Financial Trend Analysis - Ransomware 508 FINAL

This document analyzes ransomware trends based on Bank Secrecy Act data from January to June 2021. It found that the number and value of ransomware-related suspicious activity reports greatly increased during this period compared to previous years. The most commonly reported ransomware variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. Blockchain analysis identified approximately $5.2 billion in potential ransomware payments laundered through cryptocurrency exchanges and mixing services. The document examines money laundering methods used and provides background on recent ransomware tactics and impacts.

Uploaded by

ForkLog
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
1K views17 pages

Financial Trend Analysis - Ransomware 508 FINAL

This document analyzes ransomware trends based on Bank Secrecy Act data from January to June 2021. It found that the number and value of ransomware-related suspicious activity reports greatly increased during this period compared to previous years. The most commonly reported ransomware variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. Blockchain analysis identified approximately $5.2 billion in potential ransomware payments laundered through cryptocurrency exchanges and mixing services. The document examines money laundering methods used and provides background on recent ransomware tactics and impacts.

Uploaded by

ForkLog
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17


FINANCIAL TREND ANALYSIS

Ransomware Trends in Bank Secrecy Act Data


Between January 2021 and June 2021

This Financial Trend Analysis focuses on ransomware pattern and trend information identified in Bank
Secrecy Act (BSA) data. This report is issued pursuant to Section 6206 of the Anti-Money Laundering
Act of 2020 (AMLA) which requires the Financial Crimes Enforcement Network (FinCEN) to
periodically publish threat pattern and trend information derived from financial institutions’
Suspicious Activity Reports (SARs).1 FinCEN issued government-wide priorities for anti-money
laundering and countering the financing of terrorism (AML/CFT) policy on 30 June 2021, which
included cybercrime as a government-wide priority. FinCEN highlighted ransomware as a particularly
acute cybercrime concern. The information contained in this report is relevant to the public, including
a wide range of businesses, industries, and critical infrastructure sectors. The report also highlights
the value of BSA information filed by regulated financial institutions.

Executive Summary: This Financial Trend Analysis is in response to the increase in number and
severity of ransomware attacks against U.S. critical infrastructure since late 2020. For example, in
May 2021, hackers used a ransomware attack to extort a multi-million dollar ransom, which also
disrupted the Colonial Pipeline and caused gasoline shortages. Other recent attacks have targeted
various sectors, including manufacturing, legal, insurance, health care, energy, education, and the
food supply chain in the United States and across the globe. As Treasury Secretary Janet L. Yellen
recently noted, “Ransomware and cyber-attacks are victimizing businesses large and small across
America and are a direct threat to our economy.”2

FinCEN analysis of ransomware-related SARs filed during the first half of 2021 indicates that
ransomware is an increasing threat to the U.S. financial sector, businesses, and the public. The
number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and
458 transactions reported between 1 January 2021 and 30 June 2021 (“the review period”), up
30 percent from the total of 487 SARs filed for the entire 2020 calendar year.3 The total value of
suspicious activity reported in ransomware-related SARs during the first six months of 2021 was
$590 million, which exceeds the value reported for the entirety of 2020 ($416 million).

Trends represented in this report illustrate financial institutions’ identification and reporting of
ransomware events and may not reflect the actual dates associated with ransomware incidents.
FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts,
top ransomware variants, and insights from FinCEN’s blockchain analysis:

1. The AMLA was enacted as Division F, §§ 6001-6511, of the William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021, Pub. L. 116-283 (2021).
2. “Treasury Takes Robust Actions to Counter Ransomware,” U.S. Department of the Treasury, 21 Sept. 2021,
https://home.treasury.gov/news/press-releases/jy0364.
3. The 635 SARs filed during the review period include 458 SARs reporting transactions that occurred in the same
timeframe. The remaining 177 SARs report transactions that occurred prior to 2021.


Average Monthly Suspicious Amount of Ransomware Transactions: According to data generated from
ransomware-related SARs, the mean average total monthly suspicious amount of ransomware
transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin
(BTC) as the most common ransomware-related payment method in reported transactions.

Top Ransomware Variants: Ransomware actors develop their own versions of ransomware, known as
“variants,” and these versions are given new names based on a change to software or to denote a
particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in
SAR data for transactions during the review period. The most commonly reported variants were
REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.

Insights from Blockchain Analysis: FinCEN identified and analyzed 177 unique convertible virtual
currency (CVC) wallet addresses used for ransomware-related payments associated with the 10
most commonly reported ransomware variants in SARs during the review period.4 Based on
blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified
approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.

FinCEN Identified Ransomware Money Laundering Typologies: FinCEN identified several money
laundering typologies common among ransomware variants in 2021 including threat actors
increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding
reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using
mixing services and decentralized exchanges to convert proceeds.

Scope and Methodology: FinCEN examined ransomware-related SARs filed between 1 January
2021 and 30 June 2021 to determine trends. The full data set consisted of 635 SARs reporting $590
million in suspicious activity. Of the 635 SARs filed during the review period, 458 report actual
transactions that occurred during the review period worth $398 million. The remaining 177 SARs
report transactions that occurred before 1 January 2021.5 FinCEN reviewed and verified each
SAR to remove any suspicious activity amount unrelated to ransomware and to extract relevant
indicators of compromise (IOCs).6 From this data, FinCEN identified the top 10 most common
ransomware variants and analyzed their IOCs through commercially available analytics tools.
This analysis allowed FinCEN to chart the flow of ransomware payments in BTC to identify which
CVC exchanges and services ransomware actors used to launder their proceeds. USD figures
cited in this analysis are based on the value of BTC when the transactions occurred. FinCEN
also compared data gathered for 2021 to SAR data gathered in previous years in order to track
ransomware trends. This data set consisted of 2,184 SARs reflecting $1.56 billion in suspicious
activity filed between 1 January 2011 and 30 June 2021.

4. CVC wallet addresses are alphanumeric public keys that store value and can be accessed using a password or “private
key.” Wallets are software used to organize multiple wallet addresses and their associate private keys.
5. The data in this report consists only of information received through BSA reporting and is not a complete
representation of all ransomware attacks or payments during the review period.
6. IOCs are signatures or artifacts observed on a network that likely indicate computer or network intrusion.


What is Ransomware?

Ransomware is malicious software that encrypts a victim’s files and holds the data hostage until
a ransom is paid. In the last two years, ransomware actors have shifted from a high-volume
opportunistic approach to a more selective methodology in choosing victims, targeting larger
enterprises, and demanding bigger payouts to maximize their return on investment. Some
ransomware actors have diversified their revenue streams using a ransomware-as-a-service
(RaaS) business model in which ransomware creators sell user-friendly ransomware kits on the
Dark Web or outsource ransomware distribution to affiliates in exchange for a percentage of
the ransom. This lowers the technical expertise needed to carry out an attack. The transition to
remote and online work in response to COVID-19 has also exacerbated risks and vulnerabilities
of businesses to cyber attacks such as ransomware. Attacks on small municipalities and
healthcare organizations have also increased, typically due to perceived weaker security
controls and higher propensity of these victims to pay the ransom because of the criticality of
their services, particularly during a global health pandemic. Additionally, since at least late
2019, ransomware groups have adopted new extortion tactics to maximize revenue and create
an additional incentive for victims to pay. In one such tactic, known as “double extortion,”
ransomware operators exfiltrate massive amounts of a victim’s data before encrypting it and then
threaten to publish the stolen data if ransom demands are not met.7 Lastly, ransomware
attackers are finding new ways to obfuscate their identities by requesting payment in AECs.8

Ransomware Filings in First Six Months of 2021 Exceed 2020 Total


The total U.S. dollar value for ransomware-related transactions reported in SARs filed during
the review period exceeds that of any previous year since 2011. In the first six months of 2021,
FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase compared to a
total of $416 million for all of 2020 (see Figures 1 and 2).9 10 If current trends continue, SARs filed
in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the
previous 10 years combined, which would represent a continuing trend of substantial increases
in reported year-over-year ransomware activity. This trend potentially reflects the increasing
overall prevalence of ransomware-related incidents as well as improved detection and reporting
of incidents by covered financial institutions, which may also be related to increased awareness of
reporting obligations pertaining to ransomware and willingness to report.

7. “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” FinCEN Advisory
#FIN-2020-A006, 1 Oct. 2020, https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory Ransomware
FINAL 508.pdf.
8. As noted in FinCEN’s 2020 Advisory on Ransomware, AECs reduce the transparency of CVC financial flows,
including ransomware payments, through anonymizing features, such as mixing and cryptographic enhancements.
9. Data in Figures 1 and 2 differ slightly between filing date and transaction date, as the filing date can denote
ransomware events that occurred outside the timeframe covered in this report. Filing date reflects financial
institutions’ detection and compliance, whereas transaction date reflects the actual date of payments associated with
incidents.
10. This includes ransomware-related transactions reported in SARs and does not include additional ransomware-related
transactions identified by FinCEN’s blockchain analysis.


On 1 October 2020, FinCEN and Treasury’s Office of Foreign Assets Control (OFAC) released
ransomware-related advisories that, among other things, seek to promote reporting of
ransomware-related incidents.11 12 13 In the same month, the G7 released a ransomware annex to a
statement on digital assets that emphasized the importance of implementation of international
anti-money laundering and countering the financing of terrorism standards to counter
ransomware-related money laundering.14 Following the publication of these advisories, on
12 November 2020, FinCEN held a virtual FinCEN Exchange focused on the growing concern with
ransomware-related events and efforts to combat the issue. This exchange included representatives
from financial institutions, technology firms, digital forensic incident response (DFIR) firms,
virtual asset service providers (VASPs), and federal government agencies.15 Following Treasury’s
fall 2020 efforts to draw attention to ransomware and potential associated reporting obligations,
FinCEN observed a notable increase in filings during the last quarter of 2020, which contributed
to the overall rise in 2020 filings (see Figure 1). For example, during the first six months of
2021, of the 458 ransomware-related transactions, 335 SARs referenced the key term
“CYBER-FIN-2020-A006” from FinCEN’s October 2020 ransomware advisory.16

Figure 1. Number of Ransomware-Related SARs and Transactions, 2011 to June 202117

[Bar chart: number of SARs per year, 2011 to 2021, shown by transaction date and by filing date.
2021 (through June): 635 SARs by filing date and 458 by transaction date; 2020: 487 SARs by filing date.]

11. See footnote seven.
12. “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Department of the Treasury
Advisory, 1 Oct. 2020, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.
13. On 21 September 2021, OFAC updated its ransomware-related advisory to encourage reporting and cyber resilience,
“Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Department of the
Treasury Advisory, 21 Sept. 2021, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.
14. “Ransomware Annex to G7 Statement,” G7 Finance Ministers and Central Bank Governors, 13 Oct 2020,
https://home.treasury.gov/system/files/136/G7-Ransomware-Annex-10132020_Final.pdf.
15. “FinCEN Holds Virtual FinCEN Exchange on Ransomware,” Financial Crimes Enforcement Network Press Release,
12 Nov. 2020, https://www.fincen.gov/news/news-releases/fincen-holds-virtual-fincen-exchange-ransomware.
16. A number of the 335 SARs appeared to reference FinCEN’s 2020 Advisory on Ransomware and noted “CYBER-FIN-
2021-A006,” which FinCEN assesses to be a typographical error referring to “CYBER-FIN-2020-A006.”
17. 2021 figures report transaction dates during the review period. Transaction date data include SARs filed in July 2021
with a transaction date before July 2021. FinCEN assessed SARs filed between 1 January 2020 and 31 July 2021 for
accuracy, duplication, and false positives using both the narrative and the note to FinCEN field on SAR forms. Data
from SARs filed between 1 January 2011 and 31 December 2019 reflect reports that contain “ransomware” in the
narrative.
Figure 2. Total Suspicious Amount from Ransomware-Related SARs and Transactions, 2011 to June 202118

[Bar chart: USD (millions) per year, 2011 to 2021, shown by transaction date and by filing date.
2021 (through June): $590 million by filing date and $398 million by transaction date; 2020: $416 million by filing date.]

Reported Ransomware-Related Transactions Substantially Increased from 2020

The number of ransomware-related SAR filings fluctuated in the first quarter of 2021 before
stabilizing in the second quarter of 2021. Due to lookback SARs reporting ransomware attacks over
the course of the preceding six months, January 2021 saw a sharp increase in the number of SARs
filed. SAR data reports a mean average of 76 and a median average of 73.5 ransomware-related
transactions per month during the review period (see Figure 3). The median average payment
amount for ransomware-related transactions during the review period was $102,273, a slight
increase from the median average payment amount of $100,000 for transactions between 1 January
2020 and 30 June 2020, according to SAR data (see Figure 4).19 SARs report that during the review
period the vast majority of ransomware-related payments were for less than $250,000 (see Figure 5).

Figure 3. Number of Ransomware-Related Transactions, January 2021 to June 202120

[Bar chart: number of SARs per month, January to June 2021, shown by transaction date and by filing date;
the January 2021 filing-date bar is the highest at 172 SARs.]

18. 2021 figures report transaction dates during the review period. Transaction date data includes SARs filed in July 2021
with a transaction date before July 2021. FinCEN assessed SARs filed between 1 January 2020 and 31 July 2021 for
accuracy, duplication, and false positives. Data from SARs filed between 1 January 2011 and 31 December 2019 reflect
reports that contain “ransomware” in the narrative.
19. Ransomware-related payment amounts vary greatly from as little as $1 to as much as $45 million in 2021. To reduce
the effect of outliers only the median average is reported for this data set.
20. Eighty-three of the 172 SARs filed in January 2021 are lookback filings that report transactions that occurred before
December 2020.

Figure 4. Total Suspicious Amount of Ransomware-Related Transactions, January 2021 to June 202121

[Bar chart: USD (millions) per month, January to June 2021, shown by transaction date and by filing date.]

Figure 5. Ransomware-Related Payments by Value, January 2021 to June 2021

[Bar chart: number of payments per month by transaction date, January to June 2021, grouped by
value of individual payment (USD): 0-250k, 251k-500k, 501k-1m, 1.1m-5m, 5m+.]

68 Variants Identified, Variant 1 Most Prevalent

Ransomware Variants: FinCEN identified 68 ransomware variants reported in SAR data for
transactions during the review period. Ransomware variant analysis can help determine potential
threat actors behind an attack. Ninety SARs did not name the ransomware variant used in the
attack, and some SARs reported multiple incidents involving more than one variant. Figures 6, 7,
and 8 depict the suspicious amounts, number, and value of transactions for the 10 variants with the
highest payment amounts and in highest total number of incidents in SARs.22

The top 10 variants with the highest cumulative payment amounts identified in SARs during the
review period accounted for $217.56 million in suspicious activity (see Figure 6). The highest
total suspicious payment amounts for individual variants reported in SARs range from $30 to $76
million. Monthly suspicious payment amounts reported in SARs for the top 10 variants range from
$3,095 to $43.06 million with a median average of $27 million and mean average of $36.26 million.
In June 2021, the highest cumulative suspicious payment amounts were associated with Variant 1
($11.78 million) and Variant 2 ($8.53 million), according to SAR data.

21. The sharp increase in total suspicious amount for March 2021 reflects two high-value SARs, and a single lookback
SAR reporting multiple ransom payments over the course of a year that account for approximately 25 percent of the
March total.
22. Actual variant names are redacted for operational security purposes.


Figure 6. Top Ransomware Variants by Suspicious Payment Amount with Transaction Dates
Between January 2021 and June 2021

[Line chart: USD (millions) per month, January to June 2021, for Variant 1, Variant 2, Variant 3,
Variant 7, Variant 9, Variant 11, Variant 12, Variant 13, Variant 14, and Variant 15.]

FinCEN identified 242 SARs filed on the top 10 most frequently reported variants with transaction
dates during the review period (see Figure 7). These SARs most frequently report Variant 1 (64
reports), followed by Variant 2 (42 reports) and Variant 3 (32 reports). The number of monthly
SARs for the top 10 variants range from 0 to 22 reports. In June 2021, SARs most frequently
reported Variant 2 (18 reports) and Variant 1 (six reports).

Figure 7. Top Ransomware Variants by Number of SARs with Transaction Dates
Between January 2021 and June 2021

[Line chart: number of SARs per month, January to June 2021, for Variant 1 through Variant 10.]

FinCEN analysis of reported ransomware-related transactions during the review period
determined that Variant 1 had the highest number of incidents (64), Variant 3 had the highest
total dollar value of transactions ($75.8 million), and Variant 2 had the highest median average
incident value ($353,800) for known variants (see Figure 8).23

23. The data in this report consists only of information received through BSA reporting and is not a complete
representation of all ransomware attacks or payments during the review period.


Figure 8. Ransomware Variants by Number and Value of Transactions with Transaction Dates
Between January 2021 and June 202124

Ransomware Variant | Number of Incidents | Total Dollar Value of Incidents | Median Average Incident Value25
Variant 1          | 64                  | ~$30.7 million                  | ~$177,800
Variant 2          | 42                  | ~$25.3 million                  | ~$353,800
Variant 3          | 32                  | ~$75.8 million                  | ~$200,000
Variant 4          | 25                  | ~$2.8 million                   | ~$73,900
Variant 5          | 15                  | ~$800,000                       | ~$70,000
Variant 6          | 13                  | ~$1.4 million                   | ~$75,600
Variant 7          | 14                  | ~$7 million                     | ~$300,000
Variant 8          | 15                  | ~$3.7 million                   | ~$176,000
Variant 9          | 10                  | ~$3.7 million                   | ~$140,000
Variant 10         | 12                  | ~$1.3 million                   | ~$125,000
Total              | 242                 | ~$152.5 million                 | ~$148,400
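As an added worked example (not FinCEN’s code or data), the following Python script applies the measures described in the Scope and Methodology and in the variant analysis above to a constructed set of SAR records: the filing-date versus transaction-date split that produces lookback SARs, mean and median monthly counts and amounts, the Figure 5 payment buckets, the Figure 8 per-variant table, and the advisory key term check from footnote 16. The record layout, field names and all sample values are assumptions.

```python
"""Added worked example, not FinCEN's code: applies the report's SAR measures
to a constructed sample. The Sar record layout, field names and every sample
value below are assumptions made for illustration."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

REVIEW_START, REVIEW_END = date(2021, 1, 1), date(2021, 6, 30)

# Payment value buckets from Figure 5 (USD, inclusive bounds; None = open-ended).
BUCKETS = [(0, 250_000, "0-250k"), (250_001, 500_000, "251k-500k"),
           (500_001, 1_000_000, "501k-1m"), (1_000_001, 5_000_000, "1.1m-5m"),
           (5_000_001, None, "5m+")]

# Footnote 16: some filers wrote CYBER-FIN-2021-A006 for the 2020 advisory, so
# the key term check accepts both spellings.
ADVISORY_KEY_TERM = re.compile(r"CYBER-FIN-(?:2020|2021)-A006")


@dataclass
class Sar:
    filed: date              # SAR filing date
    transacted: date         # date of the reported ransom payment
    amount_usd: float        # ransomware-related suspicious amount only
    variant: Optional[str]   # None when the SAR did not name a variant
    cvc: Optional[str]       # "BTC", "XMR", or None when not identified
    narrative: str = ""


def in_review_period(d: date) -> bool:
    return REVIEW_START <= d <= REVIEW_END


def split_by_date_basis(sars):
    """Filing-date view vs transaction-date view (Figures 1 and 2). Lookback
    SARs are filed in the period but report earlier payments; per footnote 17
    the transaction-date view also admits SARs filed after the period."""
    by_filing = [s for s in sars if in_review_period(s.filed)]
    by_txn = [s for s in sars if in_review_period(s.transacted)]
    lookback = [s for s in by_filing if s.transacted < REVIEW_START]
    return by_filing, by_txn, lookback


def monthly_stats(sars):
    """Mean and median of per-month transaction counts and suspicious amounts."""
    counts, amounts = Counter(), defaultdict(float)
    for s in sars:
        key = (s.transacted.year, s.transacted.month)
        counts[key] += 1
        amounts[key] += s.amount_usd
    c = [counts[m] for m in sorted(counts)]
    a = [amounts[m] for m in sorted(counts)]
    return {"mean_count": mean(c), "median_count": median(c),
            "mean_amount": mean(a), "median_amount": median(a)}


def bucket_label(amount):
    for lo, hi, label in BUCKETS:
        if amount >= lo and (hi is None or amount <= hi):
            return label
    raise ValueError(f"negative amount: {amount}")


def payments_by_value(sars):
    """Number of payments per Figure 5 bucket."""
    return Counter(bucket_label(s.amount_usd) for s in sars)


def variant_table(sars, top_n=10):
    """Figure 8 style rows (variant, incidents, total value, median value),
    ranked by incident count then total value; SARs naming no variant excluded."""
    groups = defaultdict(list)
    for s in sars:
        if s.variant:
            groups[s.variant].append(s.amount_usd)
    rows = [(v, len(a), sum(a), median(a)) for v, a in groups.items()]
    rows.sort(key=lambda r: (-r[1], -r[2]))
    return rows[:top_n]


def references_2020_advisory(narrative):
    """True if the narrative cites the advisory key term (either spelling)."""
    return ADVISORY_KEY_TERM.search(narrative) is not None


# Constructed sample; none of these records come from the report.
SAMPLE = [
    Sar(date(2021, 1, 15), date(2020, 11, 20), 100_000, "Variant 1", "BTC",
        "see CYBER-FIN-2020-A006"),                         # lookback SAR
    Sar(date(2021, 1, 20), date(2021, 1, 10), 50_000, "Variant 1", "BTC",
        "key term CYBER-FIN-2021-A006"),                    # footnote 16 typo
    Sar(date(2021, 2, 5), date(2021, 2, 1), 300_000, "Variant 2", "XMR"),
    Sar(date(2021, 3, 10), date(2021, 3, 2), 6_000_000, "Variant 3", "BTC",
        "CYBER-FIN-2020-A006"),
    Sar(date(2021, 3, 25), date(2021, 3, 15), 800_000, "Variant 1", None),
    Sar(date(2021, 4, 12), date(2021, 4, 1), 120_000, None, "BTC"),
    Sar(date(2021, 7, 3), date(2021, 6, 28), 250_000, "Variant 2", "BTC"),  # filed in July
]

if __name__ == "__main__":
    by_filing, by_txn, lookback = split_by_date_basis(SAMPLE)
    print(len(by_filing), len(by_txn), len(lookback), monthly_stats(by_txn))
    print(payments_by_value(by_txn), variant_table(by_txn))
```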

Digital Forensic Incident Response Firms File Majority of Ransomware-Related SARs

During the review period, U.S.-based DFIR firms submitted the majority of ransomware-related
SARs, or approximately 63 percent of ransomware-related SARs (see Figure 9).26 In addition,
depository institutions and CVC exchanges submitted over a third of SARs at 17 percent and 19
percent of SARs, respectively. Other institutions including broker-dealers, an insurance company,
and casinos submitted less than 10 percent of the total SARs.

24. SARs report 90 transactions with a total value of $143.8 million and a median average incident value of $102,273
related to unknown variants.
25. To reduce the effect of outliers only the median average is reported for this data set.
26. As noted in FinCEN’s 2020 Advisory on Ransomware, DFIR companies help victims respond to cyber-attacks
and may facilitate ransomware payments to cybercriminals by converting customer fiat funds to CVC and then
transferring the funds to criminal controlled accounts.

Figure 9. Ransomware-Related Transactions by Institution Type, January 2021 to June 202127

[Line chart: percent of filings per month, January to June 2021, for CVC exchanges, DFIR firms,
depository institutions, and other institutions.]

A small number of DFIR firms submitted ransomware-related SARs for transactions conducted
during the review period. These DFIR firms filed 290 ransomware-related SARs.28

Majority of Reported Ransomware-Related Payments in Bitcoin

FinCEN identified BTC as the most common ransomware-related payment method in reported
transactions. FinCEN also observed that incidents requesting Monero (XMR), an AEC, are on track
to increase slightly compared to 2020.

Ransomware-Related Payment Methods: Of the SARs reporting ransomware-related payments
during the review period that identified a specific CVC, the vast majority reported payments
made in BTC.29 Sixty-four SARs that report a ransomware-related payment did not identify
a specific CVC. While there are thousands of CVCs in the market, the SAR data only noted
attackers requested BTC and XMR as methods for ransomware-related payment during the
observed timeframe.

Monero Ransomware-Related Requests: FinCEN identified 17 ransomware-related SARs during
the review period requesting payment in XMR (see Figure 10). In some instances, the attacker
provided both an XMR and a BTC address, and imposed an extra fee if payment was made in
BTC. In other instances, they exclusively requested payment in XMR, but accepted payment in
BTC after negotiation.

27. The “CVC” category includes CVC kiosks. The “Other” category includes casinos, securities broker-dealers, wealth
management firms, and insurance companies.
28. FinCEN identified a small number of DFIR firms that purport to negotiate on behalf of victims in SAR data. FinCEN
does not have information on the total number of DFIR firms that exist.
29. As noted in FinCEN’s 2020 Advisory on Ransomware, cybercriminals usually require ransomware payments to
be denominated in CVCs, most commonly in BTC. However, they are also increasingly requiring or incentivizing
victims to pay in AECs that reduce the transparency of CVC financial flows, including ransomware payments,
through anonymizing features, such as mixing and cryptographic enhancements.


Figure 10. Monero (XMR) Ransomware-Related Requests, January 2021 to June 2021

Circumstance of Request                               Number of Payments   Value of Total Payments (USD)
Attacker provided both XMR and BTC wallet addresses   7                    ~$34 million
Attacker requested only XMR                           7                    ~$2.4 million
Other 30                                              3                    ~$500,000
Total                                                 17                   ~$37 million

Communication via The Onion Router and Email Systems


Victims typically communicated with the threat actors via The Onion Router (Tor), encrypted
email, non-encrypted email, and unidentified web portals provided by the attackers, according
to SAR data. Tor employs encryption to allow for anonymous browsing as traffic moves within a
network. The victims, or DFIR firms representing them, primarily engaged with the threat actors
using a Tor website provided by the attackers to negotiate the ransomware-related payment,
according to SAR data (see Figure 11). After negotiating the ransom amount, the DFIR firm or
victim would make payment in exchange for decryption keys. Some variants required further
negotiation and escalating payment demands even after initial payments were made.

Figure 11. Ransomware-Related Payments by Communication Method, January 2021 to June 2021

Communication Method   Number of Transactions   Transaction Value
Tor                    192                      ~$165.6 million
Email                  111                      ~$41.5 million
Other 31               10                       ~$2.5 million
Unknown                145                      ~$188.4 million
Total                  458                      ~$398 million

30. FinCEN identified three ransomware-related SARs mentioning Monero as a potential payment method, but did not
explicitly state whether Monero was the exclusive payment method requested.
31. “Other” includes communication methods such as web portals and communication platforms not explicitly stated in
SARs.


177 Unique Wallet Addresses Identified for Top 10 Ransomware Variants

FinCEN identified 177 unique wallet addresses used for ransomware-related payments by the top
10 most common ransomware variants reported in SARs during the review period (see Appendix
1 for detailed information on each variant).32 FinCEN conducted analysis using commercially
available analytics tools to determine the source of funds victims used to pay ransoms and the
overall BTC sent from these threat actor wallet addresses to known entities. Not all of the funds
sent from these wallet addresses are definitively related to ransomware payments; however, all
of the exchanges and services identified below were at a minimum a direct counterparty to wallet
addresses that received ransomware-related payments (see Figure 13).

Wallets associated with the 10 variants examined sent BTC valued at $5.2 billion to known entities,
directly or indirectly, including 51 percent to exchanges, 43 percent to other CVC services, five
percent to darknet marketplaces, and one percent to mixing services.33 34 35 These percentages
identify transactions traced to known entities and may not represent the final cash out locations
after obfuscation of funds. While the total in Figure 13 indicates the 10 variants sent one percent of
all funds to mixing services, this percentage varies when broken down by variant (see Appendix 1).
The totals in Figure 13 include 177 wallet addresses identified in SARs and approximately 423,000
wallet addresses assessed to be associated with the relevant ransomware variants by commercially
available analytics tools.36

Figure 13. Top 10 Ransomware Variant Transactions with Known Entities

[Chart: BTC sent, directly or indirectly, from wallets of the top 10 variants to known entities; the chart values are not recoverable from the extracted text. Figure note: Not all of the funds sent from these wallet addresses are definitively related to ransomware payments; however, all of the exchanges and services identified in Figure 13 were at a minimum a direct counterparty to wallet addresses that received ransomware-related payments.]

32. Most of the 458 SARs FinCEN examined did not report the attacker’s wallet address.
33. Victims predominantly sourced funds from U.S.-registered exchanges.
34. “Other” includes unidentified CVC services, as well as unspent and untraced CVC.
35. Direct transactions are funds sent from one party to another without intermediaries. Indirect transactions are funds
sent from one party to one or more intermediary wallet addresses before the first encountered service.
36. FinCEN identified 177 wallet addresses associated with the 10 ransomware variants in SAR data and a total of
422,895 wallet addresses associated with the ransomware variants using commercially available analytics tools.
This difference is likely due to underreporting of ransomware incidents.
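The counterparty analysis behind Figure 13 and Appendix 1 (footnotes 34 and 35: a known service reached with no intermediary is a direct counterparty, one reached through unlabeled hop wallets is indirect, and funds ending at an unlabeled, unspent address fall under “Other”) can be reproduced on a small scale. The following is an added example, not FinCEN’s or any analytics vendor’s code; every address, label and amount in it is constructed, and the proportional split at each hop is a simple attribution rule chosen for illustration, not the heuristic any particular commercial tool uses.

```python
"""Trace funds from ransomware-payment wallets to the first known entity.

Added example; not FinCEN's or an analytics vendor's code. Addresses, labels and
amounts are constructed. A service reached at hop 1 is a direct counterparty,
anything deeper is indirect; unlabeled dead ends are bucketed as "other".
"""
from collections import defaultdict

# Constructed transaction graph: (sender, receiver, amount in USD at time of tx).
TRANSACTIONS = [
    ("ransom_w1", "exchA_deposit", 100_000),
    ("ransom_w1", "hop1", 50_000),
    ("hop1", "mixerX", 30_000),
    ("hop1", "hop2", 20_000),
    ("hop2", "exchB_deposit", 20_000),
    ("ransom_w2", "dnm_vendor", 10_000),
    ("ransom_w2", "hop3", 40_000),
    ("hop3", "cold_store", 40_000),   # unlabeled and never spent: untraced/unspent
]

# Constructed labels standing in for an analytics tool's entity attributions.
KNOWN_ENTITIES = {
    "exchA_deposit": "exchange",
    "exchB_deposit": "exchange",
    "mixerX": "mixer",
    "dnm_vendor": "darknet market",
}

RANSOM_WALLETS = {"ransom_w1", "ransom_w2"}   # addresses reported in SARs (constructed)
MAX_HOPS = 6                                  # stop following unlabeled chains past this depth


def outgoing_index(transactions):
    """Map each sender to its list of (receiver, amount) spends."""
    out = defaultdict(list)
    for sender, receiver, amount in transactions:
        out[sender].append((receiver, amount))
    return out


def trace(transactions, known, ransom_wallets, max_hops=MAX_HOPS):
    """Return flow records: (origin wallet, end address, category, amount, hops).

    At each unlabeled hop the tracked amount is split across that address's
    outgoing spends in proportion to their size. Cycles and over-deep chains
    are cut off and recorded as "other" so the trace always terminates.
    """
    out = outgoing_index(transactions)
    records = []

    def follow(origin, addr, amount, hops, path):
        if addr in known:
            records.append((origin, addr, known[addr], amount, hops))
            return
        spends = out.get(addr, [])
        total = sum(a for _, a in spends)
        if hops >= max_hops or total == 0 or addr in path:
            records.append((origin, addr, "other", amount, hops))
            return
        for receiver, spent in spends:
            follow(origin, receiver, amount * spent / total, hops + 1, path | {addr})

    for wallet in sorted(ransom_wallets):
        for receiver, amount in out.get(wallet, []):
            follow(wallet, receiver, float(amount), 1, {wallet})
    return records


def summarize(records):
    """Aggregate USD by entity category and by direct vs indirect exposure."""
    by_category = defaultdict(float)
    by_exposure = defaultdict(float)
    for _, _, category, amount, hops in records:
        by_category[category] += amount
        by_exposure["direct" if hops == 1 else "indirect"] += amount
    total = sum(by_category.values())
    shares = {c: round(100 * v / total, 1) for c, v in by_category.items()} if total else {}
    return dict(by_category), dict(by_exposure), shares


def sample_analysis():
    """Run the trace over the constructed graph above."""
    return summarize(trace(TRANSACTIONS, KNOWN_ENTITIES, RANSOM_WALLETS))


if __name__ == "__main__":
    by_category, by_exposure, shares = sample_analysis()
    for category, usd in sorted(by_category.items()):
        print(f"{category:15s} ${usd:>10,.0f}  {shares[category]:5.1f}%")
    print("direct/indirect:", by_exposure)
```

On the constructed graph this attributes 60 percent of traced value to exchanges, 15 percent to a mixer, 5 percent to a darknet market and 20 percent to an unspent address; the exchange figure combines a direct deposit with one reached two hops downstream, which is exactly the ambiguity the report flags when it says the Figure 13 percentages “may not represent the final cash out locations after obfuscation of funds.”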

Ransomware-Related Money Laundering Typologies


FinCEN identified at least six money laundering typologies attributed to ransomware variants in 2021
by analyzing ransomware-related SARs, conducting blockchain analysis, and leveraging industry
observations and outreach. For example, participants in this year’s FinCEN Exchange on ransomware
separately substantiated these observations citing their own analysis of ransomware activity.37

Threat Actors Increasingly Request Payments in AECs


FinCEN’s analysis of ransomware-related SARs found ransomware-related payments are often
initially requested in BTC, though threat actors may request payments in AECs, most commonly
XMR. FinCEN observed a 10 to 20 percent surcharge or discount for victims paying in BTC, and,
on some occasions, threat actors exclusively requested payment in XMR.

Threat Actors Avoided Reusing Wallet Addresses


After receiving illicit funds from a victim, ransomware actors layered funds through multiple
wallet addresses and avoided reusing wallet addresses for each attack, according to SAR data.
Threat actors laundered the payments from each ransomware event separately, to minimize
consolidation into single wallet addresses.

Centralized CVC Exchanges are Preferred Cash-out Points


Threat actors identified from SARs primarily use foreign centralized exchanges for ransomware-
related deposits, including exchanges incorporated in high-risk jurisdictions that may have
opaque ownership structures or that may have inadequate AML/CFT compliance standards.
This observation is also corroborated by commercial blockchain analytic companies that note the
use of exchanges incorporated in jurisdictions that may not enforce know your customer (KYC)
requirements or require the reporting of suspicious transactions.38 Non-compliant centralized
exchanges are possibly a key step in the layering and obfuscation process of laundering funds from
CVC to fiat currency.

“Chain Hopping” is Used to Obfuscate Financial Trails on Blockchains


Illicit actors often engage in the practice of “chain hopping” to obfuscate the origin of their funds.
Chain hopping refers to the practice of converting one CVC into a different CVC at least once
before moving the funds to another service or platform. This practice allows threat actors to
convert illicit BTC proceeds into an AEC like XMR at CVC exchanges or services. Threat actors can
then transfer the converted funds to large CVC services and MSBs with lax compliance programs.

37. FinCEN held the second Ransomware FinCEN Exchange on 10 Aug. 2021. See
https://www.fincen.gov/news/news-releases/fincen-holds-second-virtual-fincen-exchange-ransomware.
38. Dr. Tom Robinson, “DarkSide Ransomware has Netted Over $90 million in Bitcoin,” Elliptic Blog, 18 May 2021,
https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin, accessed 3 Sept. 2021.


Mixing Services are Prevalent in 2021


FinCEN observed an increased use of mixing services in SARs.39 Mixers are websites or software
designed to conceal or obfuscate the source or owner of CVC. Mixers may have obligations as
money transmitters under the BSA. For example, in October 2020 FinCEN assessed a $60 million
civil money penalty against Larry Dean Harmon for operating the mixing service Helix and failing
to register with FinCEN, maintain an effective AML program, and file SARs on suspicious activity
that went through the Mixer.40 Mixing is done either as a general privacy measure or for covering
up the movement of funds obtained from theft, darknet markets, or other illicit sources.

• According to a May 2020 report by Crystal Blockchain, there was a rapid growth in the amount
of BTC sent from darknet entities to mixers in Q1 2020.41

• According to Chainalysis’ mid-year report on ransomware, mixing services are still a preferred
destination for illicit funds behind centralized exchanges.42

• FinCEN’s analysis of the 10 most common ransomware variants in SAR data during the review
period indicates that the use of mixers varies by variant (see Appendix 1).

Decentralized Exchanges Likely Used to Convert Illicit Proceeds


Ransomware-related payments are being converted to other types of CVCs through decentralized
exchanges or other DeFi applications. Some DeFi applications allow for automated peer-to-
peer transactions without the need for an account or custodial relationship. FinCEN analysis
of transactions on the BTC blockchain identified ransomware-related funds sent indirectly to
addresses associated with open protocols for use on DeFi applications.

Ransomware Detection, Mitigation, and Reporting


Financial institutions play an important role in protecting the U.S. financial system from ransomware-
related threats through compliance with BSA obligations. Financial institutions should determine if a
SAR filing is required or appropriate when dealing with a ransomware incident, including ransomware-
related payments made by financial institutions that are victims of ransomware.43 Financial institutions
may also file with FinCEN a report of any suspicious transaction they believe relates to the possible
violation of any law or regulation but whose reporting is not required by 31 CFR Chapter X.

39. For more information on mixers, see FinCEN Guidance FIN-2019-G001, 9 May 2019, p.19-20 https://www.fincen.gov/
sites/default/files/2019-05/FinCEN Guidance CVC FINAL 508.pdf.
40. “In the matter of Larry Dean Harmon d/b/a Helix, Assessment of Civil Money Penalty Number 2020-02,” FinCEN, 19
Oct. 2020, https://www.fincen.gov/sites/default/files/enforcement_action/2020-10-19/HarmonHelix Assessment and
SoF_508_101920.pdf.
41. Crystal analytics team, “Darknet Use and Bitcoin — A Crypto Activity Report by Crystal Blockchain,” Crystal
Blockchain, 19 May 2020, https://crystalblockchain.com/articles/darknet-use-and-bitcoin-a-crypto-activity-report-by-
crystal-blockchain/, accessed 26 Aug. 2021.
42. Chainalysis, “Ransomware 2021: Critical Mid-Year Update,” July 2021, https://blog.chainalysis.com/reports/
ransomware-update-may-2021, accessed 26 Aug. 2021.
43. For more information see FinCEN Advisory #FIN-2020-A006, 1 Oct. 2020, https://www.fincen.gov/sites/default/files/
advisory/2020-10-01/Advisory Ransomware FINAL 508.pdf.


Detection and Mitigation Recommendations


Ransomware is a serious cybersecurity concern for which FinCEN recommends the following
actions:

1. Incorporate IOCs from threat data sources into intrusion detection systems and security alert
systems to enable active blocking or reporting of suspected malicious activity.

2. Contact law enforcement immediately regarding any identified activity related to ransomware,
and contact OFAC if there is any reason to suspect the cyber actor demanding ransomware
payment may be sanctioned or otherwise have a sanctions nexus.44 Please see contact
information for the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure
Security Agency (CISA), OFAC, and U.S. Secret Service at the end of this report.

3. Report suspicious activity to FinCEN, highlighting the presence of “Cyber Event Indicators.”
IOCs, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can
be provided in the SAR form. Information regarding ransomware variants, AECs requested for
payment, or other information may also be useful to law enforcement and for trend analysis
in addition to virtual currency addresses and transaction hashes associated with ransomware
payments.

4. Review financial red flag indicators of ransomware in the “Advisory on Ransomware and the
Use of the Financial System to Facilitate Ransom Payments” issued by FinCEN in October
2020.45
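Recommendations 1 and 3 above hinge on the same indicator types: domains, IP addresses, file hashes and email addresses pulled from a threat feed, matched against what the institution’s own systems log, and carried into the SAR’s “Cyber Event Indicators” fields when they hit. The following is an added example, not code from the report or from any of the agencies it names; the feed entries, the log lines and every indicator value are constructed placeholders (the SHA-256 is the hash of the empty string), and the defanging conventions it undoes (`[.]`, `[at]`, `hxxp`) are the common ones seen in shared indicator lists.

```python
"""Match threat-feed IOCs against log lines: an added example, not the report's code.

The feed, the log lines and every indicator value are constructed placeholders.
Feed values are normalized (defanging undone, case folded) before matching, and
each hit carries the line and indicator type for reporting.
"""
import re

# Constructed IOC feed. The SHA-256 is the hash of the empty string (placeholder).
IOC_FEED = [
    {"type": "domain", "value": "Malicious-Example[.]test"},
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "email", "value": "ransom-contact[at]mail-example[.]test"},
]

# Constructed log lines (DNS, proxy, EDR, mail gateway). Line 5 is a benign control.
SAMPLE_LOGS = [
    '2021-03-14T02:11:07Z dns host=ws-17 qname=MALICIOUS-EXAMPLE.test type=A',
    '2021-03-14T02:11:09Z proxy src=10.0.0.17 dst=203.0.113.45:443 bytes=8812',
    '2021-03-14T02:12:40Z edr host=ws-17 file=readme.txt '
    'sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    '2021-03-14T02:13:01Z smtp from=ransom-contact@mail-example.test subject="decrypt"',
    '2021-03-14T02:13:30Z proxy src=10.0.0.22 dst=198.51.100.7:443 bytes=120',
]

# One candidate extractor per indicator type; lookarounds stop partial matches
# (an IP inside a longer number, a domain that is really the host part of an email).
EXTRACTORS = {
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "sha256": re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])"),
    "email": re.compile(r"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}"),
    "domain": re.compile(r"(?<![a-z0-9.@-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![a-z0-9-])"),
}


def refang(value: str) -> str:
    """Undo common defanging and case-fold so feed values match log text."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[at]", "@"), ("hxxp", "http")):
        v = v.replace(old, new)
    return v


def build_index(feed):
    """Group normalized indicator values by type for constant-time lookups."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], set()).add(refang(ioc["value"]))
    return index


def match_logs(lines, index):
    """Return one hit per (line, type, indicator) found in the index."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.lower()
        for ioc_type, pattern in EXTRACTORS.items():
            wanted = index.get(ioc_type)
            if not wanted:
                continue
            for candidate in sorted(set(pattern.findall(line))):
                if candidate in wanted:
                    hits.append({"line_no": line_no, "ioc_type": ioc_type,
                                 "indicator": candidate, "log": raw})
    return hits


def scan_sample():
    """Run the constructed feed over the constructed log lines."""
    return match_logs(SAMPLE_LOGS, build_index(IOC_FEED))


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit['line_no']}: {hit['ioc_type']} {hit['indicator']}")
```

The hit records are the kind of structured detail recommendation 3 asks for in a SAR: the indicator, its type and the log evidence it was seen in, rather than a free-text note that “malware was observed.” Normalizing on ingest matters more than it looks: a feed entry left defanged never matches a live log line, and a case-sensitive comparison misses mixed-case DNS queries like the one on the first sample line.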

Further, ransomware is a complex cybersecurity problem requiring a variety of preventive,
protective, and preparatory best practices. CISA’s StopRansomware.gov offers a one-stop-shop for
government resources containing alerts, guides, fact sheets, and training all focused on reducing
the risk of ransomware. CISA and the Multi-State Information Sharing and Analysis Center’s (MS-
ISAC’s) Ransomware Guide provides high-level prevention best practices and a response checklist
while the National Institute of Standards and Technology’s (NIST’s) Data Integrity: Detecting and
Responding to Ransomware and Other Destructive Events offers a comprehensive focus on detailed
methods and potential tool sets that can detect, mitigate, and contain data integrity events in the
components of an enterprise network.

44. For more information see “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,”
U.S. Department of the Treasury Advisory, 21 Sept. 2021, https://home.treasury.gov/system/files/126/ofac_
ransomware_advisory.pdf.
45. For more information see FinCEN Advisory #FIN-2020-A006, 1 Oct. 2020, https://www.fincen.gov/sites/default/files/
advisory/2020-10-01/Advisory Ransomware FINAL 508.pdf.


Reporting Suspicious Cyber Activity


To report an intrusion and request technical assistance, contact CISA at [email protected]
or 888-282-0870, or FBI through a local field office or FBI’s Cyber Division at [email protected]
or 855-292-3937, or any U.S. Secret Service local field offices to report a crime. Contact
OFAC at [email protected] if there is any reason to suspect the cyber actor demanding
ransomware payment may be sanctioned or otherwise have a sanctions nexus. For formal guidance
to financial institutions on reporting ransomware-related incidents, please refer to FinCEN’s
resource page on advisories, at https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets.

The information in this report is based on ransomware-related information obtained from analysis
of BSA data, trade publications, and commercial reporting, as well as insights from law enforcement
and other partners. FinCEN welcomes feedback on this report, particularly from financial
institutions. Please submit feedback to the FinCEN Regulatory Support Section at [email protected].


Appendix 1: Ransomware Variant Analysis


FinCEN determined the top 10 most common ransomware variants reported in SAR data and
reviewed open-source reporting to determine dates of activity and accepted payment method(s).
FinCEN identified unique wallet addresses used for ransomware-related payments by the top 10
most common variants and conducted analysis using commercially available technology. These
identified wallet addresses sent BTC to different CVC services, including exchanges, darknet markets
(DNM), mixers, and other licit and illicit CVC service categories, as well as untraced and unspent BTC.

Ransomware   Start/End Date             Accept XMR   Accept BTC   Sent BTC (USD)
Variant                                 (Y/N)        (Y/N)        Exchange         DNM               Mixer            Other 46          Total
Variant 1    April 2019 - July 2021     Y            Y            ~$6.3 million    ~$6.5 million     ~$826,000        ~$32.3 million    ~$46 million
Variant 2    December 2019 - present    N            Y            ~$66.1 million   ~$7.3 million     ~$4 million      ~$161 million     ~$238.5 million
Variant 3    August 2020 - May 2021     Y            Y            ~$14.3 million   ~$6.5 million     ~$609,000        ~$76.8 million    ~$98.2 million
Variant 4    June 2020 - June 2021      N            Y            ~$4.9 million    ~$1.6 million     ~$660,000        ~$6.3 million     ~$13.5 million
Variant 5    September 2019 - present   N            Y            ~$1.7 billion    ~$241.6 million   ~$9.7 million    ~$1.7 billion     $3.6 billion
Variant 6    July 2018 - present        N            Y            ~$604.4 million  ~$2.2 million     ~$622,700        ~$184.5 million   ~$791.7 million
Variant 7    October 2019 - present     N            Y            ~$3 million      ~$2.3 million     ~$3,600          ~$3.5 million     ~$8.8 million
Variant 8    December 2019 - present    N            Y            ~$240 million    ~$1 million       ~$740,000        ~$64.3 million    ~$305.8 million
Variant 9    November 2019 - present    N            Y            ~$6.9 million    ~$519,000         ~$79,000         ~$9,900           ~$7.5 million
Variant 10   September 2019 - present   N            Y            ~$8.4 million    ~$1.3 million     ~$76,300         ~$11 million      ~$20.7 million
Total                                                             ~$2.6 billion    ~$252.5 million   ~$35.2 million   ~$2.3 billion     ~$5.2 billion

46. “Other” includes unidentified CVC services as well as unspent and untraced CVC.
