FinCEN has released an updated advisory on ransomware and on the use of the financial system to facilitate ransom payments.

The advisory responds to recent ransomware attacks against U.S. infrastructure, such as the May 2021 attack on Colonial Pipeline, and to new trends involving anonymity-enhanced cryptocurrencies (AECs) and decentralized mixers, which automate the mixing process.

Ransomware is a form of malware (malicious software) in which perpetrators encrypt data on an individual's or a business entity's computer system and only decrypt the victim's information in return for a ransom payment that is often used in terrorist financing. Sometimes the perpetrator also blackmails victims by threatening to release sensitive information they have gathered. Financial institutions play a major role in processing ransomware payments, which are usually made in the form of convertible virtual currency (CVC) and moved using "smurfing" and other money laundering tactics. Digital Forensics and Incident Response (DFIR) teams, along with cyber insurance companies (CICs), may mitigate damages, handle reimbursements, or negotiate with cybercriminals. On the other hand, they may also end up facilitating payments to the ransomware operators.

Indicators of Potential Ransomware 

  • System log files, network traffic, or file information show malicious IT activity matching known ransomware cyber indicators.
  • A customer's CVC address is found to be connected with ransomware activity or a mixing service.
  • An irregular transaction is detected between an organization and a DFIR firm or a CIC.
  • A customer with little history of CVC transactions makes a large transaction that falls outside the company's normal business practice.
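The four red flags above are the kind of rules a compliance or detection team would encode in transaction screening. The following is an added example (not code from FinCEN or from the law firm) that screens a batch of CVC transactions against them. The watchlists, customer profiles and thresholds are all constructed or assumed for illustration; a real deployment would source address intelligence from a vetted blockchain-analytics feed and tune the thresholds to the institution's own customer base.

```python
"""Screen CVC transactions against the FinCEN ransomware red flags listed above.

All watchlists, thresholds and sample records are constructed for this example.
"""
from dataclasses import dataclass

# Constructed watchlists (placeholder strings, not real addresses or IoCs).
RANSOMWARE_ADDRESSES = {"addr-constructed-ransomware-01"}
MIXER_ADDRESSES = {"addr-constructed-mixer-01"}
DFIR_CIC_PARTIES = {"dfir-firm-constructed", "cyber-insurer-constructed"}

# Assumed tuning parameters (not taken from the advisory).
LOW_HISTORY_TX_COUNT = 3      # fewer prior CVC transactions than this = "little history"
LARGE_MULTIPLE = 10.0         # amount >= this multiple of the customer's typical size = "large"
IRREGULAR_MULTIPLE = 3.0      # DFIR/CIC payment above this multiple of typical size = "irregular"
MIN_BASELINE_USD = 1_000.0    # floor so brand-new customers (typical size 0) get a sane baseline


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    customer_id: str
    counterparty: str                    # CVC address or named counterparty
    amount_usd: float
    prior_cvc_tx_count: int              # customer's CVC transactions before this one
    typical_amount_usd: float            # customer's typical transaction size from their profile
    prior_dealings_with_counterparty: bool


def screen_transaction(tx: Transaction) -> list[str]:
    """Return the list of red flags raised by one transaction (empty if none)."""
    flags: list[str] = []
    baseline = max(tx.typical_amount_usd, MIN_BASELINE_USD)

    # Red flag: counterparty address tied to ransomware activity or a mixer.
    if tx.counterparty in RANSOMWARE_ADDRESSES:
        flags.append("counterparty address linked to ransomware activity")
    if tx.counterparty in MIXER_ADDRESSES:
        flags.append("counterparty address linked to a mixing service")

    # Red flag: irregular payment to a DFIR firm or cyber insurer, here defined as a
    # first-time counterparty or an amount well above the customer's normal size.
    if tx.counterparty in DFIR_CIC_PARTIES and (
        not tx.prior_dealings_with_counterparty
        or tx.amount_usd > IRREGULAR_MULTIPLE * baseline
    ):
        flags.append("irregular transaction with a DFIR firm or cyber insurer")

    # Red flag: large CVC transaction from a customer with little CVC history.
    if tx.prior_cvc_tx_count < LOW_HISTORY_TX_COUNT and tx.amount_usd >= LARGE_MULTIPLE * baseline:
        flags.append("large CVC transaction from a customer with little CVC history")

    return flags


def screen_batch(txs: list[Transaction]) -> dict[str, list[str]]:
    """Map tx_id -> flags for every transaction that raised at least one flag."""
    return {tx.tx_id: flags for tx in txs if (flags := screen_transaction(tx))}


# Constructed sample batch covering a clean case and each red flag.
SAMPLE_TRANSACTIONS = [
    Transaction("tx-1", "cust-a", "addr-constructed-ransomware-01", 250_000.0, 40, 5_000.0, False),
    Transaction("tx-2", "cust-b", "addr-constructed-merchant-01", 800.0, 25, 1_000.0, True),
    Transaction("tx-3", "cust-c", "addr-constructed-unknown-02", 150_000.0, 1, 0.0, False),
    Transaction("tx-4", "cust-d", "cyber-insurer-constructed", 90_000.0, 12, 4_000.0, False),
    Transaction("tx-5", "cust-e", "addr-constructed-mixer-01", 20_000.0, 2, 1_500.0, False),
]

if __name__ == "__main__":
    for tx_id, flags in screen_batch(SAMPLE_TRANSACTIONS).items():
        print(tx_id, "->", "; ".join(flags))
```

Each flagged record would feed the institution's SAR review queue rather than trigger an automatic block; the rules are deliberately simple so that an analyst can read why a transaction was surfaced.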

Classification of Ransomware Attacks 

  • Extortion Schemes: Perpetrators remove sensitive data and encrypt system files, then threaten to publish or sell the data if a ransom is not paid. 
  • Use of Anonymity-Enhanced Cryptocurrencies (AECs) and CVC Mixing Services: Ransom payments are usually made in the form of CVCs, like Bitcoin, or AECs, like Monero, to obfuscate the transaction. Cybercriminals may use mixers to further confuse the money trail by "breaking" the connection between the CVC sender and the receiver.
  • Cashing Out Through Foreign CVC Exchanges: Cybercriminals may launder these funds through CVC exchanges that operate under lax regulations.
  • Partnerships Between Ransomware Criminals: Ransomware-as-a-service (RaaS) enables profit-sharing among criminals, with the RaaS developer receiving a share of the profits.
  • Use of “Fileless” Ransomware: This form is difficult to identify because the malware is directly written into the computer’s memory, making it easier for hackers to avoid antivirus services.
  • “Big Game Hunting” Schemes: Hackers target larger companies that are more likely to pay the ransom because they offer critical services. 

Blowing the Whistle on Foreign Public Corruption 

  • A financial institution must file a Suspicious Activity Report (SAR) and may need to satisfy other Bank Secrecy Act (BSA) reporting requirements. A financial institution should also share information that may help identify ransomware schemes, and it remains protected from civil liability under the USA PATRIOT Act when doing so.
  • If an individual has information regarding a possible ransomware scheme, they may be eligible for legal protections and rewards.
  • If an individual has related information regarding money laundering techniques, they can report them under U.S. laws, like the Anti-Money Laundering Act, and be eligible for rewards.

Whistleblowers seeking legal advice may contact Kohn, Kohn & Colapinto for a consultation.
