One of the most important roles financial institutions play in identifying and potentially curbing ransomware attacks comes through their reporting responsibilities under the Bank Secrecy Act (BSA).
A report published Friday by the Financial Crimes Enforcement Network (FinCEN) on financial trends in BSA data between January and June 2021 analyzed all the known ransomware payment information reported by U.S. financial institutions in suspicious activity reports (SARs). The BSA requires financial institutions to file SARs to alert federal law enforcement about potential incidents of money laundering, terrorism financing, and other related crimes.
“Financial institutions play an important role in protecting the U.S. financial system from ransomware-related threats through compliance with BSA obligations,” FinCEN said in the report. “Financial institutions should determine if a SAR filing is required or appropriate when dealing with a ransomware incident, including ransomware-related payments made by financial institutions that are victims of ransomware.”
Not surprisingly, FinCEN found ransomware payments—most commonly paid in bitcoin (BTC)—are laundered by cybercriminals in a variety of ways.
First, the numbers. There were 635 SARs and 458 transactions related to ransomware filed with FinCEN between January 1 and June 30. The value of those transactions was $590 million. (Sometimes several different SARs identified the same ransomware payment.)
In all of 2020, FinCEN received 487 SARs on transactions worth $416 million.
“This trend potentially reflects the increasing overall prevalence of ransomware-related incidents as well as improved detection and reporting of incidents by covered financial institutions, which may also be related to increased awareness of reporting obligations pertaining to ransomware and willingness to report,” FinCEN said.
The median ransomware payment for the first six months of 2021 was $102,273, a slight increase from $100,000 for the first six months of 2020. The report noted there were two large ransomware payments reported in SARs data in March 2021, but also remarked that SARs often looked back on ransomware activity that had occurred several months earlier.
The agency said ransomware actors develop different ransomware attacks, called “variants,” which are “given new names based on a change to software or to denote a particular threat actor behind the malware.” FinCEN identified 68 variants reported in SARs data for transactions during the review period, including REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
FinCEN further conducted an analysis on the 177 blockchain wallets most associated with ransomware payments and found “approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.” Ransomware actors most commonly used anonymity-enhanced cryptocurrencies; avoided using the same digital wallet twice; used a method called “chain hopping” to convert one digital currency to another before cashing out; cashed out at centralized exchanges; and used “mixing services and decentralized exchanges to convert proceeds,” FinCEN said.
Some of these mixing services and exchanges are subject to BSA rules, FinCEN noted.
The Office of Foreign Assets Control (OFAC) at the U.S. Treasury also released information Friday regarding how ransomware payments might generate sanctions violations.
“The growing prevalence of virtual currency as a payment method … brings greater exposure to sanctions risks—like the risk that a sanctioned person or a person in a sanctioned jurisdiction might be involved in a virtual currency transaction,” OFAC said in compliance guidance. “Accordingly, the virtual currency industry … plays an increasingly critical role in preventing sanctioned persons from exploiting virtual currencies to evade sanctions and undermine U.S. foreign policy and national security interests.”
OFAC recently added a Russian-based virtual currency exchange, SUEX OTC, to its list of specially designated nationals (SDNs).