US banks spent $1 billion on ransomware payments in 2021, Treasury says
Bloomberg November 2, 2022
U.S. financial institutions reported nearly $1.2 billion on likely ransomware-related payments last year, most commonly in response to breaches originating with Russian criminal groups, according to the Treasury Department.
The payments more than doubled from 2020, underscoring the pernicious damage that ransomware continues to wreak on the private sector. The Financial Crimes Enforcement Network, or FinCEN, said its analysis “indicates that ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses and the public.”
Financial institutions filed 1,489 incidents related to ransomware in 2021, up from 487 the year before, according to data collected under the Bank Secrecy Act. FinCEN’s analysis included extortion amounts, attempted transactions and payments that were unpaid.
In the U.S., banks are required to file suspicious activity reports to help the government detect money laundering or other criminal activity.
FinCEN said the top five highest-grossing ransomware variants from the second half of 2021 are connected to Russian cybercriminals. The damage from Russian-related ransomware during that period totaled more than $219 million, according to the data.
Treasury’s report comes as a US-hosted ransomware summit in Washington brings together nearly three dozen countries to tackle a scourge that’s hobbled businesses, non-profits and government agencies globally. The pace and sophistication of those intrusions is increasing faster than the US’s ability to disrupt them, a senior Biden administration official said Sunday.
FinCEN said its analysis was in response to the increase in both number and severity of recent ransomware hacks against US critical infrastructure. The jump, officials said, could also be reflective of institutions getting better at identifying and reporting incidents.
The findings were previously reported Tuesday by CNN.
In March, President Joe Biden signed sweeping cybersecurity legislation that mandates certain sectors report breaches to the US Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment.
Ransomware actors continue to release private troves of data if their demands aren’t met. Their targets include a breach this fall on the Los Angeles Unified School District, in which confidential information about students was leaked when the ransom wasn’t paid.