FinCEN – Ransomware Trend Analysis

In December 2025, the Financial Crimes Enforcement Network (FinCEN) issued its latest Financial Trend Analysis (FTA) on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024. Section 6206 of the Anti-Money Laundering Act (AMLA) of 2020 requires FinCEN to periodically publish threat patterns and trend information derived from suspicious activity report (SAR) filings.

As most readers are aware, ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to systems or data.

In some cases, in addition to encrypting information, the cyber-criminals threaten to publish sensitive files belonging to the victims, which can be individuals or businesses, including financial institutions. The consequences of a ransomware attack can be severe and extensive: loss of sensitive, proprietary, and critical information, loss of business functionality, and reputational damage.

Snapshot of the FTA

According to the report, ransomware incidents and payments reached an all-time high in 2023—at 1,512 incidents, totaling approximately $1.1 billion in payments—an increase of 77 percent in total payments year-over-year from 2022 to 2023. During this review period, the most commonly targeted industries (by number of reported incidents) were manufacturing, financial services, and healthcare. However, retail, science and technology, as well as legal services were also affected by ransomware, often paying hefty ransoms. Most ransoms (97%) were paid in Bitcoin, often funneled through unhosted wallets and convertible virtual currency (CVC) platforms.

Reported incidents decreased slightly in 2024 to 1,476, and total payments fell to approximately $734 million. Don’t let the decrease in incidents fool you, though: the number of incidents and the amounts paid fluctuated throughout the review period rather than following a steady trend.

Ransomware incidents continue to plague the financial services sector in particular, and many institutions have fallen victim to cyber-attacks in 2025. One recent ransomware attack on a fintech software provider exposed the information of dozens of banks and credit unions, and of over 400,000 customers and members across the United States. We won’t name names here.

Ransomware Detection, Mitigation, and Reporting

So, what steps can credit unions take to help detect vulnerabilities and mitigate the risks associated with potential ransomware attacks? FinCEN recommends the following actions: 

•    Incorporate Indicators of Compromise (IOCs) (i.e., clues or evidence that suggest a network has been attacked or breached) from threat data sources into the credit union’s intrusion detection and security alert systems, so that suspected malicious activity can be actively blocked or reported.

•    Contact law enforcement immediately regarding any ransomware-related activity, and contact the Office of Foreign Assets Control (OFAC) if there is any reason to suspect that the cyber actor demanding the ransom payment may be a Specially Designated National (SDN) or otherwise have a sanctions nexus. See OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.

•    Report suspicious activity to FinCEN, highlighting the presence of “Cyber Event Indicators of Compromise.” IOCs - such as suspicious email addresses, file names, hashes, domains, and IP addresses - can be provided on the SAR. Information regarding type of ransomware (“variant”), the use of “anonymity enhancing CVCs” for payment (to reduce the transparency of CVC financial flows), or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments.

FinCEN requests that all financial institutions include the key term “CYBER-FIN-2021-A004” in their SARs to indicate a connection between the suspicious activity being reported and ransomware-related activity.

•    Review and incorporate financial “red flag” indicators of ransomware into your credit union’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Programs. For example, a business member with no or limited history of CVC transactions that suddenly sends a large CVC transaction, particularly one outside the member’s normal business practices, is a red flag that warrants a closer look. See FinCEN’s “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (FIN-2021-A004).
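As an added example (not FinCEN’s guidance and not code from the original article), the Python script below shows what two of the recommendations above look like as monitoring logic: matching the IOC types a SAR can carry (IP addresses, domains, email addresses, file hashes) against log lines, and the CVC red-flag rule from the last bullet, where a member with little prior CVC activity sends an unusually large CVC transfer. The IOC feed, log lines, member transactions and dollar thresholds are all constructed for the example and are assumptions, not FinCEN figures.

```python
"""Added example: IOC matching and the CVC red-flag rule from the FinCEN
recommendations. Not FinCEN's or the original article's code. Every IOC,
log line and transaction below is constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# ---- 1. IOC matching against log lines (the "incorporate IOCs" recommendation) ----
# Hypothetical IOC feed, keyed by the indicator types a SAR can carry.
IOC_FEED = {
    "ip":     {"203.0.113.45"},                      # documentation range, constructed
    "domain": {"update-check.example"},              # constructed
    "email":  {"payments@invoice-notify.example"},   # constructed
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},  # stand-in hash
}
PATTERNS = {
    "ip":     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "email":  re.compile(r"[a-z0-9._+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}

def match_iocs(log_lines, feed=IOC_FEED):
    """Return (line_number, indicator_type, value) for every feed hit.
    Extraction is regex-based per type, so one line can produce several hits."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        text = line.lower()
        for kind, pattern in PATTERNS.items():
            for value in sorted(set(pattern.findall(text))):
                if value in feed.get(kind, ()):
                    hits.append((n, kind, value))
    return hits

# Constructed log lines: proxy, mail gateway, EDR, and a benign proxy line.
SAMPLE_LOGS = [
    "2024-03-02T10:14:55Z proxy src=10.1.2.3 dst=203.0.113.45 host=update-check.example GET /a.bin",
    "2024-03-02T10:15:02Z mail from=payments@invoice-notify.example to=ap@cu.example subject=Invoice",
    "2024-03-02T10:15:09Z edr host=ws-17 file=inv.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-03-02T10:16:00Z proxy src=10.1.2.9 dst=198.51.100.7 host=www.example.org GET /",
]

# ---- 2. The CVC red flag: little CVC history, then a large CVC transfer ----
@dataclass
class Txn:
    member: str
    when: date
    channel: str   # "cvc" = transfer to a convertible virtual currency platform; "ach"/"wire" otherwise
    amount: float  # outgoing USD value

# Thresholds are assumptions for the example, not FinCEN figures.
MIN_CVC_HISTORY = 3        # fewer prior CVC transfers than this = "no or limited history"
ABS_LARGE_USD = 10_000.0   # dollar floor for "large"
RATIO_TO_TYPICAL = 5.0     # or this multiple of the member's average outgoing amount

def cvc_red_flags(txns, min_history=MIN_CVC_HISTORY, abs_large=ABS_LARGE_USD, ratio=RATIO_TO_TYPICAL):
    """Walk transactions in date order; each member's earlier activity is its baseline.
    Returns (member, date, amount, prior_cvc_count, typical_outgoing) per flag."""
    flags, history = [], defaultdict(list)
    for t in sorted(txns, key=lambda x: x.when):
        prior = history[t.member]
        if t.channel == "cvc":
            prior_cvc = sum(1 for p in prior if p.channel == "cvc")
            typical = mean([p.amount for p in prior]) if prior else 0.0
            limited_history = prior_cvc < min_history
            large = t.amount >= abs_large or (typical > 0 and t.amount >= ratio * typical)
            if limited_history and large:
                flags.append((t.member, t.when.isoformat(), t.amount, prior_cvc, round(typical, 2)))
        prior.append(t)
    return flags

# Constructed history for three business members.
SAMPLE_TXNS = (
    # biz-001: routine ACH payables, then a first-ever $48k CVC transfer -> flag
    [Txn("biz-001", date(2024, 1, 5), "ach", 2400.0), Txn("biz-001", date(2024, 1, 19), "ach", 3100.0),
     Txn("biz-001", date(2024, 2, 2), "ach", 2800.0), Txn("biz-001", date(2024, 2, 9), "cvc", 48000.0)]
    # biz-002: an established CVC user; a larger transfer is unusual but not "limited history"
    + [Txn("biz-002", date(2024, 1, d), "cvc", 5000.0) for d in (3, 8, 12, 17, 22, 29)]
    + [Txn("biz-002", date(2024, 2, 6), "cvc", 30000.0)]
    # biz-003: first CVC transfer, but small -> no flag
    + [Txn("biz-003", date(2024, 1, 10), "ach", 1500.0), Txn("biz-003", date(2024, 2, 1), "cvc", 900.0)]
)

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print("IOC hit:", hit)
    for flag in cvc_red_flags(SAMPLE_TXNS):
        print("CVC red flag:", flag)
```

Running the script reports four IOC hits on the first three log lines and none on the benign line, and exactly one CVC red flag (biz-001, whose prior CVC count is zero and whose typical outgoing amount was under $3,000). The biz-002 case is deliberately not flagged: the rule keys on limited history combined with size, so an established CVC user needs a different baseline test. The flag tuple carries what a SAR narrative would want alongside the virtual currency address and transaction hash: prior CVC count and the member’s typical outgoing amount.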

Reporting Suspicious Cyber Activity

FinCEN also directs financial institutions to contact the Cybersecurity and Infrastructure Security Agency (CISA) to report any intrusion and request technical assistance at cisaservicedesk@cisa.dhs.gov or 888-282-0870, the Federal Bureau of Investigation (FBI) through a local field office or FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937, or a local U.S. Secret Service field office to report a crime.

See also: StopRansomware.gov: CISA’s “one-stop-shop” for government resources containing alerts, guides, fact sheets, and training all focused on reducing the risk of ransomware.

NCUA’s Cyber Incident Reporting Rule

Last but not least, do not forget about NCUA’s cyber-incident reporting rule. All federally insured credit unions are required to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a “reportable cyber incident” or received a notification from a third party regarding a reportable cyber incident. A reportable cyber incident is any “substantial” cyber incident that leads to one or more of the following:

•    A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
•    A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities. 
•    A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

Ransomware attacks impacting critical systems or data would qualify as a reportable cyber incident. See NCUA Letter 23-CU-07: Cyber Incident Notification Requirements, Appendix A: Examples of Substantial Incidents that Likely Would Qualify as Reportable Cyber Incidents.

NCUA separately sets risk-based requirements for responding to a data breach (“unauthorized access to member information in member information systems”). Lastly, note that almost every state has its own data breach notification law. Some, but not all, have exemptions for entities that comply with the Gramm-Leach-Bliley Act. Consult your local legal counsel to keep current with these rapidly changing requirements.

Additional Resources

FinCEN Combats Ransomware | FinCEN.gov

Cyber Incident Reporting Guide | NCUA

Cybersecurity Resources | NCUA