Thursday, December 9

FinCEN: bitcoin is the most common payment method related to data hijacking

During the first half of the year, most of the digital payments related to data hijacking (ransomware) reported to the United States Financial Crimes Enforcement Network (FinCEN) were made in bitcoin (BTC), the leading cryptocurrency, making it the most common payment method for this kind of illicit activity.

This is highlighted by the US regulator in its most recent report, entitled “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021”.

In the 17-page document posted on FinCEN’s website last week, the agency notes that, of the USD 66.4 million moved in ransomware-related transactions on a monthly basis (from January to June), at least USD 45 million was sent in BTC.

The report also highlights Monero (XMR), an anonymity-enhanced cryptocurrency (AEC), which was in high demand among criminals during that period. In fact, its use is on the rise compared to last year.

FinCEN indicates that 17 suspicious activity reports (SARs) filed in the period described cybercriminals demanding payment in XMR, providing an address for that cryptocurrency alongside a BTC address.

According to FinCEN, total suspicious ransomware activity in the first six months of the year jumped to USD 590 million, above the USD 416 million recorded for the whole of last year.

All of this is known because, in the review period, a total of 635 SARs were filed (and evaluated), covering 458 reported transactions, 30% more than in 2020.

The trends depicted in this report illustrate the identification and reporting of ransomware events by financial institutions and may not reflect the actual dates associated with ransomware incidents.

United States Financial Crimes Enforcement Network (FinCEN).

Payment requests in monero (XMR) and bitcoin (BTC). Source: FinCEN.

Wallets were identified as well

FinCEN did not stop at the cryptocurrencies themselves. It identified at least 177 digital wallet addresses associated with the top 10 ransomware variants.

The agency explains earlier in the report that those operating this kind of malware develop their own versions of the attack, known as “variants”, which are given new names to reflect changes in the software or to identify the threat actor behind it.

It says it identified 68 variants reported in SARs during the review period, and that the most frequently reported were REvil, Sodinokibi, Conti, DarkSide, Avaddon and Phobos.

Returning to the wallets, FinCEN notes that it carried out an analysis to determine the source of the funds victims used to pay the ransoms. It also clarifies that not all money sent from the identified wallet addresses is necessarily related to ransomware payments.

It does, however, state that the wallets associated with the top 10 variants examined sent BTC valued at USD 5.2 billion to known entities, directly or indirectly.

Of those transfers, 51% went to exchanges, 43% to other convertible virtual currency (CVC) services, 5% to the black market and 1% to mixing services.

These percentages identify transactions traced to known entities and may not represent final cash withdrawal locations after funds obfuscation.

United States Financial Crimes Enforcement Network (FinCEN).

Ransom negotiations generally went through Tor

One point worth highlighting from the FinCEN report is its finding that most victims communicated with the criminals through The Onion Router (Tor), encrypted email, or unencrypted and unidentified web portals provided by the attackers.

Number of ransomware-related transactions, January to June 2021. Source: FinCEN.

The agency recalls that Tor uses encryption to allow anonymous browsing as traffic moves through its network, and that those affected “primarily engaged with threat actors using a Tor website provided by the attackers to negotiate payment related to the ransomware.”

After negotiating the ransom amount, the victim made the payment in exchange for the decryption keys. Some variants required more negotiations and increasing demands for payment even after the initial payments were made.

United States Financial Crimes Enforcement Network (FinCEN).

The US will sanction those who pay for ransoms

This is not the first time the United States has intervened on the subject of data hijacking. In September, it emerged that the country was putting in place measures to sanction people and companies that pay the cryptocurrency ransoms demanded in these attacks.

As we reported in CriptoNoticias, the measure points to the possibility that the Biden administration is preparing a set of actions against these attacks, including penalties for payments made.

On the other side of the pond, in Spain, it has emerged that the government has spent 2.1 million euros dealing with ransomware-related incidents, all stemming from the cyberattack it suffered last June 9.

As we reported, the State has had to pay this sum to the various companies it hired to investigate the attack and resolve the technical problems arising from it.