This Week in AML

FinCEN Updates its Analysis of Ransomware Trends for Late 2021

The Financial Crime Enforcement Network (FinCEN) has issued its Ransomware Trends for the second half of 2021. John and Elliot look at the process that FinCEN used in its financial trend analysis and discuss some of the conclusions in the report, including that a significant number of ransomware attacks have some connection to actors in Russia.



FinCEN Updates its Analysis of Ransomware Trends for Late 2021 TRANSCRIPT


Elliot Berman: Hi, John. How are you today, 

John Byrne: Elliot? Doing fine. How are you? 

Elliot Berman: I'm good too. It's a gorgeous day here in the Midwest. It's almost 70 degrees, which is for the beginning of November is kind of a gift.

John Byrne: I bet. I bet. 

Elliot Berman: So, FinCEN actually has been pretty busy already this week, and we're recording earlier in the week than we usually do.

But one of the things that they published is their financial trend analysis about ransomware trends coming out of the Bank Secrecy Act data for the second half of 2021. So a year ago, in October of 2021, they published a similar analysis for the period of the first six months of 2021. And now, a year later, they've come out with the second half of the data.

Did you see that publication? 

John Byrne: Yeah, I did. And I thought it was obviously it's extremely current even though it was the second half of 2021. And a couple of things struck me. One is the acting director's comments that this obviously impacts national and economic security, but also the importance of the filing of suspicious activity reports because I think, as you and I were talking about offline, this is only one way in which ransomware gets reported.

So the fact that these filings have increased significantly is sort of part of the story. The other part is the amount that comes in through different vehicles. We don't know, but it's certainly consistent with what law enforcement has been talking about for quite a while, and ransomware, as we know, has such a devastating impact on companies if you're not prepared for them.

So, yeah, I did obviously did see that and was definitely struck by the dramatic increase in numbers. A good analysis. They have the dollar values in there, the number of incidents. And then, as the acting director said, how many of the activities are related to a nexus to Russia, which is of course, the main place in which ransomware emanates in the US.

Elliot Berman: Yeah, so. They talked about there being a million numbers in here, so I wanna make sure I pull the two I want that are meaningful. So they talked about 69% Russian-related ransomware variance accounting for 69% of the ransomware incident value. Right. But 75% of the incidents, so you know, that is a very strong tie.

They also talked about how they made the connection or how they determined that it was somehow Russia connected, and they pointed out that they used open-source resources. So I think that was a nice way to say they're not using anything from the intelligence community or, you know, the cyber command or any of those other government resources.

They're doing the same thing that you or I if we were probably a little smarter, could try to do just using the internet. So I thought that was interesting. And as you mentioned in our offline conversation, I wanna reiterate that this is coming out of the BSA data, which is essentially the SAR data.

So this is only coming from, you know, organizations that have an obligation. A SAR filing obligation is a lot. But there are many, many, many business corporations and hospitals who have been hit and, you know, education institutions and things like that, whose incidents are not in this information.

That doesn't mean that the government isn't aware of it and that some of that data might not be available, but it's not in this particular trend analysis. 

John Byrne: Right. And the average monthly. It is pretty eye-opening, 81 million. Medium is 80 million. Obviously, as they say, that's not anything, so there's quite a bit of lost dollars.

The full data, they say, consisted of a thousand filings reporting 750 million in ransomware. So like you say, it's not everything, but this is still quite a bit. And, you know, given the fact that it's only been fairly recently that SAR filers were looking for ransomware. I mean, obviously, institutions were, but SAR filers were not.

I think that that's important. The other thing, too, is they describe what ransomware is. Going back to malicious software. That we know in the cry of victims' files holds the data hostage until you pay the ransom. And a lot of that ransom they want now today is Bitcoin.

And there are also some recommendations toward the tail end of the report on what institutions will do if we can mention them in a minute. But what other things struck you?

Elliot Berman: Well, there are several graphs. I mean, again, it's trend analysis, so there are a lot of numbers, but they've graphed some of them.

And the one that at least caught my eye is the very first one, which is the number of ransomware-related BSA filings by filing an incident, that incident dates from 2011 to 2021. So, of course, in the early years, up through 2011 through 2015, there is just a handful. I mean, I think the whole thing doesn't add up to more than a hundred incidents.

But then you start to see some low to middle-three-digit numbers in 2016. They go down a little bit in 17 and 18 and even stay low in 19, and in 2020, they jump considerably. So 2020 compared to 2021 is double in terms of them based on the incident date. And then if you go to 2021, again, staying with, just to hold the numbers consistent, you go to 2021 over 2020 on the, using the incident date as the trigger.

You're talking almost three times as many. And so it's about seven times as many from 2021 going to 2019. So we're talking about a hockey stick-type curve here. And you can look at the numbers as numbers, but I think the graph was helpful to sort of emphasize the ramp-up. And there are other things, you know, there are quite a few graphs and charts.

Again, to grasp the problem, I think the magnitude of the problem they're very helpful. 

John Byrne: Yeah, and they also remind folks to look back at the FinCEN notice from November of last year on ransomware. Also, there are a lot of other places where a lot of other entities are involved in looking at these crimes.

Law enforcement in general, OFAC specifically if there's a connection to sanctions, of course, but there's also obviously the FBI. Cyber security and Infrastructure Security Agency, CISA. The Secret Service. They also indicate, besides going back to last year's statement from FinCEN, that there are others. CISA has a stop ransomware.gov website that's sort of a one-stop shop. And the National Institute of Standards of Technology has a data integrity section and many others too. But they give you a whole host of ways in which you can report cyber activity. Again, not just through FinCEN, but as we mentioned, CISA and OFAC FBI's Internet Crime Complaint Center.

So that's why I think it's not clear how much of all this information was put together from all those sources, but there are certainly a lot of places for our information technology experts in our community to respond to this.

Elliot Berman: Yeah. We will link to the report on our website.

So if you catch our podcast through our website or go to our website, if you listen to it on another source, the link will be there in the description of today's episode. But it's, you know, it's not a burdensome read, but I think it's a worthwhile read. It's a good refresher.

As you and I have talked many times, many of these guidance or issuance pieces can help with either in-depth or quick hit-type training, you know, to keep these issues top of mind with the right people. In our listener's organization. So definitely something worth taking a quick look at.

Today the White House hosted an international counter-ransomware initiative summit. And some of these same issues were talked about there. So 36 countries were represented. So this is clearly a global problem. No one country or one set of government agencies, or even one industry, is gonna solve this problem.

So, I'm sure that the release today of this document was timed to go along with the summit, but important to pay attention to these areas. But John, what else do you have coming up? 

John Byrne: So a couple of things. We just posted an interview that I did, Basel Governance Group, on the Basel AML Index for 2020. That's up on our site. We posted that on LinkedIn. On November 17th, we mentioned this before; we're doing a deep dive into various types of terrorist financing activity. And that's gonna be one o'clock Eastern. You can sign up for that on our website.

And then, I'm working on a. Potential webinar for December with a couple of individuals from the Organized Crime and Corruption Reporting Project. A very interesting investigative journalist group is working on a couple of things we want to highlight. So we are working on that now.

I'm fairly confident we will get their involvement. It's gonna have obviously something to do with corruption, which is what their main area of focus is. So more to come. 

Elliot Berman: Yes. And we'll keep you advised as the weeks unfold as to the topics of our upcoming webinars. John, there's no spoiler here, but we're actually pretty far along in planning our topics for 2023, and we'll continue to let you know about those as the months unfold.

So, John, anything else before we sign off?

John Byrne: Yes. Vote, vote, vote. Don't boo vote. So those of you that haven't voted early election days next week, November 8th. So do your duty and vote. 

Elliot Berman: Agreed. Okay. Good to talk to you. Have a great week, and we'll talk to you next week. 

John Byrne: Take care. 

Elliot Berman: Yep. Bye bye.