What is Ransomware?
In its report, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) defined ransomware as a software that encrypts files and holds the data hostage until the receipt of ransom money. Ransomware attacks have shifted from a “high-volume” approach to a selective one, maximizing the opportunities for return by targeting larger businesses. Since 2019, ransomware groups have adopted new extortion tactics, such as threatening to publish the stolen data, to ensure payment of the ransom is made.
What happened in 2021?
In 2021, there were 1,013 Bank Secrecy Act (“BSA”) filings that reported $750 million in ransomware-related activity. 2021 has surpassed all prior years in both the number of incidents and total dollar value of ransomware-related incidents reported in BSA filings. In 2021, there was a 188% increase in ransomware-related filings from 2020. Within 2021, there was a rise in incidents between the first and second half of the year. For first half of 2021, FinCEN, using BSA data, reported at least 458 ransomware-related incidents valuing roughly $398 million. In the second half of 2021, at least 793 ransomware-related incidents were reported, valuing roughly $488 million. FinCEN acknowledges that the increase could be attributed to either increased ransomware-related incidents or improved reporting and detection.
What is the connection to Russia?
Roughly 58% of the unique ransomware variants that were reported to FinCEN between July 2021 and December 2021 were identified as potentially being related to actors in Russia. FinCEN recognized the difficulties of malware attribution; however, it identified those 58% of variants as “using Russian-language code, being coded specifically not to attack targets in Russia or post-Soviet states, or as advertising primarily on Russian-language sites.” Of the top five variants reported, four were found to be connected to Russia, based on at least one of the previously listed attributes. Finally, Russia-related variants were connected to 75% of the ransomware-related incidents reported in the second half of 2021.
What are FinCEN’s recommendations?
FinCEN highlights the importance for financial institutions to be able to determine when it is required to file a suspicious activity report (SAR) when dealing with a ransomware incident. FinCEN recommends:
- Incorporate indicators of compromise into detection systems and enable blocking or reporting of malicious activity
- Promptly contact law enforcement for any identified ransomware-related activity, Office of Foreign Assets Control (“OFAC”) if the cyber actor is suspected to be sanctioned or have a sanctions nexus, and report suspicious activity to FinCEN
- Review FinCEN’s report “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments”
For further information on how to incorporate FinCEN’s recommendations into your compliance system or ransomware preparedness and sanctions compliance more generally, please reach out to any of the contacts listed above.
Authored by Beth Peters, Cassady Cohick, and Andrea Fraser-Reid.