WASHINGTON–A new advisory from FinCEN addresses the growing use of anonymity-enhanced cryptocurrencies (AECs) in ransomware schemes and the ways in which perpetrators launder ransomware proceeds.
The updated information from FinCEN, a unit of the Treasury Department, reflects information from the agency’s Oct. 15 Financial Trend Analysis Report, the agency said. According to FinCEN, the new “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” seeks to address the role of financial intermediaries in ransomware schemes, trends and typologies of ransomware and associated payments, recent examples of ransomware attacks, and financial “red flag” indicators of such activity.
The advisory states that the “trends and typologies” include extortion schemes; the proliferating use of anonymity-enhanced cryptocurrencies (AECs); the use of unregistered convertible virtual currency (CVC) “mixing” services (which FinCEN explained is a mechanism used to launder ransomware proceeds); cashing out through foreign CVC exchanges; collaboration and partnerships among ransomware criminals; and other issues.
‘Consider the Facts’
In addition, the advisory includes a description of 12 financial red-flag indicators of ransomware-related illicit activity, which FinCEN said is aimed at assisting financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.
“As no single financial red flag indicator is indicative of illicit or suspicious activity, financial institutions should consider the relevant facts and circumstances of each transaction, in keeping with their risk-based approach to compliance,” FinCEN said.
The Red Flags
According to FinCEN, the red flag indicators include:
- A financial institution or its customer/member detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
- When opening a new account or during other interactions with the financial institution, a customer/member provides information that a payment is in response to a ransomware incident.
- A customer’s/member’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants or related activity. These connections may appear in open sources or in commercial or government analyses, FinCEN said.
- An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) and a digital forensic and incident response (DFIR) company or cyber insurance company (CIC), especially one known to facilitate ransomware payments.
- A DFIR or CIC customer/member receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
- A customer/member shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer/member is a victim of ransomware.
- A customer/member who has no or limited history of CVC transactions sends a large CVC transaction, particularly when this is outside a company’s normal business practices.
- A customer/member that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer/member is acting as an unregistered money services business (MSB).
- A customer/member uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, anti-money laundering/countering financing of terrorism (AML/CFT) regulations for CVC entities.
- A customer/member receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform. “This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction,” FinCEN said.
- A customer/member initiates a transfer of funds involving a mixing service.
- A customer/member uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
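As an added example that is not part of this article or of the FinCEN advisory, the Python rules below encode four of the red flags listed above (the DFIR/CIC pass-through to a CVC exchange, the first large CVC send from a customer with little CVC history, rapid trading through an AEC after an external deposit followed by an off-platform transfer, and any transfer involving a mixing service) as transaction-monitoring checks run over a constructed ledger. The customer names, amounts, timestamps, venue labels, the set of AEC tickers and every threshold (time windows, amount tolerance, the $50,000 cut-off) are assumptions made for this example, not figures from FinCEN.

```python
"""Transaction-monitoring rules for four FinCEN red flags; all data and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

AECS = {"XMR", "ZEC", "DASH"}                      # assumed example set of AEC tickers
OFF_PLATFORM = {"external_wallet", "cvc_exchange", "mixer"}

@dataclass
class Txn:
    ts: datetime
    customer: str
    direction: str     # "in" (received), "out" (sent) or "trade" (asset swap on the platform)
    venue: str         # "bank", "cvc_exchange", "mixer", "external_wallet", "internal_trade"
    asset: str         # "USD" or a CVC ticker
    amount_usd: float  # USD value at the time of the transaction

def by_customer(txns):
    """Group transactions per customer, oldest first."""
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        groups[t.customer].append(t)
    return groups

def rule_dfir_passthrough(hist, window=timedelta(hours=48), tol=0.05):
    """Red flag 5: funds received, then an equivalent amount sent to a CVC exchange within the window."""
    hits = []
    for i, inc in enumerate(hist):
        if inc.direction != "in":
            continue
        for out in hist[i + 1:]:
            if out.ts - inc.ts > window:
                break
            if (out.direction == "out" and out.venue == "cvc_exchange"
                    and abs(out.amount_usd - inc.amount_usd) <= tol * inc.amount_usd):
                hits.append((inc, out))
    return hits

def rule_first_large_cvc(hist, threshold_usd=50_000, max_prior_cvc=2):
    """Red flag 7: little or no CVC history, then a large CVC send."""
    hits, prior_cvc = [], 0
    for t in hist:
        if t.asset != "USD":
            if t.direction == "out" and t.amount_usd >= threshold_usd and prior_cvc <= max_prior_cvc:
                hits.append(t)
            prior_cvc += 1
    return hits

def rule_rapid_aec_churn(hist, window=timedelta(hours=6), min_trades=3):
    """Red flag 10: external deposit, rapid trades that pass through an AEC, then an off-platform transfer."""
    hits = []
    for i, dep in enumerate(hist):
        if not (dep.direction == "in" and dep.venue == "external_wallet"):
            continue
        trades, assets = 0, set()
        for t in hist[i + 1:]:
            if t.ts - dep.ts > window:
                break
            if t.venue == "internal_trade":
                trades, assets = trades + 1, assets | {t.asset}
            elif t.direction == "out" and t.venue in OFF_PLATFORM:
                if trades >= min_trades and assets & AECS:
                    hits.append((dep, t))
                break
    return hits

RULES = {
    "dfir_passthrough": rule_dfir_passthrough,   # only applied to DFIR/CIC customers, see screen()
    "first_large_cvc": rule_first_large_cvc,
    "rapid_aec_churn": rule_rapid_aec_churn,
    "mixer_transfer": lambda hist: [t for t in hist if t.venue == "mixer"],  # red flag 11
}

def screen(txns, customer_types):
    """Return, per customer, the names of the rules that fired on that customer's history."""
    findings = {}
    for cust, hist in by_customer(txns).items():
        fired = [name for name, rule in RULES.items()
                 if (name != "dfir_passthrough" or customer_types.get(cust) in {"DFIR", "CIC"})
                 and rule(hist)]
        if fired:
            findings[cust] = fired
    return findings

T = datetime.fromisoformat
SAMPLE_TXNS = [  # constructed ledger for the example, not real transactions
    Txn(T("2021-11-01 09:00"), "dfir-co", "in", "bank", "USD", 100_000),
    Txn(T("2021-11-01 15:00"), "dfir-co", "out", "cvc_exchange", "USD", 99_000),
    Txn(T("2021-11-02 11:00"), "acme-hospital", "out", "cvc_exchange", "BTC", 75_000),
    Txn(T("2021-11-03 09:00"), "trader-7", "in", "external_wallet", "BTC", 20_000),
    Txn(T("2021-11-03 09:10"), "trader-7", "trade", "internal_trade", "ETH", 20_000),
    Txn(T("2021-11-03 09:20"), "trader-7", "trade", "internal_trade", "XMR", 20_000),
    Txn(T("2021-11-03 09:30"), "trader-7", "trade", "internal_trade", "BTC", 20_000),
    Txn(T("2021-11-03 10:00"), "trader-7", "out", "external_wallet", "BTC", 20_000),
    Txn(T("2021-11-04 12:00"), "quiet-user", "in", "external_wallet", "BTC", 500),
    Txn(T("2021-11-04 12:30"), "quiet-user", "out", "mixer", "BTC", 500),
]
SAMPLE_TYPES = {"dfir-co": "DFIR", "acme-hospital": "healthcare", "trader-7": "retail", "quiet-user": "retail"}
```

Calling `screen(SAMPLE_TXNS, SAMPLE_TYPES)` flags each constructed customer on exactly one rule. The DFIR pass-through rule is gated on the customer's declared type because the indicator is specific to DFIR and cyber insurance firms; the other rules fire on any account. As FinCEN's own caveat states, a single hit is a prompt for review of the surrounding facts, not a determination of illicit activity, so a production system would route these findings to an analyst rather than act on them automatically.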
