The U.S. Financial Crimes Enforcement Network (FinCEN) recently revealed that Bitcoin is the most popular payment method among ransomware operators. This news alone would've been easy to guess—cryptocurrency and criminal activity go together like pancakes and syrup—but the sheer scope of those payments was previously unknown. FinCEN said it believes $5.2 billion worth of Bitcoin transactions have been linked to ransomware.
The agency's findings, which BleepingComputer reported on October 15, were published in a report titled "Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021." The report described the increasingly pervasive nature of ransomware attacks as well as the rising amount of money these attacks can net their operators. Ransomware isn't having a moment; it's establishing a long reign.
FinCEN said that its analysis of Suspicious Activity Reports (SARs) related to ransomware that were filed during the first half of 2021 "indicates that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public." The agency said 487 SARs were filed in 2020, but that number saw a 30 percent increase between January and June alone with a total of 635 SARs filed in that period.
That means there are more ransomware-related SARs being filed than ever before. Their value has also risen: "The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million," FinCEN said, "which exceeds the value reported for the entirety of 2020 ($416 million)." The average transaction amount rose from $100,000 to $102,273 as well.
So ransomware is becoming more common and slightly more expensive, which means leading attackers can bring in more money than ever before, even though FinCEN's report only covered the first half of the year. Unless these attacks slow down—and continued efforts to disrupt the REvil hacker group might help in that regard—things probably won't improve much for the second half of the year.
FinCEN said it identified 177 convertible virtual currency (CVC) wallets as having connections to the top 10 most common ransomware variants. Even though the harder-to-trace Monero cryptocurrency is becoming more popular, Bitcoin remains the most widely used payment method for ransomware attacks.
"Wallets associated with the 10 variants examined sent BTC valued at $5.2 billion to known entities, directly or indirectly, including 51 percent to exchanges, 43 percent to other CVC services, five percent to darknet marketplaces, and one percent to mixing services," FinCEN said. "These percentages identify transactions traced to known entities and may not represent the final cash-out locations after obfuscation of funds. "
All of this means that $5.2 billion worth of transactions only describes the leading ransomware variants. Only a small amount of those transactions (five percent) were used for illicit purchases on darknet marketplaces. The vast majority used chain-hopping, decentralized exchanges, and mixing services to make it harder to trace the BTC so it would be less risky to convert it to other currencies.
It's no wonder, then, that U.S. lawmakers and regulators have devoted more attention to cryptocurrency lately. They've effectively taken a two-pronged approach to address ransomware: the first prong is stopping the attacks themselves, and the second prong is making it more difficult to make obscene amounts of money off successful attacks, which means they need to target cryptocurrencies like Bitcoin.