FinCEN Reports Ransomware Related SARs

Blog / FinCEN Reports Ransomware Related SARs

On October 15, 2021, the Financial Crimes Enforcement Network (FinCEN) published a document on ransomware trends based on data from Suspicious Activity Reports (SARs) submitted between January 1 and June 30, 2021. This report complies with the requirement of the Anti-Money Laundering Act of 2020, which requires FinCEN to provide "threat pattern and trend information" derived from SARs.


According to the research, ransomware-related SARs and the regularity with which they are filed have surged in the first six months of 2021 and have already eclipsed totals for the full calendar year of 2020. According to the research, the amount of ransomware-related SARs submitted monthly has climbed fast, with 635 SARs filed and 458 transactions recorded between January 1, 2021, and June 30, 2021.


According to the research, the overall value of suspicious activity reported in ransomware-related SARs within the first six months of 2021 was $590 million, which surpasses the amount recorded for the full year of 2020 ($416 million). Additionally, Bitcoin was the most often used ransomware means of payment.

The study was produced in conjunction with the distribution of an instructional pamphlet by the Treasury Department's Office of Foreign Assets Control to encourage sanctions compliance in the cryptocurrency business.

Trends in SAR Data and Ransomware

Ransomware is a sort of harmful software that infects users' files and locks them down until a ransom is paid to free them. The quantity and severity of ransomware assaults on vital US infrastructure are increasing. This year has witnessed a number of high-profile assaults, including those on the Colonial Pipeline, a vital East Coast gasoline supply, and JBS, one of the country's largest livestock providers. FinCEN's Analysis was provided in reply to an upsurge in ransomware attacks and in accordance with Section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to report threat patterns and trends information generated from financial institutions' SARs on a regular basis.

To identify trends, FinCEN evaluated ransomware-related SARs submitted between January 1, 2021, and June 30, 2021. During that time, there were 635 SARs, and 458 transactions involving ransomware were lodged. This was a 42 percent increase over 2020 when FinCEN received 487 SARs on transactions totaling $416 million. According to FinCEN, assuming present trends continue, SARs submitted in 2021 will have a larger ransomware-related transaction value than SARs reported in the preceding ten years combined.

According to FinCEN's Analysis, sixty-three percent of all ransomware-related SARs are submitted by Digital Forensic Incident Response ("DFIR") businesses. DFIR businesses negotiate and arrange ransomware payouts on victims' behalf by converting client fiat funds, recognizing legal cash to CVC, and then transmitting the funds to crime-operated accounts.

In reported transactions, FinCEN identified BTC as the most prevalent ransomware-related payment mechanism, with a slight rise in the usage of Monero. After receiving money, cybercrooks provide the decryption keys to the victim. On the other hand, some variations take the discussion to the next level and raise the payment demands even after the first payment, such as threatening to publicize the stolen data if subsequent payment is not made. The usage of Anonymity-Enhanced Cryptocurrencies ("ACEs") and other anonymizing services, such as email protected by The Onion Router, or Tor, was also emphasized by FinCEN.

FinCEN found at least six money laundering typologies associated with ransomware variations in 2021 based on an examination of ransomware-related SAR data:

  • Threat actors are increasingly asking for payment in AEC, like Monero, to conceal their identity.
  • Threat actors refrain from repeating wallet addresses.
  • As cash-out terminals, foreign centralized cryptocurrency exchanges are favored.
  • "Chain hopping," or the process of transforming one CVC into a new CVC at least once before transferring cash to another service or platform, is used to obscure financial traces on blockchains.
  • Mixing services, which are employed as a general privacy precaution or to conceal the transfer of funds gained via theft, darknet marketplaces, or other illegal acts, are common in 2021; and
  • Illicit profits are most likely being converted through decentralized exchanges.


What Can be Done?

Ransomware is a serious danger to the general public, the financial industry, and enterprises. Based on the facts in the Analysis, FinCEN advised businesses to concentrate on enhancing their detection and alert systems to prevent and defend against ransomware attacks, promptly report attacks to criminal justice, and submit associated SARs. Sanction Scanner's software program aids financial institutions throughout the fight against financial crimes. If you would like to learn about our program, you may contact us and request a demo.


You Might Also Like