Cyberattacks, specifically ransomware, are among the most significant threats to U.S. financial institutions. The June 2021 release of the Financial Crimes Enforcement Network (FinCEN) Priorities makes this clear in naming cybercrime as one of the eight national anti-money laundering and countering the financing of terrorism (AML/CFT) priorities. On Nov. 8, 2021, FinCEN issued a revised advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf).
Ransomware is a form of malicious software (malware) designed to block access to a computer system or data. It often encrypts data and prevents or limits users from accessing their system, either by locking the system’s screen or locking the users’ files until a ransom is paid. Usually, the ransom is a substantial amount of money or cryptocurrency. In some cases, the perpetrators threaten to publish sensitive information, with significant consequences to those being held ransom for losing sensitive, proprietary, or critical information.
In response to an increase in ransomware attacks, this updated FinCEN advisory rescinds the agency’s previous advisory dated October 2020, showing the dynamic nature and criticality of ransomware threats. According to FinCEN, “Detecting and reporting ransomware payments are vital to holding ransomware attackers.” Recent ransomware disruptions to critical U.S. infrastructure industries include attacks on manufacturing, legal services, insurance, financial services, health care, energy, and food production sectors.
The advisory is full of important information for financial institutions, focusing on disrupting criminal ransomware actors. Processing a ransomware payment typically involves at least one depository institution in facilitating the payment. Most ransom demands are for convertible virtual currency (CVC). After a ransom payment is made, the funds typically flow through a financial institution as a wire transfer, ACH transaction, or credit card payment. Monitoring this type of activity is where the keen eye of AML and fraud investigations professionals is crucial and where AML software can provide significant support.
Trends and Typologies
FinCEN lists the following trends and typologies of which financial institutions need to be aware. While much of the cybercrime detected still relies on simple techniques such as phishing, other schemes are becoming more sophisticated and complex. Summarized examples of these typologies are as follows:
Double Extortion Schemes: Double extortion schemes involve removing sensitive data from the targeted networks, encrypting the system files, and demanding ransom. The cybercriminals then threaten to publish or sell the stolen data if the victim does not pay the ransom.
Use of Anonymity-Enhanced Cryptocurrencies (AECs): Cybercriminals increasingly require or incentivize victims to pay in AECs, which reduce the transparency of CVC financial flows (compared with more transparent CVC such as Bitcoin) through anonymizing features such as mixing and cryptographic enhancements. One such AEC increasingly demanded by ransomware criminals is Monero.
Unregistered CVC Mixing Services: Cybercriminals often use mixers to conceal their illegal activities to protect illicit gains. Mixers are used to “break” the connection between the sender and the receiver of the CVC transaction by commingling CVC belonging to other mixer users and splitting the value into many small pieces that pass through different accounts. This is a classic layering method using innovative technology.
Cashing Out Through Foreign CVC Exchanges: To launder and cash out their illicit proceeds, cybercriminals often use CVC exchanges that have lax compliance controls or that operate in jurisdictions with little regulatory oversight. Financial institutions should pay particular attention to cryptocurrency payments routed through jurisdictions of concern. Cybercriminals may use these exchanges to convert “dirty” CVC to their preferred legal tender or fiat currency and integrate it back into the financial system (integration).
Ransomware Criminals Forming Partnerships and Sharing Resources: Many cybercriminals engage in profit sharing through ransomware-as-a-service (RaaS), a business model in which ransomware developers sell or otherwise deliver ransomware software. RaaS allows cybercriminals of varying skill levels to monetize their illicit access. As part of the profit-sharing arrangement, the RaaS developer often receives a percentage of any ransom paid by the victim.
Use of “Fileless” Ransomware: Fileless ransomware is a sophisticated tool that can be challenging to detect because the malicious code is written to a computer’s memory rather than into a file on a hard drive, allowing cybercriminals to circumvent off-the-shelf antivirus and malware defenses.
“Big Game Hunting” Schemes: Cybercriminals are increasingly engaging in selective targeting of larger enterprises to demand bigger payouts, a practice commonly referred to as “big game hunting.” Cybercriminals may target organizations with weaker security controls and a higher propensity to pay the ransom due to the criticality of their services. This may include community financial institutions and credit unions.
Financial Red Flag Indicators of Ransomware
When FinCEN issues advisories, financial institutions need to know what this means regarding their suspicious activity monitoring and reporting programs. FinCEN has identified the following financial red flag indicators of ransomware-related illicit activity that can be used in training front line staff as well as AML and fraud investigators:
- A financial institution or customer detects IT activity connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
- When opening a new account or during other interactions with the financial institution, the customer provides information indicating that a payment is in response to a ransomware incident.
- A customer’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity. These connections may appear in open-source searches.
- An irregular transaction occurs between an organization, especially one in a sector at high risk of being targeted by ransomware (e.g., government, financial, educational, healthcare), and a customer, especially one known to facilitate ransomware payments.
- A customer receives funds from a counterparty, and shortly after receipt of funds, sends equivalent amounts to a CVC exchange.
- A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly in a large amount or with a rushed request), which may indicate the customer is a victim of ransomware.
- A customer with no or only a limited history of CVC transactions sends a large CVC transaction, particularly when this is outside the company’s standard business practices.
- A customer that has not identified itself to the CVC exchanger or registered with FinCEN as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
- A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking or known to have inadequate AML/CFT regulations for CVC entities.
- A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, followed by a transaction off the platform with no apparent related purpose. This activity may indicate attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
- A customer initiates a transfer of funds involving a mixing service.
- A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
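As an added example (not from the advisory or this article), three of the transaction-based indicators above expressed as simple monitoring rules and run over a constructed ledger; the counterparty classification, the large-amount threshold and the look-back window are assumptions that an institution would tune to its own risk appetite.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ledger (not real data): one record per transaction.
# counterparty_type is assumed to come from the institution's own
# counterparty classification (e.g. its CVC-exchange and mixer lists).
LEDGER = [
    {"customer": "C1", "date": date(2021, 11, 10), "direction": "in",
     "amount": 250_000, "counterparty": "Acme LLC", "counterparty_type": "business"},
    {"customer": "C1", "date": date(2021, 11, 11), "direction": "out",
     "amount": 249_000, "counterparty": "ExchangeX", "counterparty_type": "cvc_exchange"},
    {"customer": "C2", "date": date(2021, 11, 12), "direction": "out",
     "amount": 180_000, "counterparty": "ExchangeY", "counterparty_type": "cvc_exchange"},
    {"customer": "C3", "date": date(2021, 11, 12), "direction": "out",
     "amount": 500, "counterparty": "MixerZ", "counterparty_type": "mixer"},
    {"customer": "C4", "date": date(2021, 11, 13), "direction": "out",
     "amount": 2_000, "counterparty": "ExchangeX", "counterparty_type": "cvc_exchange"},
]

LARGE_CVC = 100_000        # assumed threshold for a "large" CVC transaction
WINDOW = timedelta(days=3) # assumed look-back for "shortly after receipt of funds"
TOLERANCE = 0.05           # "equivalent amount": within 5% of the inbound funds

def flag_ransomware_red_flags(ledger, prior_cvc_customers=frozenset()):
    """Return sorted (customer, rule) pairs; prior_cvc_customers holds customers
    with an established CVC history, so they are not hit by the no-history rule."""
    flags = set()
    by_customer = defaultdict(list)
    for tx in sorted(ledger, key=lambda t: t["date"]):
        by_customer[tx["customer"]].append(tx)
    for cust, txs in by_customer.items():
        for tx in txs:
            if tx["direction"] != "out":
                continue
            if tx["counterparty_type"] == "mixer":          # transfer involving a mixer
                flags.add((cust, "mixing_service"))
            if tx["counterparty_type"] == "cvc_exchange":
                if tx["amount"] >= LARGE_CVC and cust not in prior_cvc_customers:
                    flags.add((cust, "large_cvc_no_history"))
                # inbound funds within the window whose amount matches within tolerance
                for prev in txs:
                    if (prev["direction"] == "in"
                            and timedelta(0) <= tx["date"] - prev["date"] <= WINDOW
                            and abs(tx["amount"] - prev["amount"]) <= TOLERANCE * prev["amount"]):
                        flags.add((cust, "receive_then_forward_to_exchange"))
    return sorted(flags)

if __name__ == "__main__":
    for customer, rule in flag_ransomware_red_flags(LEDGER):
        print(f"{customer}: {rule}")
```

Each flag is a prompt for investigator review, not a conclusion; the rules are deliberately simple so that the logic behind every alert can be explained in the SAR narrative.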
How to File a SAR for Ransomware
These criminals must be held accountable for their crimes, and the laundering of ransomware proceeds must be prevented. Financial institutions can use the 314(B) information sharing statute to assist law enforcement. This often-underutilized method of information exchange with safe harbor is critical to following the criminal activity in these complex schemes.
In addition to using 314(B) authority, FinCEN has asked that specific language be used when filing a suspicious activity report (SAR) for cyber events:
- In SAR field 2 (Filing Institution Note to FinCEN) and in the narrative, indicate that the activity could be indicative of ransomware-related activity.
- Select SAR field 42 (Cyber Event) as the suspicious activity type.
- Also, select SAR field 42z (Cyber Event-Other) as an additional suspicious activity type while using the keyword “ransomware” in this field.
- Include relevant technical cyber indicators related to the activity or transactions in SAR fields 44(a)-(j), (z).
- Include the critical term “CYBER FIN-2021-A004” in the SAR narrative.
As a FinCrime professional, it is incumbent upon you to stay in touch with the spectrum of criminal activity in your surrounding areas. Staying current with these FinCEN Priorities is a good foundation but should not be the only knowledge gathering you do. Thankfully, the AML and fraud industries offer extensive opportunities for professionals to learn about these schemes. It is highly recommended that your financial institution take advantage of those opportunities.
Terri Lutrell is a compliance and engagement director at Abrigo. She provides insights that contribute to and support long-term banking strategies based on analysis of market and industry trends, competitor developments, and financial and regulatory technology changes. She is an audit-certified anti-money laundering specialist and a board member of the Central Texas chapter of the Association of Certified Anti-Money Laundering Specialists (ACAMS).