Ransomware netted at least $590 million for the criminals who create and distribute it in the first half of 2021 alone, more than the $416 million tracked throughout all of 2020, according to the US government's Financial Crimes Enforcement Network (FinCEN). Total financial activity related to ransomware may have reached $5.2 billion.
The $590 million figure appears in a financial trend analysis report [PDF] by the agency and reflects transactions identified in suspicious activity reports (SARs) filed by financial institutions. FinCEN's analysis of visible blockchain activity produced the larger figure of $5.2 billion.
FinCEN analyzed 635 SARs, of which 458 described transactions reported between January 1, 2021 and June 30, 2021; the rest reported older transactions that were subsequently deemed suspicious. In 2020, the agency saw 487 SARs filed.
Many of the transactions observed showed signs of attempted money laundering. Ransomware slingers are aware that using anonymity-enhanced cryptocurrencies (AECs) and other anonymization services is necessary to cover their tracks. For example, they prefer to communicate using Tor-protected email.
The report observes that ransom demands are dominated by a desire for Bitcoin, with some preferring Monero.
Some ransomware operators hand over the decryption keys after they get paid, and these are (by comparison) the noblest. Others "required additional negotiations and increasing demands for payment even after the initial payments had been made". Just in case you were wondering how grimy the scum could be.
The report identified 68 ransomware variants and named REvil / Sodinokibi, Conti, DarkSide, Avaddon, and Phobos as the most common.
The median ransom identified was $148,000, but the ransomware variants appear to have different price ranges to suit a range of budgets!
The document only describes ransomware payments reported in the United States; the global toll is almost certainly much higher.
The US Treasury responded to the report with predictable anger, but also two concrete actions.
One was to designate a virtual currency exchange called "SUEX OTC, S.R.O." as an entity that US persons are not allowed to do business with.
"SUEX facilitated transactions involving illicit proceeds of at least eight ransomware variants," the Treasury said. "Analysis of known SUEX transactions shows that over 40% of SUEX's known transaction history is associated with illicit actors," and the organization has been accused of "providing material support to the threat posed by criminal ransomware actors".
The Treasury has also issued an updated advisory on the potential sanctions risks of facilitating ransomware payments [PDF], which proclaims that the US government "strongly discourages all private companies and citizens from paying ransom or extortion demands" because it feeds criminals. There is a further reason: the ransomware vendors may already have been designated as prohibited entities, and if so, doing business with them by paying a ransom is itself illegal.
The department "recommends instead focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks", and on reporting attacks rather than negotiating.
You know the drill, folks: patch early, patch often. ®