Ransomware burnout might be creeping in for many cybersecurity professionals, but cybercrime organizations do not show any signs of slowing down, according to a new report.
The U.S. Treasury Department released its Financial Trend Analysis report on Friday, providing the lay of the land when it comes to ransomware in the first two quarters of 2021.
The findings? Ransomware is steadily growing as one of the biggest financial threats to the nation's economy.
"Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy," said U.S. Treasury Secretary Janet L. Yellen.
Ransomware cost the U.S. nearly $600 million in the first half of 2021. In all of 2020, the total cost was $416 million, which shows how cybercrime ransoms are on trajectory to nearly triple from last year.
SecureWorld News breaks down this report, while also compiling recommendations from our experts and the government you can implement, if you have not already, to protect your organization.
Ransomware analysis by Financial Crimes Enforcement Network
Data around the ransomware trends was analyzed by Financial Crimes Enforcement Network (FinCEN), a branch of the Treasury Department.
They focused on four major areas: the monthly amount of suspicious ransomware payments; ransomware variants; Bitcoin payments tied to ransomware; and threat actors' use of Anonymity-Enhanced Cryptocurrencies (AECs), which means they can avoid reusing virtual currency wallets.
According to the data, somewhere between $45 million and $60 million is the "total monthly suspicious amount of ransomware transactions."
Another factor is the variants of ransomware FinCEN found, which totaled 68 and featured familiar ransomware actors like REvil, Conti, and DarkSide.
"Ransomware actors develop their own versions of ransomware, known as 'variants,' and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos," reads the report.
Cryptocurrency's role in enabling ransomware attacks
Experts have been discussing the part that cryptocurrency plays in giving cybercriminals an easy way to demand ransoms—and for good reason.
"FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions," the report reads.
To grapple with this known fact, the U.S. government has been steadily moving towards regulating Bitcoin.
After sanctioning the first cryptocurrency exchange for facilitating ransom payments connected to an online crime circle, the United States launched the Cryptocurrency Enforcement Team, a new department of law enforcement with the goal to increase monitoring.
In a New York Times opinion piece by Paul Rosenzweig, a cybersecurity lawyer, he discussed how regulating cryptocurrency could control ransomware attacks.
"Ransomware attacks occur because criminals make money from them. If we can make it harder to profit from such attacks, they will decrease," Rosenzweig said.
FinCEN cited two areas where cryptocurrency is propping up ransomware, showing how many convertible virtual currency (CVC) wallets have been connected to cyberattacks.
"Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments," reads the analysis.
In addition, FinCEN also connected crypto to online money laundering rings.
"FinCEN identified several money laundering typologies common among ransomware variants in 2021 including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding reusing wallet addresses, 'chain hopping' and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds."
SecureWorld's ransomware 'state of the union address'
Recently, Alec Alvarado, Threat Intelligence Manager for Digital Shadows, was featured on a Remote Sessions webcast about the growing threats of ransomware in 2021.
Alvarado acknowledged the growing fatigue surrounding the problem of ransomware while he provided valuable updates around the numbers, which drew comparisons to a "State of the Union Address" by the session's moderator, Tom Bechtold.
On the other hand, cybersecurity professionals are inundated with statistics regarding ransomware. But what can be done to guard your organization against ransomware?
One of the reasons Alvarado said ransomware attacks could be shifting from sector to sector is because cybercriminals are looking for the weak links.
"We've kind of seen over time, ransomware [actors] moving from sector to sector and identifying new sectors that are particularly more vulnerable. Maybe they identified retail organizations being more vulnerable, and now we're seeing healthcare organizations, who were primarily targeted in later 2020. Maybe [some industries] have gotten better about locking down systems and maybe [malicious hackers] are moving on to the next sector [that hasn't]."
When it comes to solving the ransomware problem, Alvarado recommends going through a basic security checklist to strengthen your organization to become "the fruit at the top of the tree."
"It's harder said than done, but really following those basic cybersecurity principles that we have established, that we all agree upon, goes a long way to protecting your organization from ransomware, from being a more difficult target than somebody who doesn't have those cybersecurity principles that should be ingrained into what we do on a day-to-day basis," he said.
Alvarado also said there is usually a "human element" when breaches happen, so tightening up cybersecurity training for your organization could be a good place to start if you are still in the beginning stages.
U.S. Treasury recommends taking these steps to mitigate ransomware risks
If your organization is still working out the kinks in your mitigation plan, the Treasury did make the following recommendations, too:
- "Incorporate IOCs from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity."
- "Contact law enforcement immediately regarding any identified activity related to ransomware, and contact OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus. Please see contact information for the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), OFAC, and U.S. Secret Service at the end of this report."
- "Report suspicious activity to FinCEN, highlighting the presence of 'Cyber Event Indicators.' IOCs, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided in the SAR form. Information regarding ransomware variants, AECs requested for payment, or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments."
- "Review financial red flag indicators of ransomware in the 'Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments' issued by FinCEN in October 2020."
Do you have any additional tips to share when it comes to building a robust defense strategy to deter ransomware attacks? Please share in the comments section below.
[RESOURCE] Are you looking for more thought-provoking information to take back to your organization about getting to the root of ransomware? Tune into the upcoming webcast, 5 Things You Should Know About Ransomware Before It's Too Late, and earn CPE credit.
View Alec Alvarado's full presentation, Ransomware in 2021: 31 Leak Sites, 2,600 Victims, available on demand.