Red Flag Indicators For Ransomware Payments
In November 2021, the US Treasury announced a new set of sanctions against criminal ransomware actors, including Chatex, a virtual currency exchange, and three supporters. This is a clear indication that the Treasury will use all of the tools at its disposal to identify and act against any party involved with or supporting those facilitating ransomware payments. The announcement included an update to the Financial Crimes Enforcement Network's (FinCEN's) 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, adding red flags related to ransomware.
Sanctions Risks And Ransomware
Ransomware is a malware attack that prevents or limits users from accessing their systems until a ransom is paid. These ransomware payments put financial institutions at significant risk of incurring civil OFAC penalties as it is increasingly difficult to accurately identify who is receiving the payment. Malicious threat actors that have been sanctioned may disband and reappear with new names and updated tools, and non-sanctioned hackers may use ransomware tools developed by sanctioned parties to circumvent screening procedures.
While regulators such as OFAC acknowledge these difficulties, they still require obligated parties to maintain a robust sanctions compliance program. The thoroughness of that program, and the due diligence steps the company took, may determine whether OFAC issues a penalty, issues a warning or takes no action when a ransomware payment is inadvertently processed.
Financial institutions are often informed of ransomware incidents long after a decision to pay has been made. Even if a bank flags a ransomware payment, it may not have many details about the incident or the attacks. Clients who have already decided that their best course of action is to make payment and restore operations may not be forthcoming about information either. Their best defence is to know and recognize the red flags of a possible ransomware payment.
The Red Flag Indicators for Ransomware Payments
FinCEN has identified several financial red flags that may indicate ransomware-related activity.
1. Transfers that involve a mixing service
Mixers or mixing services are websites designed to conceal the source or owner of virtual currency. Russia’s Hydra market came into sharp focus following the invasion of Ukraine; its mixing service effectively allowed Russian companies to trade and receive crypto assets without detection.
2. The use of encrypted portals
Encrypted communications, such as traffic over Tor or through unidentified web portals, may indicate that a ransomware attack has taken place.
3. Evidence of malicious cyber activity
It may be possible to detect malicious cyber activity in system log files, file information or network traffic from the ransomware victim.
4. Customer declaration
A client may disclose to the financial institution that a payment is being made in response to a ransomware incident, either when opening a new account or during the course of normal operations.
5. Suspicious CVC addresses
Customers’ CVC (Convertible Virtual Currency) addresses or other information may appear on a commercial or government list indicating that the address has been linked to ransomware or related activity.
6. Suspicious transactions
A transaction between an organisation (particularly one in an industry at high risk of being targeted by ransomware attackers, e.g. government, financial services or healthcare) and a DFIR (digital forensics and incident response) or CIC (cyber insurance company) customer may be cause for concern, especially if that customer sends the funds to a CVC exchange shortly after receiving them.
7. Lack of knowledge
If a customer shows interest in or enquires about CVC purchases (especially for a large amount or as a rush request) but demonstrates very limited knowledge of CVCs, it may indicate that they are the victim of a ransomware attack.
8. Large/multiple CVC transactions out of the norm
If a company with no or very limited history of CVC transactions suddenly sends a large CVC transaction outside of expected business practices, that should raise a red flag. Similarly, a customer who has not identified themselves to the CVC exchanger, or who is not registered with FinCEN as a money transmitter, but is using the exchange to offset transactions between various CVCs may be acting as an unregistered money service business.
9. Using exchanges/foreign MSBs in high-risk areas
A customer using a CVC exchange or foreign MSB located in a high-risk jurisdiction with inadequate AML/CFT regulation of CVC companies is a red flag. If the customer initiates several rapid trades between multiple CVCs, they may be attempting to break the chain of custody across blockchains.
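To show how these indicators translate into transaction-monitoring logic, here is an added example that is not from the FinCEN advisory or from sanctions.io: a small Python rule check, run over a constructed ledger, that matches four of the red flags above (listed address, high-risk jurisdiction, large CVC transfer with no CVC history, and a targeted-sector organisation paying a DFIR/CIC that quickly moves the funds into CVC). The $50,000 threshold, the 48-hour window, the flagged address and the jurisdiction code are all assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed reference data: placeholder address and jurisdiction code, not real indicators.
FLAGGED_ADDRESSES = {"bc1q-constructed-flagged-address"}
HIGH_RISK_JURISDICTIONS = {"ZZ"}
TARGETED_SECTORS = {"government", "financial", "healthcare"}
LARGE_CVC_USD = 50_000              # assumed threshold for a "large" CVC transfer
RAPID_WINDOW = timedelta(hours=48)  # assumed meaning of "shortly after receiving the funds"
@dataclass
class Customer:
    cid: str
    sector: str = "other"
    is_dfir_or_cic: bool = False    # incident-response firm or cyber insurance company
    prior_cvc_tx: int = 0           # CVC transactions in the customer's history
@dataclass
class Tx:
    ts: datetime
    sender: Customer
    receiver: "Customer | None"     # None when the counterparty is outside the institution
    usd: float
    kind: str                       # "fiat" or "cvc"
    to_address: str = ""            # destination CVC address, if any
    jurisdiction: str = ""          # jurisdiction of the receiving exchange/MSB
def red_flags(txs):
    # Returns {transaction index: [matched red flags]} for a list of Tx records.
    out = {}
    for i, tx in enumerate(txs):
        flags = []
        if tx.to_address in FLAGGED_ADDRESSES:
            flags.append("CVC address on ransomware list")
        if tx.jurisdiction in HIGH_RISK_JURISDICTIONS:
            flags.append("exchange/MSB in high-risk jurisdiction")
        if tx.kind == "cvc" and tx.sender.prior_cvc_tx == 0 and tx.usd >= LARGE_CVC_USD:
            flags.append("large CVC transfer with no CVC history")
        if tx.receiver and tx.receiver.is_dfir_or_cic and tx.sender.sector in TARGETED_SECTORS:
            flags.append("payment from targeted-sector org to DFIR/CIC")
            # Stronger signal: the DFIR/CIC customer moves the funds to CVC within the window.
            if any(t.sender is tx.receiver and t.kind == "cvc" and t.ts - tx.ts <= RAPID_WINDOW
                   for t in txs[i + 1:]):
                flags.append("rapid onward CVC transfer by DFIR/CIC")
        if flags:
            out[i] = flags
    return out

# Constructed sample ledger: a hospital pays an IR firm, which converts to CVC the next day.
hospital = Customer("C1", sector="healthcare")
ir_firm = Customer("C2", is_dfir_or_cic=True, prior_cvc_tx=12)
SAMPLE = [Tx(datetime(2022, 3, 1, 9), hospital, ir_firm, 250_000, "fiat"),
          Tx(datetime(2022, 3, 2, 10), ir_firm, None, 240_000, "cvc",
             to_address="bc1q-constructed-flagged-address", jurisdiction="ZZ"),
          Tx(datetime(2022, 3, 5, 12), Customer("C3"), None, 1_200, "cvc")]
```

In practice the address and jurisdiction sets would be fed from commercial or government lists, and a hit would feed the SAR decision described below rather than block the payment automatically.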
Filing a SAR
If a financial institution has cause to believe that an incident of ransomware has occurred and that the victim is attempting to make a ransom payment through its systems, it is required to file a Suspicious Activity Report (SAR). The monetary threshold for filing MSB-related SARs is set at or above $2,000, and reportable activity may include transactions related to criminal activity, including unauthorised electronic intrusion or extortion. This applies to both attempted and successful extortion transactions. It’s important to provide as much information as possible, including IP addresses, email addresses, login information, virtual currency wallet addresses and descriptions of suspicious email communications.
Other Considerations
Financial institutions have an important role to play in combating ransomware and other malicious cyber attacks. As part of their ongoing commitment to AML/CFT compliance, these institutions are obligated to:
- Adopt robust sanctions and cybersecurity compliance programs that include internal controls, training, risk assessment, and auditing and testing.
- Prioritise attribution, especially for software-as-a-service organisations. The more information a company can gather about its clients, the better it can assess the risk associated with each client and conduct sanctions screening.
- Insist that external parties adhere to requirements. Where appropriate, ransom negotiators, insurers and financial institutions must receive prompt notice of the potential that payment may be made so that due diligence processes can be followed.
- Maintain transparency. If an investigation is triggered, transparency with law enforcement and other parties is critically important.
Conclusion
It would be exceptionally difficult for financial institutions to detect every ransomware payment that passes through their systems. Criminals are becoming more sophisticated and expert in their ability to disguise their identities. However, if a ransomware payment does slip through, companies need to prove that they have taken every possible precaution to prevent ransomware payments from being processed through their organization. Robust customer due diligence processes and automated screening software can help businesses remain compliant with minimal intrusion and at minimal cost. If you would like to know more, please reach out to our sanctions.io team for more information or an obligation-free demo.