Ransomware has emerged as one of the worst cybercrime threats to prey upon businesses and individuals alike. The prospect of financial gains motivates bad actors to devise new techniques to pressure or manipulate their victims. Ransomware has become the most profitable cybercrime as the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) spotted Bitcoin transactions worth billions. 

Let’s talk about some stats

  • Almost $5.2 billion worth of outgoing Bitcoin transactions have been observed by FinCEN. This amount is possibly linked to the top 10 most reported ransomware strains. 
  • The first half of 2021 witnessed $590 million in ransomware-related Suspicious Activity Reports (SARS), a 42% increase from all of 2020. 
  • The report lists 68 ransomware variants, among which include REvil, DarkSide, Conti, Phobos, and Avaddon. 
  • While the median ransom identified was $148,000, ransomware families have a varying range of ransoms to suit their budgets.
  • For the top 10 ransomware strains, 177 novel wallet addresses were identified. 

This report, however, delineates ransomware payments only in the U.S. - the global toll is certainly a lot greater. 

Ransomware payments and money laundering

  • While ransomware actors initially request payments in BTC, they have also started requesting payments in AEC and XMR. 
  • They avoid reusing wallet addresses. Once the ransom payment is received, they layer funds via several wallet addresses for each attack. The payments from each incident are laundered separately to reduce consolidation into single wallet addresses. 
  • Bad actors mainly use foreign centralized exchanges to deposit their illegally earned money. Non-compliant centralized exchanges are believed to be a major component in the layering process of money laundering.
  • The practice of chain hopping is followed to obfuscate the origin of the funds. Chain hopping refers to converting one CVC to another at least once before transferring the funds to a different platform. 

A ray of hope

This Financial Trend Analysis report followed the announcement by governments across the world regarding the crackdown on cryptocurrency payment channels used by ransomware groups. The Counter-Ransomware Initiative aims to empty these accounts and disrupt ransomware operations by affecting the funding channels. In addition to this, the U.S. Treasury announced its first-ever sanctions against a cryptocurrency exchange that promote ransom transactions and assist in evading sanctions. 

The bottom line

FinCEN has offered several recommendations to mitigate ransomware attacks by contacting law enforcement immediately, reporting suspicious events to FinCEN, and incorporating IOCs from threat data sources to detect intrusions. Ransomware has become a complicated cybersecurity problem and requires proactive, preparatory, and protection-based defense measures.

Cyware Publisher