Ransomware victims paid attackers at least $144.35 million in bitcoin between 2013 and 2019, according to a recent Federal Bureau of Investigation bulletin that likely fails to account for millions of dollars.
The figure, published in a Feb. 4 advisory from the bureau, is based on the financial losses than ransomware victims reported to U.S. law enforcement over a six-year span in which digital extortion evolved from a rare corporate annoyance to a global black market. Victimized organizations often do not report ransomware payments to the FBI, and hackers in recent months have demanded tens of millions of dollars from breached firms. U.S. insurers similarly have tried to gather information about the frequency, size and severity of digital crime sprees.
FBI officials publicized the figure as part of a National Cyber Investigative Joint Task Force fact sheet aimed at raising awareness about the ideal prevention and responses practices to ransomware. The federal government is “particularly concerned” about extortion attacks against police and fire departments, hospitals, critical infrastructure facilities, and state, local, tribal and territorial governments.
“These types of attacks can delay first responders in responding to emergencies or prevent a hospital from accessing lifesaving equipment,” the fact sheet said.
The FBI previously said U.S. victims reported $8.9 million in ransomware-related losses in 2019, up from $3.6 million in losses in 2018.
That FBI fact sheet comes after the Department of Homeland Security’s Cybersecurity and Infrastructure Agency warned that hackers were deploying ransomware — most notably the Ryuk and Conti strains — against health care providers during the COVID-19 pandemic, thus forcing administrators to “balance this risk when determining their cybersecurity investments.”
Meanwhile, in October, the Treasury Department’s Office of Foreign Assets Control also warned that paying or helping to pay ransomware to any entity on its cyber sanctions list could incur civil penalties.