U.S. financial institutions observed nearly $1.2 billion in costs associated with ransomware attacks in 2021, a nearly 200 percent increase over the previous year, according to data reported by banks to the U.S. Treasury Department and released in a report Tuesday.
The report comes amid an effort by the Biden administration to crack down on ransomware operators globally and illustrates the scale of the challenge facing law enforcement agencies and policymakers.
On Tuesday, the White House wrapped up a two-day ransomware summit, where participants agreed to stand up a voluntary International Counter Ransomware Task Force to serve as a base for coordinated disruption and threat sharing. The initiative, which will launch sometime early next year, will start with a fusion center operated out of Lithuania’s Regional Cyber Defense Center as a test case for a bigger information-sharing program.
The Treasury report, which was first reported by CNN, underscores that curbing ransomware represents a key challenge in Washington’s fractious relationship with Moscow. Of the top five ransomware variants reported during the second half of 2021, four are connected to Russia, Treasury’s Financial Crimes Enforcement Network, FinCEN, said in its report, while cautioning that it cannot definitively attribute the variants to Moscow.
The data released Tuesday represents suspicious transactions that American banks have flagged to U.S. regulators as potentially connected to ransomware, and, for that reason, experts caution that the data from the Treasury Department offers only a partial picture of the broader ransomware industry.
“The $1 billion plus reported as potential ransomware-related payments likely represents only the tip of the iceberg,” Brett Callow, a threat analyst at Emsisoft who follows ransomware developments closely, told CyberScoop Tuesday in an online chat.
FinCEN analyzed information reported under the Bank Secrecy Act by financial institutions, which are required to file Suspicious Activity Reports related to transactions potentially connected to illegal activity. The data is limited, however, and “is not a complete representation of all ransomware attacks or payments,” the agency noted. The dollar figures include extortion attempts, attempted transactions and payments that were unpaid, the agency said.
“FinCEN’s rules only impose reporting requirements on U.S. financial institutions, meaning payments by victims or financial institutions outside the U.S. are not included,” Callow said. “The report nonetheless provides an indication of the massive sums involved in the ransomware economy—which, of course, is why the ransomware problem will be so hard to solve. The cybercriminals are motivated by the potential to earn millions.”
Callow added that ransomware variants’ connections to Russia aren’t necessarily indicative of where attacks are coming from. A recent example is Sebastien Vachon-Desjardins, a Canadian man arrested in Quebec in January 2021 and sentenced in October to 20 years in U.S. prison for a series of ransomware attacks around the world as part of the NetWalker ransomware gang, which had its own connections to Russia.
Deputy Secretary of the Treasury Wally Adeyemo, who attended the White House ransomware summit, stressed the need for a global approach to the ransomware threat.
“We may approach the challenge of ransomware with a different lens — and in some cases, an entirely different set of tools — but we are all here because we know that ransomware remains a critical threat to victims across the globe and continues to be profitable for bad actors,” he said. “In fact, we know that hackers around the world consider conducting ransomware attacks the most profitable scheme on the internet. More profitable even than selling illegal drugs via dark net markets and stealing and selling stolen credit cards.”
Tackling the threat posed by ransomware turned into a major headache for the Biden administration after a pair of high-profile attacks in May 2021 — one targeting Colonial Pipeline that disrupted gas supplies to the Eastern Seaboard and another targeting meatpacker JBS. In response, the Biden administration has attempted to get more aggressive with ransomware groups by sanctioning cryptocurrency exchanges, seizing cryptocurrency proceeds from attacks and carrying out offensive operations against ransomware infrastructure.
Prior to the Russian invasion of Ukraine, U.S. officials attempted to bargain with the Kremlin to crack down on ransomware operators sheltered by Russian authorities. But in the aftermath of the Russian invasion, that diplomatic initiative appears to have hit the rocks.
In the wake of the Russian invasion of Ukraine, some prominent ransomware groups — such as Conti — fractured, but run-of-the-mill attacks on small and medium businesses by a range of ransomware groups continue at a prolific rate. Tuesday’s data from the U.S. government illustrates the financial incentives that keep these groups operating.
Tonya Riley contributed reporting to this article.