According to a report released by the US Treasury on Friday, more than $5 billion in bitcoin transactions have been linked to the top ten ransomware variants. Two studies, from the Department of Justice’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC), show how profitable ransomware-related crime has become for the gangs behind it.
Parts of the report are based on the suspicious activity reports (SARs) that financial services businesses file with the US government. According to FinCEN, the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, up from $416 million for the entire year of 2020.
“According to a FinCEN analysis of ransomware-related SARs submitted in the first half of 2021, ransomware is becoming a more serious danger to the financial industry, businesses, and the general public in the United States,” the report says.
The number of ransomware-related SARs filed each month is rising fast: 635 SARs were filed and 458 transactions reported between January 1 and June 30, 2021, up 30% from the 487 SARs filed for the full calendar year of 2020.
The Treasury Department identified about $5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments by analyzing 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period.
“According to statistics compiled from ransomware-related SARs, the mean monthly suspicious amount of ransomware transactions was $66.4 million, with a median of $45 million. The most common ransomware-related payment method in reported transactions is bitcoin,” the report continues.
The data set “consisted of 2,184 SARs showing $1.56 billion in suspicious activity filed between 1 January 2011 and 30 June 2021,” according to FinCEN. The US dollar amounts are based on the value of bitcoin at the time of the transaction.
While the study does not specify which ransomware variants generated the most revenue, it does name the most frequently reported ones, which include REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. FinCEN says it identified 68 different ransomware variants in total.
Allan Liska, a ransomware expert and member of the Recorded Future computer emergency response team, told ZDNet that Phobos’ inclusion in the top five is shocking.
“Phobos tends to fly under the radar and receives little notice,” Liska said. “Clearly, more attention needs to be paid to it so that organizations can better defend themselves against it.”
FinCEN has been tracking ransomware transactions since 2011, he noted, which means it has far more experience tracing cryptocurrency transactions than ransomware groups realize.
“I think we all suspected ransomware assaults were on the rise this year,” he said. “Finally, FinCEN identified 68 ransomware variants in SARs in just the first six months of the year. Again, I don’t believe most people are aware of the breadth of the ransomware ecosystem.”
The news comes just one day after US authorities and representatives from more than 30 countries concluded a two-day symposium on ransomware and how to combat it. The governments pledged to cooperate even more closely in the future, emphasizing the importance of holding bitcoin platforms accountable.
Alongside the report, FinCEN issued additional guidance that implicitly warns the virtual currency industry of sanctions if its platforms continue to allow sanctioned individuals or businesses to use them.
“The virtual currency business is subject to OFAC sanctions compliance rules in the same way that traditional financial institutions are, and there are civil and criminal penalties for failure to comply,” FinCEN said on Friday.
According to the FinCEN research, ransomware groups are increasingly using cryptocurrencies such as Monero, which are popular with people seeking anonymity, and are avoiding the reuse of wallet addresses.
Decentralized exchanges are being used to convert ransomware payments into other cryptocurrencies, and mixing services are commonly employed in the ransomware ecosystem to frustrate blockchain tracing.
The study also references “chain hopping,” a technique in which ransomware actors exchange one cryptocurrency for another at least once before transferring the funds to another service or platform.
The funds can then be moved by threat actors to large CVC services and money services businesses (MSBs) with lax compliance programs, FinCEN stated.