Security United States Technology

US Banks Spent $1 Billion on Ransomware Payments in 2021, Treasury Says (bloomberg.com)

US financial institutions spent nearly $1.2 billion on likely ransomware-related payments last year, most commonly in response to breaches originating with Russian criminal groups, according to the Treasury Department. From a report: The payments more than doubled from 2020, underscoring the pernicious damage that ransomware continues to wreak on the private sector. The Financial Crimes Enforcement Network, or FinCEN, said its analysis "indicates that ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses and the public." Financial institutions filed 1,489 incidents related to ransomware in 2021, up from 487 the year before, according to data collected under the Bank Secrecy Act. FinCEN's analysis included extortion amounts, attempted transactions and payments that were unpaid. FinCEN said the top five highest-grossing ransomware variants from the second half of 2021 are connected to Russian cybercriminals. The damage from Russian-related ransomware during that period totaled more than $219 million, according to the data.

Comments:
  • by MIPSPro ( 10156657 ) on Tuesday November 01, 2022 @02:05PM (#63016055)
    Banks are often big MVS, AS/400, or occasionally AIX shops, but in the last couple of decades they saw a lot of M$ insertion. Could the shift account for some of the issues they've had? Also, having done some contract work for banks, they are remarkably cheap (i.e., didn't get rich by writing checks). So, I typically won't even bother with them. The big ones like JP Morgan, Goldman, and the rest of Wall St. also have horrible IT environments full of tangled policies, regulatory requirements, and politics. Like many companies, they don't want to pay much for talent outside of their area of expertise. Maybe all the ransomware payouts are a result of that?
    • I'm always shocked by how many banks can't accept anything more than eight characters in a password, and no special characters, no spaces. What year are we living in? Are we really locking down the requirements to AS/400 specs circa 1990?

  • by bradley13 ( 1118935 ) on Tuesday November 01, 2022 @02:06PM (#63016069) Homepage

    Anyway, it's stupid. Once they know you're a mark, they'll be back. They've made ransomware dealers richer, and let them know they have a business model that works.

    If the banks had no functioning backups, and no disaster recovery system, then what were their execs doing? Finance the recovery efforts from executive bonuses - or throw the execs in jail for malfeasance.

    Seriously, we've heard this way too often. Security holes should be plugged. And because nothing is perfect, you have a tested disaster recovery system. In one organization I know, the top management has a switch that cuts power to their servers; they occasionally flip it. It's a real-world test of how long it takes to bring up essential services on the disaster recovery hardware. Maintaining that readiness is one of the key IT responsibilities.

    • This. Fine them again the same amount for paying criminals.

    • They also financed organized crime by that $1 billion. And that means the Russian government -- the mafia doesn't merely have ties to it, it's pretty much a branch of the government.

      And that counts as sponsoring terrorism IMHO.

      On the other hand, there is a trivial way to stop this. If jailing execs of guilty companies is "too much", require any ransom payment that's suspected of being related to Russia to come with a donation to Ukraine of 5x as much. Just watch Putin drop the ransoming campaign immediately.

    • In America, rich people just about never go to jail.

    • by AJWM ( 19027 )

      At the very least, such payments should NOT be a tax deductible expense. No reason the rest of us taxpayers should bear any burden for your lax security (including lack of recovery plan).

  • A $billion is less than a bank exec's annual bonus. Maybe if FinCEN just collected the execs' bonuses each year, they'd find a way to make the ransomware stop?
    • What bank exec is that? Jamie Dimon made under $100M last year.

      I suspect that $1B figure was extracted from the lower intestine via the shortest available route. :)

      • Yeah, apparently they can make up to $500 million in salary, and then the bonus can be around 100-150% of that. So no, not strictly a $billion bonus, but still a billion for a year's income. Maybe Jamie Dimon is trying to be low-key with his paltry $100 million? Anyway, they pay themselves obscene amounts for mishandling other people's money.
  • They're the same dumbasses you're almost obliged to have an account with in order to draw a salary and function normally in today's society. Really reassuring to know they have the skills to protect their own money - let alone yours.

  • by Miles_O'Toole ( 5152533 ) on Tuesday November 01, 2022 @02:23PM (#63016143)

    Bankers had believed they'd be left alone by ransomware thieves. Professional courtesy and all that.

  • They realized long ago that it's cheaper to invest into good employees. Not much, mind you, but it keeps you out of the yellow press. And the goodwill alone is worth it.

  • Wouldn't simply BACKING UP THEIR DATA be a lot cheaper???
