The FBI Internet Crime Complaint Center (IC3) released its 2021 cyber crime report highlighting the threat that ransomware attacks pose to critical infrastructure entities.
According to the Internet Crime Report 2021, the IC3 received 847,376 complaints in 2021 on all internet crimes, with losses amounting to $6.9 billion.
This figure was a small increase from the 791,790 complaints received in 2020 and a disproportionate increase in losses from the $4.2 billion recorded that year.
In the last five years, the IC3 has received 2.76 million complaints amounting to $18.7 billion in losses.
IC3 works with law enforcement authorities, including the Federal Bureau of Investigation (FBI) and industry partners, to collect and analyze information for public awareness, investigative, and intelligence purposes.
What are the top cyber crimes in 2021?
Phishing/vishing/smishing was the most prevalent cyber crime, with IC3 receiving 323,972 complaints in 2021, with losses amounting to $44 million.
“Looking at the top three internet complaints from 2021, phishing was exponentially more pervasive, receiving four times as many complaints as the next-highest one,” Paul Laudanski, Head of Threat Intelligence at Tessian said. “A significant factor contributing to this spike is the level of sophistication we’re seeing from bad actors.
“The FBI’s report details how attackers are leveraging video meetings to carry out Business Email Compromise scams, using deep fake technology to socially engineer employees to move money. This is an advanced attack technique that we wouldn’t have seen as often two years ago, especially before the era of video meetings.”
Non-payment/non-delivery of goods followed with 82,478 complaints. This category of cyber crime involves sellers failing to receive payments for goods they sent or buyers failing to receive goods they have purchased.
IC3 also received 51,829 complaints on personal data breaches, 43,330 on identity theft, and 39,360 complaints on extortion.
Ransomware attacks pose the biggest risk to critical infrastructure sectors
The US designated 16 critical infrastructure sectors whose disruption has catastrophic outcomes on the security, national economy, or public health and safety of its citizens.
IC3 received 3,729 complaints on ransomware attacks in 2021, amounting to $49.2 million in losses. Of these, 649 complaints were targeting critical infrastructure organizations.
Similarly, out of 16 critical infrastructure sectors, IC3 reported that 14 sectors had at least one member experiencing a ransomware attack in 2021.
The Healthcare and Public Health sector recorded the highest number of ransomware attacks (148), followed by Financial Services (89), Information Technology (74), and Critical Manufacturing (65).
The report covered a period when high-profile ransomware attacks on the U.S. gas supplier Colonial Pipeline and JBS Foods food processing company happened.
However, the actual number of ransomware attacks is likely higher than the reported ransomware incidents. This is because IC3 only started tracking ransomware attacks on critical infrastructure in June 2021.
Additionally, some critical infrastructure organizations do not report ransomware attacks to the IC3. To increase transparency, President Joe Biden signed a law requiring critical infrastructure organizations to report cyber attacks and ransom payments within 72 hours and 24 hours, respectively.
IC3 also listed REvil/Sodinokibi, LockBit 2.0, and Conti as the top cyber crime groups victimizing critical infrastructure organizations.
CONTI usually targeted the critical manufacturing, commercial facilities, and food and agriculture sectors; LockBit preferred government facilities, financial services, and healthcare and public health sectors; while REvil/Sodinokibi usually targeted financial services, information technology, and healthcare and public health sectors.
Volume-wise, Conti had the highest number of ransomware attacks on critical infrastructure (87), followed by LockBit (58), and the defunct REvil/Sodinokibi (51).
In March and September 2021, US authorities warned about Conti targeting healthcare and first responder networks and the U.S. and international organizations, respectively.
The FBI discourages ransom payment because it encourages ransomware groups to target other organizations. Additionally, there are high chances of not receiving data after paying the ransom.
Despite its best efforts to address ransomware, the FBI anticipates more attacks against critical infrastructure in 2022.
Cyber crime losses are outgrowing the number of attacks
The FBI annual internet crime report found that cyber crime losses grew disproportionately relative to the number of attacks.
During the 2021 period, the number of complaints received increased by 7% from 2020, while the cost of cyber crime grew by 64%.
The older generations experienced slightly more attacks than younger generations except in the case of people in the 50-59 age group. However, every older demographic reported more losses than the preceding younger group.
Although not among the top five crimes by volume (19,954), Business Email Compromise (BEC) was the top-grossing cyber crime amounting to about $2.4 billion.
Similarly, the IC3 annual internet crime report recorded 34,202 cryptocurrency scams, with losses rising sevenfold from $246 million in 2020 to $1.6 billion in 2021.