FinCEN’s ransomware report reveals analysis of SAR data

A new report from the Financial Crimes Enforcement Network (FinCEN) has revealed a substantial increase in the prevalence of ransomware attacks in the first half of 2021.

Section 6206 of the Anti-Money Laundering Act (AMLA) of 2020 requires FinCEN to periodically publish analytical reports based on the suspicious activity reports (SARs) filed by financial institutions. The January 2021 to June 2021 edition of the report was the first issued by FinCEN under the agreement.  

Substantially more ransomware-related SARs filed in 2021

The report found that the number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021. This is an increase of 30% from the total of 487 SARs filed for the entire 2020 calendar year.

The report also found that the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million. This exceeds the value reported for the entirety of 2020 ($416 million).

Overall, bitcoin was the most common ransomware-related payment method in reported transactions, but the use of anonymity-enhanced cryptocurrencies (AECs) is also rising. However, privacy coin Monero was noted in only 17 SARs, and cryptocurrency mixers were only reported in approximately 1% of ransomware transactions.

In addition to this, the report also found that:

• 68 ransomware variants were reported in the SAR data, with the most common variants including REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos
• Wallets associated with the 10 variants examined by the report sent BTC valued at $5.2 billion to known entities, either directly or indirectly
• A handful of digital forensics and incident response (DFIR) firms accounted for 63% of SARs filed in the first-half of 2021
• Victims typically communicated with the threat actors via The Onion Router (Tor), encrypted email, non-encrypted email, and unidentified web portals provided by the attackers

Common money laundering typologies attributed to ransomware variants

By analyzing ransomware-related SARs, conducting blockchain analysis, and leveraging industry observations, FinCEN identified at least six money laundering typologies that were common among ransomware variants in 2021. These were:

1. Threat actors are increasingly requesting payment in AECs
2. Threat actors are avoiding reusing wallet addresses
3. Centralized convertible virtual currency (CVC) exchanges have become preferred cash-out points
4. ‘Chain hopping’ is used to obfuscate financial trails on blockchains
5. Mixing services are prevalent in 2021
6. Decentralized exchanges are likely used to convert illicit proceeds

Fight financial crime with Veriff

Over the past year, the issue of ransomware has continued to draw significant attention from enforcement agencies, law makers, and political appointees. As a result, the pressure is now mounting on regulators and law enforcement agencies to take meaningful enforcement action against businesses and service providers that do not comply with recent AML/CFT legislation.

Thankfully, our AI-powered identity verification and KYC solution will help you prevent fraud, guarantee compliance, increase conversions and ensure that you always know who your customers are.

With our identity verification platform, you can welcome honest customers and lock out fraudsters. Our platform is easy to integrate and gives you compliance in a couple of clicks. To learn more, talk to us today.