FinCEN has issued a new Advisory on Ransomware that expands on its previous report on ransomware trends.

The Financial Crimes Enforcement Network (FinCEN) administers the Bank Secrecy Act for banks, other financial institutions and money transmitting businesses. It plays the leading role under the Bank Secrecy Act in developing U.S. strategy to prevent money laundering.

This latest advisory from FinCEN responds to the increase in ransomware attacks in recent months. These attacks have struck critical U.S. infrastructure, such as the May 2021 ransomware attack that disrupted the operations of Colonial Pipeline. Colonial Pipeline is the largest pipeline system for refined oil products in the United States. The attack led to widespread gasoline shortages that affected millions in the U.S. Other recent targets include entities in the manufacturing, legal services, insurance, financial services, health care, energy, and food production sectors.

The FinCEN advisory provides twelve “red flags” that should alert financial institutions to potential ransomware attacks.

FinCEN Targets Financial Intermediaries Facilitating Ransomware Payments

The advisory reports that ransomware attacks are a growing concern for the financial sector because of the critical role financial institutions play in the collection of ransom payments. Without financial institutions to process ransomware payments, the attacks cannot succeed.

Most ransomware attacks are multi-step processes that require at least one depository institution and one or more entities directly or indirectly facilitating victim payments, including money services businesses (MSBs). Most ransomware schemes involve convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators.

Following the delivery of the ransom demand, a ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address.

The perpetrator then launders the funds through various means — including mixers, tumblers, and chain hopping — to convert funds into other CVCs. These transactions may be structured into smaller “smurfing” transactions involving multiple people, and across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P) and nested exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering and countering the financing of terrorism (AML/CFT) controls.

Red Flag Indicators of Ransomware Attacks

  1. A financial institution or its customer detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors.
  2. When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
  3. A customer’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity.
  4. An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a digital forensics and incident response (DFIR) company or cyber insurance company (CIC), especially one known to facilitate ransomware payments.
  5. A DFIR or CIC customer receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
  6. A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC.
  7. A customer that has no or limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
  8. A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs.
  9. A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities.
  10. A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs.
  11. A customer initiates a transfer of funds involving a mixing service.
  12. A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
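As an added illustration of how a transaction-monitoring team might encode red flags 5, 7, 10 and 11 from the list above as rules over one customer's activity (example code written for this page, not part of the FinCEN advisory): the ledger records, the reference lists of exchanges and mixers, and every threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample activity for one customer account (not real data).
# kind: fiat_in (wire/ACH received), cvc_out (CVC sent), cvc_in (CVC received),
# cvc_trade (on-exchange swap between two CVCs). amount is USD equivalent.
LEDGER = [
    {"ts": "2021-06-01T09:00:00", "kind": "fiat_in",   "amount": 250_000, "cp": "victim_corp"},
    {"ts": "2021-06-01T11:30:00", "kind": "cvc_out",   "amount": 248_000, "cp": "exchange_A"},
    {"ts": "2021-06-02T10:00:00", "kind": "cvc_in",    "amount": 40_000,  "cp": "external_wallet"},
    {"ts": "2021-06-02T10:05:00", "kind": "cvc_trade", "amount": 40_000,  "cp": "BTC->XMR"},
    {"ts": "2021-06-02T10:08:00", "kind": "cvc_trade", "amount": 39_900,  "cp": "XMR->ETH"},
    {"ts": "2021-06-02T10:11:00", "kind": "cvc_trade", "amount": 39_800,  "cp": "ETH->USDT"},
    {"ts": "2021-06-03T08:00:00", "kind": "cvc_out",   "amount": 20_000,  "cp": "mixer_service"},
]
KNOWN_EXCHANGES = {"exchange_A"}    # assumed reference lists kept by the institution
KNOWN_MIXERS = {"mixer_service"}
CVC_KINDS = {"cvc_out", "cvc_in", "cvc_trade"}

def _t(rec):
    return datetime.fromisoformat(rec["ts"])

def evaluate(ledger, large_cvc=100_000, pass_through=timedelta(hours=24),
             rapid=timedelta(minutes=30), min_trades=3, tolerance=0.05):
    """Return {red_flag_number: [timestamps of the records that triggered it]}."""
    ledger = sorted(ledger, key=_t)
    hits = {5: [], 7: [], 10: [], 11: []}
    for i, rec in enumerate(ledger):
        later = ledger[i + 1:]
        # Flag 5: funds received, then an equivalent amount sent on to a CVC exchange shortly after.
        if rec["kind"] == "fiat_in":
            for nxt in later:
                if (nxt["kind"] == "cvc_out" and nxt["cp"] in KNOWN_EXCHANGES
                        and _t(nxt) - _t(rec) <= pass_through
                        and abs(nxt["amount"] - rec["amount"]) <= tolerance * rec["amount"]):
                    hits[5].append(nxt["ts"])
        # Flag 7: a large CVC transfer from a customer with little or no prior CVC history.
        if rec["kind"] == "cvc_out" and rec["amount"] >= large_cvc:
            prior_cvc = sum(1 for p in ledger[:i] if p["kind"] in CVC_KINDS)
            if prior_cvc < 2:
                hits[7].append(rec["ts"])
        # Flag 10: CVC received from an external wallet, then several rapid trades between CVCs.
        if rec["kind"] == "cvc_in":
            trades = [n for n in later if n["kind"] == "cvc_trade" and _t(n) - _t(rec) <= rapid]
            if len(trades) >= min_trades:
                hits[10].append(rec["ts"])
        # Flag 11: any transfer that touches a known mixing service.
        if rec["cp"] in KNOWN_MIXERS:
            hits[11].append(rec["ts"])
    return hits
```

Each rule fires independently, so `evaluate(LEDGER)` reports one hit for each of the four flags on the constructed ledger; the thresholds would be tuned to the institution's own customer base before being used for alerting.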