The Threat of Ransomware for Financial Institutions: FinCEN Issues Red Flags

Terri Luttrell, CAMS-Audit
November 12, 2021

Ransomware poses a significant threat to FIs.

In response to an increase in ransomware attacks, the latest FinCEN advisory shows the dynamic nature and criticality of ransomware threats.  


Cyber-attacks, and ransomware specifically, are among the most significant threats to U.S. financial institutions. The June 2021 release of the Financial Crimes Enforcement Network (FinCEN) Priorities makes this clear in naming cybercrime as one of the eight national anti-money laundering and countering the financing of terrorism (AML/CFT) priorities. On November 8, 2021, FinCEN issued a revised advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.

Ransomware is a form of malicious software (malware) designed to block access to a computer system or data. It often encrypts data and prevents or limits users from accessing their system, either by locking the system's screen or locking the users' files until a ransom is paid. Usually, the ransom is a substantial amount of money or cryptocurrency. In some cases, the perpetrators threaten to publish sensitive information, with significant consequences to those being held ransom for losing sensitive, proprietary, or critical information.

In response to an increase in ransomware attacks, this updated FinCEN advisory rescinds the agency's previous advisory dated October 2020, showing the dynamic nature and criticality of ransomware threats. According to FinCEN, "Detecting and reporting ransomware payments are vital to holding ransomware attackers." Recent ransomware disruptions to critical U.S. infrastructure industries include attacks on the manufacturing, legal services, insurance, financial services, health care, energy, and food production sectors.

The advisory is full of important information for financial institutions, focusing on disrupting criminal ransomware actors. Processing a ransomware payment involves at least one depository institution that facilitates the payment. Most ransom demands are for convertible virtual currency (CVC). After a ransom payment is made, the funds typically flow through a financial institution as a wire transfer, ACH transaction, or credit card payment. Monitoring this type of activity is where the keen eye of AML and fraud investigations professionals is crucial and where AML software can provide significant support.


Trends and Typologies

FinCEN lists the following trends and typologies for financial institutions to be aware of. While much of the cybercrime detected comes from simple techniques such as phishing, others are becoming more sophisticated and complex. Summarized examples of these typologies are as follows:

Double Extortion Schemes: Double extortion schemes involve removing sensitive data from the targeted networks, encrypting the system files, and demanding ransom. The cybercriminals then threaten to publish or sell the stolen data if the victim does not pay the ransom.

Use of Anonymity-Enhanced Cryptocurrencies (AECs): Cybercriminals increasingly require or incentivize victims to pay in AECs rather than in more traceable Bitcoin. AECs reduce the transparency of CVC financial flows through anonymizing features, such as mixing and cryptographic enhancements. One such AEC increasingly demanded by ransomware criminals is Monero.

Unregistered CVC Mixing Services: To protect their illicit gains, cybercriminals often use mixers to conceal their illegal activities. Mixers are used to "break" the connection between the sender and the receiver of the CVC transaction by commingling CVC belonging to other mixer users and splitting the value into many small pieces that pass through different accounts. This is a classic layering method using innovative technology.

Cashing Out Through Foreign CVC Exchanges: To launder and cash out their illicit proceeds, cybercriminals often use CVC exchanges that have lax compliance controls or that operate in jurisdictions with little regulatory oversight. Financial institutions should pay particular attention to cryptocurrency payments through jurisdictions of concern. Cybercriminals may use these exchanges to convert "dirty" CVC to their preferred legal tender or fiat currency and bring it back into the financial system (integration).

Ransomware Criminals Forming Partnerships and Sharing Resources: Many cybercriminals engage in profit sharing through ransomware-as-a-service (RaaS), a business model in which ransomware developers sell or otherwise deliver ransomware software. RaaS allows cybercriminals of varying skill levels to monetize their illicit access. As part of the profit-sharing arrangement, the RaaS developer often receives a percentage of any ransom paid by the victim.

Use of "Fileless" Ransomware: Fileless ransomware is a sophisticated tool that can be challenging to detect because the malicious code is written to a computer's memory rather than into a file on a hard drive, which allows cybercriminals to circumvent off-the-shelf antivirus and malware defenses.

"Big Game Hunting" Schemes: Cybercriminals are increasingly engaging in selective targeting of larger enterprises to demand bigger payouts – commonly referred to as "big game hunting." Cybercriminals may target organizations with weaker security controls and a higher propensity to pay the ransom due to the criticality of their services. This may include community financial institutions and credit unions.

Financial Red Flag Indicators of Ransomware

When FinCEN issues advisories, financial institutions need to know what this means for their suspicious activity monitoring and reporting programs. FinCEN has identified the following financial red flag indicators of ransomware-related illicit activity, which can be used in training front-line staff as well as AML and fraud investigators:


  • A financial institution or its customer detects IT activity connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • When opening a new account or during other interactions with the financial institution, the customer provides information that payment is in response to a ransomware incident.
  • A customer's CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity. These connections may appear in open-source searches.
  • An irregular transaction occurs between an organization, especially from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) and a customer, especially one known to facilitate ransomware payments.
  • A customer receives funds from a counterparty, and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
  • A customer that has no – or a limited – history of CVC transactions sends a large CVC transaction, particularly when outside a company's standard business practices.
  • A customer that has not identified itself to the CVC exchanger or registered with FinCEN as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
  • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking or known to have inadequate AML/CFT regulations for CVC entities.
  • A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform. This activity may indicate attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
  • A customer initiates a transfer of funds involving a mixing service.
  • A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
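As an added illustration (not code from the advisory or from the author), three of the red flags above expressed as transaction-monitoring rules run over a constructed ledger: a received amount passed straight on to a CVC exchange, a large CVC send by a customer with little CVC history, and any transfer touching a known mixing service. Customer and counterparty names, the reference lists, the time window, and the "large" thresholds are assumptions an institution would set for itself.

```python
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): dir "in"/"out" = funds received/sent, cp = counterparty.
TXNS = [
    {"cust": "C1", "ts": "2021-11-01 09:00", "dir": "in",  "asset": "USD", "amt": 250000, "cp": "acme-mfg"},
    {"cust": "C1", "ts": "2021-11-01 15:30", "dir": "out", "asset": "USD", "amt": 249500, "cp": "exchange-a"},
    {"cust": "C2", "ts": "2021-10-15 10:00", "dir": "out", "asset": "BTC", "amt": 0.01,   "cp": "wallet-x"},
    {"cust": "C2", "ts": "2021-11-03 11:00", "dir": "out", "asset": "BTC", "amt": 4.2,    "cp": "wallet-y"},
    {"cust": "C3", "ts": "2021-11-04 12:00", "dir": "out", "asset": "XMR", "amt": 15.0,   "cp": "mixer-z"},
]
CVC_EXCHANGES = {"exchange-a"}   # hypothetical reference lists an institution would maintain
MIXING_SERVICES = {"mixer-z"}
FIAT = {"USD"}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_pass_through(txns, window=timedelta(days=2), tolerance=0.02):
    """Funds received, then an equivalent amount sent on to a CVC exchange shortly after."""
    hits = []
    for rx in (t for t in txns if t["dir"] == "in"):
        for tx in txns:
            if (tx["cust"] == rx["cust"] and tx["dir"] == "out" and tx["cp"] in CVC_EXCHANGES
                    and timedelta(0) <= _t(tx["ts"]) - _t(rx["ts"]) <= window
                    and abs(tx["amt"] - rx["amt"]) <= tolerance * rx["amt"]):
                hits.append((rx["cust"], rx["cp"], tx["cp"]))
    return hits

def flag_limited_history_large_cvc(txns, large_by_asset, max_prior=1):
    """Customer with no or limited CVC history sends a large CVC transaction."""
    hits, seen = [], {}
    for t in sorted(txns, key=lambda t: _t(t["ts"])):  # evaluate in chronological order
        if t["asset"] in FIAT:
            continue
        prior = seen.get(t["cust"], 0)  # CVC transactions seen for this customer so far
        if t["dir"] == "out" and prior <= max_prior and t["amt"] >= large_by_asset.get(t["asset"], float("inf")):
            hits.append((t["cust"], t["asset"], t["amt"]))
        seen[t["cust"]] = prior + 1
    return hits

def flag_mixing_service(txns):
    """Any transfer whose counterparty is a known mixing service."""
    return [(t["cust"], t["cp"]) for t in txns if t["cp"] in MIXING_SERVICES]

def run_monitoring(txns):
    """Red-flag hits keyed by rule, as input to an investigator's review queue."""
    return {"pass_through_to_exchange": flag_pass_through(txns),
            "limited_history_large_cvc": flag_limited_history_large_cvc(txns, {"BTC": 1.0, "XMR": 50.0}),
            "mixing_service": flag_mixing_service(txns)}
```

Each hit is a lead for investigation, not a conclusion; an alert should be reviewed against the customer's profile before any SAR decision.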

How to File a SAR for Ransomware

These criminals must be held accountable for their crimes, and the laundering of ransomware proceeds must be prevented. One way financial institutions can assist law enforcement is by using the 314(b) information-sharing statute. This often-underutilized method of information exchange, which comes with safe harbor, is critical to following the criminal activity in these complex schemes.

In addition to using 314(b) authority, FinCEN has asked that specific language be used when filing a suspicious activity report (SAR) for cyber events:

  • In SAR field 2 (Filing Institution Note to FinCEN) and in the narrative, indicate that the activity could be indicative of ransomware-related activity.
  • Select SAR field 42 (Cyber Event) as the suspicious activity type.
  • Also select SAR field 42z (Cyber Event-Other) as an additional suspicious activity type, using the keyword "ransomware" in this field.
  • Include relevant technical cyber indicators related to the activity or transactions in SAR fields 44(a)-(j), (z).
  • Include the critical term "CYBER FIN-2021-A004" in the SAR narrative.

As a FinCrime professional, it is incumbent upon you to stay in touch with the spectrum of criminal activity in your surrounding areas. Staying current with these FinCEN Priorities is a good foundation but should not be the only knowledge gathering you do. Thankfully, the AML and fraud industries offer extensive opportunities for professionals to learn about these schemes. It is highly recommended that your financial institution take advantage of those opportunities.

About the Author

Terri Luttrell, CAMS-Audit

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.
