Reported Ransomware Incidents, Costs Soared in 2021, Treasury Says

U.S. banks flagged ransomware-related transactions adding up to more than $1 billion in 2021, the Treasury Department said, although risk experts said that barely scratches the surface of cybercrime’s true economic scale.

Data released by the Financial Crimes Enforcement Network, or FinCEN, this week showed that the value of transactions banks had flagged as related to ransomware in 2021 reached $1.2 billion, spread across 1,489 reports to regulators. In 2020, such transactions totaled $416 million across 487 reports.

“I think we’re seeing the tip of the iceberg in terms of what these actual payments are,” said Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association, a trade group for banks. 

When, for instance, FinCEN looked at cryptocurrency passing through virtual wallets believed to be used by hackers handling ransom payments during the first six months of 2021, analysts found about $5.2 billion in bitcoin transactions alone, flowing out of 177 wallets.

Banks must file suspicious activity reports, or SARs, with FinCEN when they think that transactions are related to crime, under a 2020 law designed to combat money laundering. The process for spotting suspicious transactions differs from bank to bank, and flagged transactions include not only payoffs, but those suspected of filtering proceeds from ransoms through the financial system. FinCEN is an arm of the Treasury that analyzes financial data to identify money laundering, terrorist financing and other crimes.

Reports from the first six months of 2021 alone exceeded the total for all of 2020, FinCEN said, noting that around 75% of incidents in 2021 stemmed from Russia-based cyber actors. The report didn’t directly blame the Russian government, and Moscow has denied involvement in cyberattacks.

The rise in the volume of SARs and the value attached to those reports doesn’t necessarily mean that the number of attacks is rising. Banks could be overreporting out of caution, said Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center, a cybersecurity intelligence-sharing network for the financial sector. 

High-profile incidents have boosted reporting, Ms. Walsh said, citing the breach of SolarWinds Corp. software that was disclosed in December 2020 and affected almost a dozen federal agencies and 100 companies, and the cyberattack on Colonial Pipeline Co. in May 2021. The episode at Colonial Pipeline led to panic-buying and a fuel shortage in Southeastern states for days, driving up the price of gasoline. The pipeline operator paid roughly $4.4 million in ransom, of which the Federal Bureau of Investigation was able to retrieve about half. 

Despite the stark rise in numbers year-over-year, however, banking experts say the true cost of ransomware and other cybercrimes dwarfs the figures cited in reports.

The U.S. government has ramped up efforts to counter ransomware, most recently by hosting an international summit on the topic at the White House earlier this week, with the European Union and more than 30 countries taking part. Participants agreed to form an international task force on ransomware, following similar domestic efforts within the Justice Department, to help fight cybercrime across borders.

U.S. agencies including the Cybersecurity and Infrastructure Security Agency are working to spell out when and in how much detail companies must disclose cyberattacks, after the passage of the Cyber Incident Reporting for Critical Infrastructure Act in March.

Although reports such as FinCEN’s latest analysis provide just a snapshot of the ransomware ecosystem, Mr. Benda said, they allow banks to see how their SARs are being used.

“We really think that this type of information sharing is critical for the financial industry,” he said. 

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.