US federal officials remain intent on tracking ransomware activity

On November 8, the United States Financial Crimes Enforcement Network (FinCEN) published a new advisory on: “Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” (the advisory), which updates an advisory that FinCEN issued in October 2020 on the same topic. 

The advisory is another in what has been a succession of guidance and reports that have been issued in recent months by the Office of Foreign Asset Control (OFAC), the Department of Justice and the Security and Exchange Commission. Our firm previously published a client update (available here) addressing OFAC’s September 21, 2021 updated ransomware guidance, including the potential sanctions risk faced by parties who  make or facilitate a ransom payment to a sanctioned entity, as well as the significant mitigation credit  such parties may receive if they take certain steps, including implementing a reasonable  sanctions compliance program and promptly notifying and cooperating with relevant government and law enforcement agencies.

This most recent FinCEN advisory is based on information contained in FinCEN’s Financial Trend Analysis Report that was issued in October 2021, and describes new trends and typologies of ransomware and associated payments, including the growing use of Anonymity-Enhanced Cryptocurrencies (AECs) and decentralized mixers. The advisory will be of particular interest to financial institutions, particularly banks and MSBs that engage in money transmission related to cryptocurrency transactions.  For other businesses that provide services that may involve  cryptocurrency transactions, the advisory raises the question as to whether they should be registered and licensed as MSBs, with the attendant obligation to implement AML compliance programs and file suspicious activity reports (SARs). 

Key messages that should be taken from the advisory include: 

1. The making of  ransomware payments by entities victimized by cybercriminals is not favored by federal authorities but it is not illegal (at least insofar as no prohibited parties are involved). 
2. Staunching ransomware schemes by disrupting payment mechanisms used by cybercriminals is a high priority of the federal enforcement establishment. The advisory provides added clarity to expectations that financial institutions will adopt transaction monitoring and related analytical procedures to both identify and report suspected ransomware transactions. 
3. Financial institutions need to  have their compliance programs updated to be able to identify ransomware transactions, file timely and informative SARs in connection with cyber-related suspicious transactions and  alert FinCEN or law enforcement in real time of such suspicious transactions.
4. Institutions that are unable to devote the resources needed to implement vigorous AML compliance protocols around cyber-related businesses should carefully evaluate whether serving such businesses is consistent with the institution’s risk profile. 
5. Entities that are involved in facilitating ransomware payments may need to register as MSBs.    

FinCEN’s objective is to ensure that financial institutions are capable of identifying transactions related to ransomware payments and providing enforcement agencies with relevant and timely information about those transactions.  Unlike the advisory issued by OFAC in September, the FinCEN advisory covers all suspected ransomware payments whether they are ultimately provided to a sanctioned entity or not.  The advisory identifies convertible virtual currency (CVC) as the preferred payment method of payment for ransomware and notes that most ransomware schemes involve a series of transactions that include at least one depository institution and other intermediaries including MSBs. It also explains that Cyber Insurance Companies (CICs) and Digital Forensic and Incident Response (DFIR) companies can play a role in facilitating ransomware-related money laundering. CICs issue policies designed to mitigate the victim’s losses from a variety of cyber incidents, such as data breaches, business interruption and network damage. CICs may reimburse policyholders for particular remediation services including the use of DFIRs, if needed. As part of incident remediation, victims may hire a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal and investigate the source of the cybersecurity breach. The advisory advises, however, that facilitating these types of payments to cybercriminals could constitute a money transmission that would give rise to the obligation to be registered with FinCEN as an MSB, as well as the attendant obligation to implement an AML compliance program that includes the ability to file SARs. 

FinCEN states that it will take action against entities and individuals engaged in such money transmissions or other MSB activities if they do not register with FinCEN or comply with AML obligations. 

The advisory lists several circumstances that, if identified by financial institutions, should serve as red flag indications of potential ransomware-associated money laundering. These red flags include: 

• Evidence of IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
• When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
• A customer’s CVC address, or an address with which a customer conducts transactions is connected to ransomware variants, payments, or related activity. These connections may appear in open sources or commercial or government analyses.
• An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) and a DFIR or CIC, especially one known to facilitate ransomware payments.
• A DFIR or CIC customer receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
• A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet asks about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
• A customer that has no or limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
• A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
• A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities.
• A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs like Monero, with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
• A customer initiates a transfer of funds involving a mixing service.
• A customer uses an encrypted network (e.g., the onion router ) or an unidentified web portal to communicate with the recipient of the CVC transaction.

When circumstances warrant the filing of a SAR, the advisory is very specific about how fields on the SAR report should be filled out to ensure a that the enforcement agencies appreciate the connection between the suspicious activity being reported and ransomware-related activity. In particular, financial institutions should select SAR field 42 (cyber event) as the associated suspicious activity type, as well as select SAR field 42z (cyber event - other) while including “ransomware” as a keyword in SAR field 42z, to indicate a connection between the suspicious activity being reported and possible ransomware activity. Additionally, financial institutions should include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), (z).

If you have any questions related to this guidance or issues associated with ransomware more broadly please feel free to contact the authors of this update.