ransomware groups

Chris Swagler | October 18th, 2021


According to the US government’s Financial Crimes Enforcement Network (FinCEN), the ransomware groups that created and distributed the tracked ransomware strains were paid at least $590 million in ransom payments in the first half of 2021, more than the $416 million tracked for all of 2020. The total value of ransomware-related financial activity may have reached $5.2 billion. The agency’s Financial Trend Analysis report derives the $590 million figure from transactions described in financial institutions’ Suspicious Activity Reports (SARs), while the $5.2 billion figure is based on FinCEN’s analysis of visible blockchain activity.

Ransomware Groups Collected Ransom Payments

Of the 635 SARs FinCEN analyzed for January 1, 2021, through June 30, 2021, only 458 described transactions that took place within that period; the remaining reports covered older transactions that were later discovered to be suspicious. The agency saw 487 SARs filed in all of 2020. A majority of the transactions described in the report show evidence of attempted money laundering. To obscure the money trail, ransomware groups use Anonymity-Enhanced Cryptocurrencies (AECs) and other anonymizing services, including Tor-shielded email.

Most ransomware threat actors demand Bitcoin as the ransom payment, while only a few prefer Monero. Once payment is made, ransomware groups typically deliver the decryption keys to the victims. However, some escalate the negotiation and raise their payment demands even after an initial payment has been made.

There are currently 68 tracked variants of ransomware, with REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos being the most common. The report covers only US ransomware payments; the global toll is much higher. According to the report, the median ransom payment was $148,000; however, most ransomware groups set their prices differently to suit their budgets. The US Treasury responded aggressively to the report with two affirmative actions. First, it designated a virtual currency exchange, SUEX OTC, S.R.O., as an entity with which US citizens are not allowed to conduct business. SUEX conducted transactions involving illicit proceeds from eight different ransomware groups. According to the US Treasury, over 40% of SUEX’s known transactions were associated with illicit actors, and it accused the organization of providing material support to ransomware threat actors.

The US Treasury released an updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, stating that the US government advises all private companies and citizens to avoid paying ransom or extortion demands. Paying only encourages further demands, and some of these ransomware groups may be on the sanctions list, which makes conducting payments with them illegal.

Based on the Financial Trend Analysis Report, the Department recommends that companies focus on strengthening their defensive and resilience measures to prevent and protect against ransomware attacks, and that they report attacks rather than negotiate with the threat actors. Companies should always treat negotiating with threat actors as a “last resort,” because these groups use a range of methods and tactics to squeeze payments out of victims. The engineers at SpearTip have the experience to handle these situations and will negotiate with threat actors so your company doesn’t have to. Threat actors are never to be trusted in any situation, because they may not follow through on their promises to return data even after a payment has been made.

At SpearTip’s Security Operations Centers, our certified engineers continuously monitor your networks 24/7 for potential threats like those described in the US Treasury’s report. Being proactive is always the most effective route to protecting your company’s network. The ShadowSpear platform is a proactive tool that prevents ransomware from penetrating your machines and provides a direct line of communication with our engineers should you have any questions.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
