The Financial Crimes Enforcement Network (FinCEN), the financial intelligence unit of the US Treasury Department, recently reported roughly $5.2 billion in outgoing Bitcoin transactions that analysts assess were potentially tied to ransomware payments.
The analysis was based on 2,184 suspicious activity reports (SARs) filed by US financial institutions over roughly the past decade.
From those filings, FinCEN identified 177 convertible virtual currency (CVC) wallet addresses that were used for ransomware-related payments tied to the reported variants.
In the First Six Months of 2021, Ransomware Filings Exceeded the Whole of 2020
Looking at the first six months of 2021 alone, FinCEN identified $590 million in ransomware-related SARs.
That is a 42 percent increase over the total reported for all of 2020.
If the trend continues, the SARs filed in 2021 are predicted to carry a higher ransomware-related transaction value than those of the previous ten years combined.
68 Variants Classified, Variant 1 Most Widespread
FinCEN identified 68 ransomware variants in the SAR data and singled out the 10 with the highest cumulative payment amounts recognized in SARs.
The highest total suspicious payment amounts reported for individual variants ranged from $30 million to $76 million. In June 2021 alone, the highest cumulative suspicious payment amounts were associated with Variant 1 ($11.78 million) and Variant 2 ($8.53 million).
Most Reported Ransomware-Related Payments Are in Bitcoin
Bitcoin was the most common ransomware-related payment method in the reported transactions, and it remains the currency most threat actors demand for their illicit payments.
FinCEN also noted a growing number of ransom demands requesting Monero, whose privacy-preserving design makes tracing payments considerably harder than it is with Bitcoin.
Tor and Email Systems Used for Communication
In these ransomware incidents, the threat actors communicated with victims through the following mediums:
- The Onion Router (Tor)
- Encrypted email
- Non-encrypted email
- Unidentified web portals
Typically the victims, or the DFIR firms representing them, make initial contact with the threat actors through a Tor site in order to negotiate the ransomware-related payment.
Ransomware Detection and Mitigation
Financial institutions should determine whether a SAR filing is required when dealing with a ransomware incident, including ransomware-related payments made by financial institutions themselves.
FinCEN recommends the following mitigations:
- Report identified ransomware-related activity to law enforcement agencies immediately.
- Incorporate IOCs from threat data sources into intrusion detection systems and security alerting so that potentially malicious activity is flagged and blocked.
- Review the financial red flag indicators in FinCEN's Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.
- Report identified suspicious activity to FinCEN immediately, including the associated cyber event indicators (such as wallet addresses and network indicators) in the filing.
Financial institutions may also file a SAR with FinCEN on any transaction they believe is related to a violation of a law or regulation.
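As an added example of the IOC recommendation above (this is not code from FinCEN or from the original article), the following Python routine screens constructed transaction and proxy log lines against a constructed IOC feed of Bitcoin wallet addresses and Tor hostnames. The feed entries, the key=value log format and the extraction regular expressions are assumptions chosen for illustration; none of the addresses or hostnames is a real indicator.

```python
"""Screen constructed transaction and proxy logs against an IOC feed.

Added example (not from the FinCEN analysis or the original article):
one way to act on the "consolidate IOCs into detection systems"
recommendation. Every wallet address, .onion hostname and log line here
is constructed for illustration and corresponds to no real indicator.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Constructed indicators. A production feed would be built from FinCEN
# advisories, ISAC sharing and commercial threat intelligence.
LISTED_BECH32 = "bc1qransomexampleaddressaaaaaaaaaaaaaaaaa"  # constructed
LISTED_LEGACY = "1RansomExampeAddressBBBBBBBBBB"             # constructed
LISTED_ONION = "ransomexampleaaa.onion"                      # constructed

IOC_FEED: Dict[str, Set[str]] = {
    "btc_address": {LISTED_BECH32, LISTED_LEGACY},
    "onion_host": {LISTED_ONION},
}

# Loose extractors for the artefacts worth pulling out of logs: legacy
# (1.../3...) and bech32 (bc1...) Bitcoin addresses, and .onion hostnames.
# They are deliberately permissive; the IOC feed, not the regex, decides
# what is suspicious.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)

# Constructed log lines in a hypothetical key=value format: one proxy
# record and three CVC transaction records.
SAMPLE_LOGS: List[str] = [
    f"2021-06-14T09:12:03Z proxy src=10.0.4.17 dst={LISTED_ONION}:443 action=allow",
    f"2021-06-14T10:41:55Z cvc txid=c0ffee01 direction=out amount_btc=4.2 to={LISTED_BECH32}",
    "2021-06-14T11:02:10Z cvc txid=c0ffee02 direction=out amount_btc=0.01 to=1BenignExampeAddressCCCCCCCCCC",
    f"2021-06-15T08:00:00Z cvc txid=c0ffee03 direction=out amount_btc=2.0 to={LISTED_LEGACY}",
]


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the scanned log
    ioc_type: str    # key of IOC_FEED that matched
    indicator: str   # the matched value, normalised


def extract_indicators(line: str) -> Iterator[Tuple[str, str]]:
    """Yield (ioc_type, value) for every address- or hostname-like token."""
    for m in BTC_RE.finditer(line):
        yield "btc_address", m.group(0)          # addresses are case-sensitive
    for m in ONION_RE.finditer(line):
        yield "onion_host", m.group(0).lower()   # hostnames are not


def screen_logs(lines: List[str], feed: Dict[str, Set[str]] = IOC_FEED) -> List[Hit]:
    """Return every log line containing a listed indicator, in log order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        for ioc_type, value in extract_indicators(line):
            if value in feed.get(ioc_type, set()):
                hits.append(Hit(n, ioc_type, value))
    return hits


if __name__ == "__main__":
    for h in screen_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.ioc_type} {h.indicator}")
```

Run against the constructed logs, the proxy line and two of the three transaction lines are flagged; the third transaction goes to an address that is not on the feed and is left alone. The same feed, loaded as a lookup table in an IDS or SIEM, gives the alerting and blocking the recommendation describes, and each hit carries the indicator that should go into the SAR's cyber event indicators.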