Victims of ransomware attacks paid hackers $590 million during the first six months of 2021, more than in all of 2020, according to an analysis of suspicious activity reports by the Treasury Department.
The number and severity of ransomware attacks surged in 2021. Prominent incidents include the hacking of the Colonial Pipeline, which paid the hackers millions to unlock its systems. The attack led to gasoline shortages on the East Coast.
“Other recent attacks have targeted various sectors, including manufacturing, legal, insurance, health care, energy, education, and the food supply chain in the United States and across the globe,” the Treasury report (pdf) states.
The Treasury’s report is based on suspicious activity reports filed by banks and other financial institutions. The department received 635 such reports during the first half of 2021, up from 458 reports in all of 2020.
Bitcoin was the most common method of ransomware payment, the report said.
The most common ransomware variants used during that period include names that figured in some of the prominent attacks this year, including REvil/Sodinokibi and DarkSide.
The $590 million figure is only a fraction of the total ransomware payouts in the United States and around the world. The Treasury analyzed cryptocurrency wallets used for ransomware payments and found $5.2 billion in outgoing bitcoin transactions potentially linked to ransomware payouts.
Ransomware hackers are increasingly requesting payments in anonymity-enhanced cryptocurrencies, according to the report. They avoid reusing cryptocurrency wallets and are “using mixing services and decentralized exchanges to convert proceeds,” the report said.
Ransomware attacks encrypt the victims’ computer systems and hold them hostage with a demand for a hefty ransom. The attackers have recently shifted from a high volume opportunistic approach to a more sophisticated strategy focusing on bigger targets.
“Some ransomware actors have diversified their revenue streams using a ransomware-as-a-service business model in which ransomware creators sell user-friendly ransomware kits on the Dark Web or outsource ransomware distribution to affiliates in exchange for a percentage of the ransom. This lowers the technical expertise needed to carry out an attack,” the Treasury report states.
The pandemic-driven shift to remote work has made businesses more vulnerable to attacks. There has been a considerable uptick in attacks on medical businesses due to their propensity to pay ransom to unlock critical healthcare data amid the pandemic, according to the Treasury.