U.S. banks and financial institutions reported $590 million in suspected ransomware payments in SARs filed between January and June 2021, more than the total for all of 2020

The Financial Crimes Enforcement Network (FinCEN) analysis of ransomware-related to Suspicious Activity Reports (SARs) filed during the first half of 2021 indicates that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public. FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.

The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021 (“the review period”), up 30 percent from the total of 487 SARs filed for the entire 2020 calendar year.

The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million).

Trends represented in this report illustrate financial institutions’ identification and reporting of ransomware events and may not reflect the actual dates associated with ransomware incidents.

FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts, top ransomware variants, and insights from FinCEN’s blockchain analysis:

Average Monthly Suspicious Amount of Ransomware Transactions

According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions.

Top Ransomware Variants

Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.

Insights from Blockchain Analysis

FinCEN identified and analyzed 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period.4 Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.

FinCEN Identified Ransomware Money Laundering Typologies

FinCEN identified several money laundering typologies common among ransomware variants in 2021 including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.