FinCEN charts massive surge in ransomware activity reports in H1 2021

Quick Take

  • FinCEN, the Treasury’s AML office, finds that 2021 is on pace to beat 2020’s record year for ransomware.
  • There are, however, some issues with the presentation of FinCEN’s data, which may exaggerate the amount of money going to ransomware payouts. 
  • What may well be happening is an improvement in filing compliance. 

The U.S. anti-money laundering watchdog has put out a new report on a surge in ransomware payment activity in 2021. But is it a surge in ransomware or in reporting related to ransomware?

Published on October 15, the report on ransomware in the first half of 2021 comes from the Financial Crimes Enforcement Network (FinCEN). The report says we are in the midst of a bumper year:

"The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million)."

FinCEN is the Treasury office that enforces compliance with the Bank Secrecy Act and other anti-money laundering law. Among a host of provisions, financial institutions operating in the U.S. are required to file suspicious activity reports, or SARs, whenever they encounter activity that is, well, suspicious. 

It is from its database of SARs that FinCEN compiled its data. The details are, however, tricky. As the office explained:

"The full data set consisted of 635 SARs reporting $590 million in suspicious activity. Of the 635 SARs filed during the review period, 458 report actual transactions that occurred during the review period worth $398 million. The remaining 177 SARs report transactions that occurred before 1 January 2021."

While 2021 ransomware payouts seem on track to exceed those of 2020, the rate of increase in payouts is, consequently, not as significant as the rate of increase in SAR filings. Visualized, that difference looks like this:

[Chart. Source: FinCEN]

If you take the date of the actual attack rather than the filing, FinCEN's data shows $398 million in ransomware events, not $590 million. This may indicate an improvement in filing compliance, but it could also be the result of a commonplace lag time in identifying cryptocurrency addresses associated with ransomware attacks.

Another potential issue with this report is that FinCEN requires SARs from a number of financial operators that could act along the chain of a single ransomware payment, opening up the possibility of double-counting.

Among trends, FinCEN identified increased requests from ransomware actors for payouts in what the office calls "Anonymity-enhanced Cryptocurrencies." In the industry, these typically go by the name "privacy coins." The most famous privacy coin, Monero (XMR), received special attention. Data on XMR payouts are notoriously hard to come by and unreliable.

As previous authorities have noted, however, FinCEN said that the principal means of cashing out ransomware is not tricky technologies, but rather centralized cryptocurrency exchanges operating either without regulation or in jurisdictions that do not require know-your-customer checks.

High-profile ransomware attacks on U.S. infrastructure earlier this year catapulted the area to the top of the White House's national security agenda. Earlier this week, the Biden administration convened 32 countries to discuss regulation that would protect against future devastating attacks. 

In September, the U.S. Treasury sanctioned a crypto exchange for the first time. The exchange in question had been a vector for a number of ransomware payouts. 


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Kollen Post is a senior reporter at The Block, covering all things policy and geopolitics from Washington, DC. That includes legislation and regulation, securities law and money laundering, cyber warfare, corruption, CBDCs, and blockchain’s role in the developing world. He speaks Russian and Arabic. You can send him leads at [email protected].