Ransomware remains ‘significant threat,’ FinCEN reports; large portion of variants connected to Russia cyber actors

Ransomware trends in Bank Secrecy Act (BSA) filings from July to December 2021 showed growth in the number and severity of ransomware attacks against U.S. critical infrastructure since late 2020, Treasury’s Financial Crimes Enforcement Network (FinCEN) said Tuesday.

FinCEN said its analysis addresses the extent to which a substantial number of ransomware attacks likely emanate from, or at a minimum are connected to, actors in Russia.

Analysis of ransomware-related BSA filings for 2021 indicates that ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses, and the public, FinCEN said. For the second half of 2021, FinCEN found that:

  • Russia-related ransomware variants accounted for 69% of ransomware incident value, 75% of ransomware-related incidents, and 58% of unique ransomware variants reported for incidents in the review period. All of the top five highest-grossing ransomware variants in this period are connected to Russian cyber actors.
  • The mean total monthly value of ransomware-related incidents in the review period was $81.4 million, and the median was $80 million.
  • Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 84 ransomware variants reported in BSA data for incidents during the review period.

Comparing data more broadly, FinCEN said:

  • BSA data for 2020 suggests that at least 602 ransomware-related incidents occurred throughout the year. The total value of these incidents was roughly $527 million. BSA data for 2021 suggests that at least 1,251 ransomware-related incidents occurred throughout 2021, with a total value of roughly $886 million.
  • BSA data for 2021 suggests at least 458 ransomware-related incidents occurred between Jan. 1 and June 30. The total value of these incidents was roughly $398 million. At least 793 ransomware-related incidents occurred between July 1 and Dec. 31, with a total value of roughly $488 million.
  • Of the 793 ransomware-related incidents reported to FinCEN in BSA data that occurred between July 1 and Dec. 31, 2021, 75% (or 594) had a nexus to Russia, its proxies, or persons acting on its behalf.

FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021