Compliance Blog

On November 8, 2021, FinCEN issued an advisory on “Ransomware and the Use of the Financial System to Facilitate Ransom Payments.” This advisory updates and rescinds a previous advisory, published on October 1, 2020. FinCEN is releasing an updated advisory due to “the increase of ransomware attacks in recent months” and to reflect new information released by FinCEN.

FinCEN is concerned about financial institutions because of “the critical role financial institutions play in the collection of ransom payments.” As FinCEN notes, ransomware payments are a multi-step process that will involve at least one depository institution, if not more. FinCEN notes that it will not hesitate to take action against any entity that is engaged in money transmission that fails to comply with their anti-money laundering (AML) obligations. Furthermore, FinCEN reminds institutions that they must also remain aware of any OFAC related obligations that may arise.

Trends and Types of Ransomware

FinCEN provides the following types of ransomware attacks and trends that financial institutions should be watching for:

·       Extortion schemes: FinCEN has noted that there has been an increase in “double extortion schemes.” In a double extortion scheme, cybercriminals remove or encrypt data from a target’s system and demand ransom. Cybercriminals then demand more ransom in exchange for not releasing the data to the public.

·       Use of Anonymity-Enhanced Cryptocurrencies (AECs): While cybercriminals usually request to be paid in Bitcoins, cybercriminals are increasingly demanding AECs which provide less transparency, more security for cybercriminals, and makes it harder for law enforcement to track.

·       Unregistered CVC mixing services: Convertible virtual currency (CVC) mixing services allow a cybercriminal to comingle CVC belonging to another mixer user in order to attempt to break the connection between the cybercriminal and victim.

·       Cashing out through foreign CVC exchanges: Cybercriminals have increasingly turned to foreign CVC exchanges with lax compliance controls to launder and cash out the CVC earned from criminal activities. Cybercriminals then integrate the hard currency back into the financial system.

·       Ransomware criminals forming partnerships and sharing resources: Many cybercriminals have recently engaged in profit sharing with other cybercriminals through ransomware-as-a-service (RaaS). Through RaaS, ransomware developers deliver or sell ransomware software to cybercriminals that have gained access to a victim’s network. RaaS developers generally receives a percentage of the ransom that the victim pays.

·       Use of “fileless” ransomware: Financial institutions may want to watch out for fileless ransomware. Fileless ransomware is code that is written into a computer’s memory, rather than a file on a hard drive. This makes it harder to detect and allows cybercriminals to circumvent “off-the-shelf antivirus and malware defenses.” Credit unions may want to review its cyber security protocols and tools to see if the credit union is protected from fileless ransomware.

·       “Big game hunting” schemes: Cybercriminals are increasing targeting larger enterprises to demand bigger payouts.

Financial Red Flag Indicators of Ransomware and Associated Payments

In the advisory, FinCEN identifies the following financial red flag indicators of “ransomware-related illicit activity.” FinCEN notes that no single red flag is indicative of suspicious activity and “financial institutions should consider all relevant facts and circumstances of each transaction.”

·       Detection of IT enterprise activity connected to ransomware cyber indicators or threat actors;

·       During interactions with a customer, the customer indicates that a payment is in response to a ransomware attack;

·       A customer’s CVC address or address where they conduct transactions are related to ransomware variants, payments, or other related activity;

·       Irregular transactions between an organization and a cyber insurance company (CIC) or digital forensic and incident response (DFIR) company;

·       A CIC or DFIR receives funds and shortly thereafter, sends equivalent amount to a CVC exchange;

·       Customer demonstrates a lack of knowledge regarding CVCs but shows interest in purchasing CVCs (especially if in a rush or for large amounts);

·       Customer with little or no history of CVC transactions conducts a large CVC transaction;

·       “A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB;”

·       Customer uses a CVC exchanger in a high-risk foreign jurisdiction or a jurisdiction that lacks adequate compliance controls;

·       Customer receives CVC from an external wallet and proceeds to conduct multiple rapid trades with multiple CVCs;

·       Customer transfers funds using a mixing service; and

·       Customer uses an encrypted network or unidentified web portal for communications with a CVC transaction recipient.

Suspicious Activity Report Obligations

Finally, the advisory reminds financial institutions of their obligation to file suspicious activity reports (SARs). FinCEN notes:

“Financial institutions play an important role in protecting the U.S. financial system from ransomware threats through compliance with their BSA obligations. Financial institutions should determine if filing a SAR is required or appropriate when dealing with an incident of ransomware conducted by, at, or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware”

For more information regarding SARs, credit unions may want to review the FFIEC’s BSA/AML Manual’s page on SARs. For more information regarding ransomware, here and here are two NAFCU compliance blog posts that may be helpful to credit unions.