Ransomware attacks doubled from 2020 to 2021

Ransomware attacks doubled between 2020 and 2021, with much of the spike coming from Russia, especially at the end of last year.

The Financial Crimes Enforcement Network, in an analysis of Bank Secrecy Act filings, found there were at least 1,251 ransomware-related incidents last year, more than double the 602 reported in 2020. The total cost of incidents rose along with the count, going from $416 million in 2020 to nearly $1.2 billion in 2021, a 188% increase.

FinCEN noted that, in the latter half of 2021, attacks from Russia were particularly severe. Of the 793 incidents reported between July and December of last year, 594 of the attacks (75%) had a connection to Russia, its proxies or persons acting on its behalf. Further, even if the bad actors were not Russian, it is highly likely they used Russian software: FinCEN said that ransomware variants from Russia or places connected with Russia accounted for 69% of incident value, 75% of ransomware-related incidents and 58% of unique ransomware variants reported for incidents in the review period. All of the top five highest-grossing ransomware variants in this period were connected to Russian cyber actors, according to FinCEN.

"Today's report reminds us that ransomware — including attacks perpetrated by Russian-linked actors — remain a serious threat to our national and economic security," said FinCEN acting director Himamauli Das in a statement. "It also underscores the importance of BSA filings, which allow us to uncover trends and patterns in support of whole-of-government efforts to prevent and combat ransomware attacks. Financial institutions play a critical role in helping to protect the United States from ransomware-related threats simply by fulfilling their BSA compliance obligations."

FinCEN recommended that people:

  • Incorporate "indicators of compromise" from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity;
  • Contact law enforcement immediately regarding any identified activity related to ransomware, and contact the Office of Foreign Assets Control if there is any reason to suspect the cyber attacker demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus;
  • Promptly report suspicious activity to FinCEN, highlighting the presence of "Cyber Event Indicators." Indicators of compromise, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided in the SAR form; information regarding ransomware variants, requested methods of payment or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments; and
  • Review financial red flag indicators of ransomware in the "Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments" issued by FinCEN in November 2021.