic messaging by the USG here: 'We can track your payments,'" Katie Nickels, director of intelligence at Red Canary, said in a tweet. "I understand not wanting to reveal too much, but I wonder if naming the variants (rather than redacting) could have more of an impact toward this goal."