Twin US advisories warn ransomware payments could fall foul of sanctions and AML rules

Viewpoints
October 2, 2020

On the first day of October, which is National Cybersecurity Awareness Month, the US sanctions and anti-money laundering regulators - the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) - each issued an advisory "to assist U.S. individuals and businesses in efforts to combat ransomware scams and attacks."

OFAC's advisory on "Sanctions Risks for Facilitating Ransomware Payments" outlines the potential sanctions risks in making or facilitating ransomware payments on behalf of victims.

FinCEN's advisory on "Ransomware and the Use of the Financial System to Facilitate Ransom Payments" sets out the role of financial intermediaries in processing such payments and provides guidance for identifying and reporting ransomware attacks.

According to the advisories, "Ransomware is a form of malicious software ('malware') designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data."

Sanctions Risks

In recent years ransomware has been used by criminal organizations and by sanctioned individuals and entities to raise funds for their illicit activities (for example, the WannaCry 2.0 attacks, which OFAC attributes to the Lazarus Group, a sanctioned cybercriminal organization sponsored by North Korea). OFAC has also specifically designated persons under its cyber-related sanctions programs. These sanctions programs also allow for sanctions against those who "materially assist, sponsor, or provide financial, material, or technological support for" such activities.

The advisory puts financial institutions and companies on alert that facilitating ransomware payments on behalf of victims could violate prohibitions on dealings with sanctioned persons or countries. OFAC points to its recent Sanctions Enforcement Guidelines, encouraging financial institutions and companies to "implement a risk-based compliance program to mitigate exposure" to sanctions risks, including "companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses (MSBs))."

AML Risks

According to FinCEN, many ransomware schemes involve convertible virtual currency (CVC), which it describes as the preferred payment method for cybercriminals. Processing a payment "typically" involves multiple steps and actors in the payment chain - a depository institution, a CVC exchange, and one or more MSBs. The victim will typically purchase CVC from the exchange specified by the criminal, funding the purchase by wire transfer, ACH or credit card payment. The criminal will then seek to "wash" the funds using mixers or tumblers, by converting them into other CVCs, or through peer-to-peer exchangers. Sometimes specialized companies help victims by facilitating the ransomware payment from their own bank account or CVC wallet.

FinCEN reminds financial institutions (FIs) that they have an obligation to seek to identify and report suspicious activity, including ransom payments made "by, at, or through" financial institutions. The advisory sets out the cyber-related information that FIs should seek to include in any such suspicious activity reports (SARs).

Red flags of Ransomware and Associated Payments include:

  •  indicators in system log files, network traffic or file information
  •  customer discloses a relationship to a ransomware incident
  •  CVC address or beneficiary information is associated with ransomware activity according to public or government analyses
  •  organization with no history with CVC sends a large payment to a CVC exchanger, particularly in sectors at high risk for ransomware attacks (e.g. government, financial, educational, healthcare)
  •  funds are transferred out of an account quickly after receipt and sent to a CVC exchange
  •  customer uses a CVC exchanger in a high-risk jurisdiction
  •  multiple CVC trades with no apparent purpose
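The transactional red flags above (flagged CVC address, first large CVC payment from a high-risk sector, rapid outflow to an exchange, high-risk jurisdiction, purposeless trades, customer disclosure) can be expressed as a rule-based screen over an FI's own records. The following is an added example, not code or guidance from FinCEN or OFAC: the record layout, the thresholds (USD 50,000, a 24-hour window, five trades), the sector and jurisdiction lists, the blocklisted address and the sample customers are all constructed assumptions, and the log-file indicator in the first bullet is out of scope because it lives on the victim's systems rather than in payment data.

```python
"""Rule-based screen for the FinCEN ransomware red flags over constructed
transaction records. Added example, not code from FinCEN or OFAC; all
thresholds, sector and jurisdiction lists, and addresses are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stand-in for addresses that "public or government analyses" tie to
# ransomware. Constructed placeholder, not a real address.
FLAGGED_CVC_ADDRESSES = {"bc1q-constructed-flagged-address-0001"}
# Sectors the advisory names as high-risk for ransomware attacks.
HIGH_RISK_SECTORS = {"government", "financial", "educational", "healthcare"}
# Jurisdictions the institution treats as high-risk (assumed list).
HIGH_RISK_JURISDICTIONS = {"XX"}
LARGE_PAYMENT_USD = 50_000            # assumed "large payment" threshold
RAPID_OUTFLOW = timedelta(hours=24)   # assumed "quickly after receipt" window
PURPOSELESS_TRADES = 5                # assumed count for "multiple CVC trades"


@dataclass
class Customer:
    id: str
    sector: str
    prior_cvc_activity: bool
    disclosed_ransomware: bool = False


@dataclass
class Tx:
    ts: datetime
    amount_usd: float
    kind: str                  # "fiat_in", "to_cvc_exchange" or "cvc_trade"
    jurisdiction: str = ""     # exchanger's jurisdiction for to_cvc_exchange
    cvc_address: str = ""      # destination address, if known
    purpose: str = ""          # stated purpose of a cvc_trade, if any


def screen(customer: Customer, txs: list[Tx]) -> list[str]:
    """Return the sorted set of red-flag names triggered by this customer."""
    flags = set()
    txs = sorted(txs, key=lambda t: t.ts)
    if customer.disclosed_ransomware:
        flags.add("customer_disclosed_ransomware")
    for t in txs:
        if t.cvc_address in FLAGGED_CVC_ADDRESSES:
            flags.add("flagged_cvc_address")
        if t.kind == "to_cvc_exchange":
            if (not customer.prior_cvc_activity
                    and t.amount_usd >= LARGE_PAYMENT_USD
                    and customer.sector in HIGH_RISK_SECTORS):
                flags.add("first_large_cvc_payment_high_risk_sector")
            if t.jurisdiction in HIGH_RISK_JURISDICTIONS:
                flags.add("high_risk_jurisdiction_exchanger")
    # Funds received and sent on to a CVC exchange within the window.
    for i, t in enumerate(txs):
        if t.kind != "fiat_in":
            continue
        if any(u.kind == "to_cvc_exchange" and u.ts - t.ts <= RAPID_OUTFLOW
               for u in txs[i + 1:]):
            flags.add("rapid_outflow_to_cvc_exchange")
    if sum(1 for t in txs if t.kind == "cvc_trade" and not t.purpose) >= PURPOSELESS_TRADES:
        flags.add("multiple_cvc_trades_no_purpose")
    return sorted(flags)


def victim_case() -> list[str]:
    """Constructed: a hospital with no CVC history wires in funds and sends
    most of them the same day to an exchanger in a high-risk jurisdiction."""
    cust = Customer("C-1001", "healthcare", prior_cvc_activity=False)
    t0 = datetime(2020, 10, 1, 9, 0)
    txs = [Tx(t0, 180_000, "fiat_in"),
           Tx(t0 + timedelta(hours=3), 175_000, "to_cvc_exchange", "XX",
              "bc1q-constructed-flagged-address-0001")]
    return screen(cust, txs)


def benign_case() -> list[str]:
    """Constructed: an established CVC trader with documented trades."""
    cust = Customer("C-2002", "retail", prior_cvc_activity=True)
    t0 = datetime(2020, 10, 1, 9, 0)
    txs = [Tx(t0 + timedelta(days=i), 2_000, "cvc_trade", purpose="treasury rebalancing")
           for i in range(6)]
    return screen(cust, txs)


if __name__ == "__main__":
    print("victim:", victim_case())
    print("benign:", benign_case())
```

A hit on any rule is a prompt for review and a possible SAR, not a determination; in practice the blocklist would be fed from the public and government analyses the advisory refers to, and the thresholds tuned to the institution's own customer base.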

Conclusion

Although technically non-binding, these advisories put financial institutions in particular on notice that they must be aware of the methods cybercriminals use to perpetrate ransomware attacks, including by paying attention to "open sources, or commercial or government analyses" of cyber activity.

Companies involved in protection and mitigation services and FIs alike must also implement controls to mitigate the risk of dealing with sanctioned persons or countries when making or facilitating ransomware payments.

FinCEN previously issued guidance on cybercrime enabled by the COVID-19 pandemic.