Ransomware-related Bank Secrecy Act (BSA) filings neared $1.2 billion in 2021, a 188 percent increase compared to $416 million in 2020, according to a Financial Crimes Enforcement Network (FinCEN) report released last week.
Ransomware-related BSA filings and incidents increased drastically in the second half of 2021, with 75 percent of ransomware activities connected to Russian cyber actors. FinCEN noted that while malware attribution is difficult, the variants were identified in open-source information as using Russian-language code.
"Ransomware trends are on the rise," Mona Harrington, CISA's assistant director for the National Risk Management Center, told GovCIO Media & Research. "Over the past year, we've seen an increase in sophisticated high-impact ransomware incidents against critical infrastructure. The ransomware tactics and techniques continue to evolve, which demonstrates ransomware threat actors are growing in technological sophistication and in an increased ransomware threat to not just a defined entity or area. It's extending well beyond borders and impacting global markets and communities."
The FinCEN analysis comes during the Second International Counter Ransomware Initiative (CRI) Summit held by the White House. The summit brought together 36 countries, the European Union and industry partners to develop concrete steps to prevent the rapid spread of ransomware worldwide.
To continue the work, CRI members will establish an International Counter Ransomware task force led by Australia, create a fusion cell at the Regional Cyber Defense Center led by Lithuania, deliver an investigative toolkit and institute active private-sector participation.
"Ransomware is a global challenge that requires global cooperation to produce global solutions," White House National Security Advisor Jake Sullivan said at the CRI summit. "That's why, in fact, this coalition is the largest in the world in terms of a cybersecurity coalition and the most comprehensive, bringing together countries and companies from all regions of the globe to deter and disrupt these ransomware attacks."
The CRI members have committed to taking joint steps to prevent threat actors from being able to utilize the cryptocurrency ecosystem to collect payments; actively share information between the public and private sectors; hold a counter-illicit finance ransom workshop; and develop aligned frameworks and guidelines on how to prevent and respond to ransomware.
"This initiative and this issue [ransomware] is not just confined to cyberspace. It is not just confined to a particular challenge within cyberspace, but really is a hallmark of our national security approach as a whole," Sullivan said.
Phishing emails, Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities remain the top three initial infection vectors for ransomware incidents, according to Harrington. However, other trends, such as ransomware-as-a-service (RaaS), allow anyone to deploy ransomware successfully.
Double and triple extortion have been on the rise as well. Double extortion includes a combination of encryption and data theft to pressure victims to pay a ransom. In contrast, triple extortion allows cyber actors to publicly threaten to release victims' stolen sensitive information, disrupt the victims' internet access, and inform the victims' partners, shareholders or suppliers about the hack.
"This past year, we've experienced some of these and saw firsthand the cascading impacts that it had on our communities and on individuals directly," Harrington said. "Going back to Colonial Pipeline … The hack was deemed a national security threat as the pipeline moves oil from refineries to industry markets; the shutdown affected consumers and airlines along the entire East Coast for several days."