The Financial Crimes Enforcement Network (FinCEN) – a bureau of the United States Treasury Department tasked with combatting domestic and international money laundering and terror-financing activity – issued a special advisory on ransomware and its relation to the exploitation of the global financial system earlier this month. Ransomware, a form of malicious software (i.e. malware) designed to block access to a computer system or data, generally by encrypting data or programs on IT systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data [2], has seen an exponential rise in prevalence, as well as in level of sophistication and ultimate success rate, in the wake of the ongoing COVID-19 pandemic. After compiling data collected during the first half of fiscal year 2021, FinCEN has found that this troubling trend has only continued to grow. With that data in hand, however, the Treasury report was able to analyze specific trends, typologies, and potential indicators of ransomware and related money laundering activities that may help law enforcement and financial service providers alike better identify and thwart activity of this nature. In fact, one of the key takeaways from the report is that financial institutions play a significant, yet grossly unheralded, role in the prevention of ransomware attacks, with improved vigilance and oversight on the financial sector’s front lines likely to help stop some of the major cyberattacks that have plagued American financial institutions large and small in recent years.
This advisory from FinCEN comes on the heels of a similar release issued by the U.S. Office of Foreign Assets Control (OFAC) in late September, demonstrating just how much attention is being paid to this growing issue. In its advisory, OFAC – which administers and enforces economic and trade sanctions on behalf of the Treasury Department – highlighted potential sanctions risks associated with ransomware in connection with malicious cyber-enabled activities, with respect to individuals, organizations, and new and established payment platforms found to have knowingly or unknowingly facilitated ransomware payments for bad actors [2]. With much of the developed world delving into cryptocurrency markets in some form, analysts have speculated that the lack of regulation of this growing market, coupled with the anonymity these payment platforms provide compared to traditional methods of payment, has only added to the difficulty of bringing fraudsters operating in this sphere to justice. This trend, too, has caught the Treasury’s eye. In late September, Global RADAR reported on OFAC’s decision to levy the first ever sanction against a cryptocurrency exchange, adding Czech-incorporated cryptocurrency exchange SUEX OTC to its Specially Designated Nationals (SDN) list for acting on behalf of ransomware actors. Intelligence collected by U.S. authorities showed that upwards of 40% of the platform’s transactions involved multinational criminal groups with direct ties to illicit activity, with SUEX collectively receiving over $160 million from individuals and entities identified as scammers, dark web operators, and ransomware gangs in exchange for its services. The sanctions placed on SUEX explicitly prohibit U.S.-based individuals and firms from conducting business with or through the platform, while also blocking any assets the company and its ownership may have within American borders.
FinCEN’s recent advisory also examines the crypto space, noting that, much like traditional banking transactions, the processing of ransomware payments requires a depository institution and one or more money services businesses for criminals to make off with their illicit proceeds. FinCEN recognizes that convertible virtual currencies (CVCs) are the primary form of payment that ransomware perpetrators use to move and launder their money. Using a multi-step process, criminals often require their victims to wire money or provide a credit card payment to an exchange to purchase the specific type and amount of CVC they demand. The victim will then send the CVC, often from a wallet hosted by the exchange, to the perpetrator’s designated account or CVC address [1]. These cybercriminals will often continue to move their CVCs around, or diversify by exchanging their coins for other virtual currencies, in an effort to dilute any paper trail that law enforcement may attempt to follow.
In its advisory, FinCEN stresses the importance of financial institutions continuing to report suspicious activity, regardless of the monotony involved in the process. Today, financial institutions are required to file a suspicious activity report (SAR) if they know, suspect, or have reason to suspect that a transaction conducted or attempted by, at, or through the institution involves or aggregates to $5,000 (or, with one exception, $2,000 for MSBs) or more in funds or other assets and involves funds derived from illegal activity [1]. This also holds true where individuals may be attempting to disguise funds derived from illegal activity, evade regulations promulgated under the Bank Secrecy Act (BSA), or where a transaction lacks any apparent lawful purpose or involves the use of the financial institution to facilitate criminal activity [1]. Reportable activity can involve transactions, including payments made by financial institutions, related to criminal activity such as extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems. SAR obligations apply to both attempted and successful transactions, including both attempted and successfully initiated extortion transactions.
With this reminder, FinCEN is basically saying it’s better to err on the side of caution with respect to the SAR filing process. Even if filing is not necessarily required, institutions may still file a SAR voluntarily if they believe the information will be helpful to law enforcement in its efforts to better protect the financial system. Examples of relevant information that can help facilitate criminal investigations include names and email addresses of the pertinent parties, internet protocol (IP) addresses with timestamps, login information, CVC wallet addresses, International Mobile Equipment Identity (IMEI) numbers, malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications. This practice coincides with the other overarching theme of FinCEN’s advisory – information sharing. In order to better identify broader patterns in criminal activity and stop ransomware schemes, financial institutions should openly share their respective data with one another, as well as with regulatory bodies and the proper authorities. Under Section 314(b) of the USA PATRIOT Act, financial institutions are authorized to share relevant information on fraudulent activities such as extortion and computer-based fraud and/or abuse, which are the primary means of achieving financial gain in the majority of today’s ransomware exploits.
- [1] “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.” Financial Crimes Enforcement Network, U.S. Department of the Treasury, 1 Oct. 2021.
- [2] “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” Office of Foreign Assets Control, U.S. Department of the Treasury, 21 Sept. 2021.