On October 1, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a press release pointing to its published advisory titled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. FinCEN’s press release additionally pointed to a parallel advisory from the Treasury Department’s Office of Foreign Assets Control (OFAC) titled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Both advisories warn of the growing threat of ransomware to U.S. business and individuals, describe recent trends in that area of digital crime, and point to the needs for proper safeguards and reporting, especially in light of potential violations of sanctions rulings.
Ransomware is defined as malicious software (malware) used to block access to data or systems, often by encrypting resources in exchange for payment of ransom. It often includes the exfiltration of sensitive material, along with the threat of publication and exposure if demands are not met. Payments typically are multi-step processes involving multiple financial institutions, including money service businesses (MSBs), depository institutions, and those involved with convertible virtual currencies (e.g., bitcoin). As cited in the OFAC advisory, between 2018 and 2019 ransomware attacks increased 37% and losses increased 147%, and have also significantly increased during the COVID-19 pandemic.
Increased Sophistication of Ransomware Attacks
The FinCEN advisory points to an increase in the sophistication of recent ransomware operations, including:
- Big game hunting – The targeting of large financial institutions in the hopes of large payouts
- Ransomware partnerships – The sharing of resources between ransomware groups, including the development and publication of ready-made tools
- Double extortion – The act of illegal encryption coupled with the threat of publication of sensitive data
- Use of anonymity-enhanced currencies (AECs) – The use of virtual currencies that further anonymize transactions via the use of cryptographic enhancements
- Fileless ransomware – The use of malware that is written directly into computer memory and is harder to detect
Red Flags of Ransomware Payments
In addition to pointing to the need for protection against attacks (e.g., via phishing prevention, malware detection tools, etc.), the FinCEN advisory points to financial red flags indicators useful in detecting, preventing, and reporting ransomware-related illicit activity. While not directly indicating ransomware payment, these activities are cause for concern and further investigation. They include:
- Evidence of malware in system log files, network traffic, or file information
- Direct mention of ransomware when a new account is being opened
- Linking of convertible virtual currency (CVC) addresses to those known to be associated with ransomware
- Transactions between high-risk sectors (e.g., governmental, financial) and digital forensics and incident response (DFIR) firms or cyberinsurance companies (CICs)
- Transactions of equivalent sums between DFIRs/CICs and CVC exchangers
- CVC transactions involving customers with little prior understanding of CVC, or with a customer who has not registered as an MSB
- CVC exchanges in high risk, foreign, unregulated jurisdictions
- Rapid CVC exchanges with multiple CVCs, with no apparent related purpose
Suspicious Activity Reporting
The FinCEN advisory stresses the obligation of financial institutions to file a suspicious activity report (SAR) for ransomware incidents conducted by, at, or through the financial institution. SARs are required for both attempted and successful transactions. They should include complete and accurate reporting of all relevant information. Copies of filed reports should be maintained for five years from the date of filing. Additional filing details are provided in the body of the advisory.
Ransomware and Sanctions
The OFAC advisory points to the connection of ransomware with multiple individuals and organizations who are currently under U.S. sanctions. For example, the developers and perpetrators of the recent Cryptolocker, SamSam, WannaCry, Dridex, and other attacks are currently under sanctions, and U.S. persons are prohibited from engaging in transactions with them. As such, payment of ransomware to cybercriminals, in addition to emboldening future attacks and threating national security, additionally involves the risk of violating sanctions compliance.
The advisory indicates that OFAC may impose civil penalties for sanctions violations, based on strict liability. Thus, payment of a ransom to individuals or entities on the sanctions list is punishable, even if the victim did not know of the sanction.
OFAC has further indicated that the existence and quality of a firm’s sanctions compliance program will be taken into account if penalties will be assessed. Additionally, a firms’s self-initiated, timely, and cooperative self-reporting to proper authorities of ransomware incidents and payments will likewise be taken into consideration.
The FinCEN and OFAC advisories point to the increasing threat of ransomware against financial services and other firms. In addition to the rise in frequency, impact, and sophistication of these attacks, the threat of regulatory violations stemming from the payment of ransom fees (e.g., from not filing SARs or from violating sanctions) is an additional factor that must be considered.
ACA Aponix recommends a close reading of the FINRA and OFAC advisories, and an implementation of recommended protections and reporting strategies those reports detail.
Additionally, ACA Aponix recommends strengthening internal efforts at protection from ransomware, including:
- Performing a cybersecurity risk assessment, in which potential areas of risk are located, and controls are subsequently detailed.
- Testing network vulnerability with internal and external penetration testing.
- Incorporating potential cybersecurity events in all emergency preparation planning and documentation, including defining an incident response plan in which potential ransomware events are described, and recommended actions are delineated.
- Implementing a regular backup policy, as well as testing the policy and its use in potential data recovery.
- Implementing a continuing user training program, focused on prevention of phishing, spearphishing, and other forms of social engineering.
How We Help
ACA Aponix offers the following solutions that can help your firm meet SEC regulatory requirements related to cybersecurity, and enhance cybersecurity in general:.
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Phishing testing and cyber awareness
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
ACA also works with financial institutions in the securities industry to ensure they meet the requirements of applicable OFAC and AML regulations and industry best practices, including the establishment of risk-based, tailored OFAC Sanctions and AML compliance programs.
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.