A recent Financial Action Task Force report on countering ransomware finance has spotlighted the methods used by cyber-extortionists to launch their attacks, indicators of victim payment flows, and the laundering techniques favored by threat actors.
The anti-money-laundering (AML) watchdog notes that a “ransomware attack is a form of extortion and the FATF Standards require that it be criminalised as a predicate offence for money laundering,” according to the report. FATF’s advisory comes amidst reports that victims paid at least $456.8 million to ransomware actors last year, a meaningful drop from the $765.6 million transferred to cyber-extortion gangs in 2021, according to crypto forensics firm Chainalysis.
Given the extent to which ransomware attacks go undisclosed and unreported by victims, however, Resecurity assesses that the total extortion payouts (2022) could be significantly bigger. Additionally, while overall total identified ransomware incidents and payouts may be down for 2022, not all sectors are equal. For example, Resecurity noted an 87% year-over-year jump in ransomware attacks targeting the industrial sector in 2022 specifically.
Another key development immediately preceding the FATF report is the March publication of the White House’s 2023 National Cybersecurity Strategy, which cites the “defeat” of ransomware as a key strategic objective. In the strategy document, the White House notes that its approach to vanquishing the crypto-extortion threat will specifically target “exchanges on which ransomware operators rely and improving international implementation of standards for combatting virtual asset illicit finance.”
The targeting of crypto exchanges vital to the ransom ecosystem is a strategy that has been leveraged by the U.S. for the last six years, beginning with the takedown of BTC-e in 2017, followed by the issuing of sanctions against Chatex and Suex in 2021, and most recently, the law enforcement operation against Bitzlato this year.
The common thread linking all of these rogue virtual asset service providers (VASPs) together, apart from their popularity with ransomware gangs, is that they were all operated by foreign nationals. Against this backdrop, increasingly strained by the ongoing geopolitical tensions, the FATF report “proposes a number of actions that countries can take to more effectively disrupt ransomware-related money laundering.”
Key Measures and Indicators
Key ransom AML measures cited by FATF include “building on and leveraging existing international cooperation mechanisms” and greater upskilling and technological investment for and from authorities that will enable them to quickly “trace the nearly instantaneous financial transactions and recover virtual assets before they dissipate.”
FATF also advises that incident responders and investigators should pursue greater collaboration with cybersecurity and data protection agencies. While the rate at which victims pay ransoms has dropped markedly over the last four years, FATF notes that “industry estimates report up to a fourfold increase in ransomware payments in 2020 and 2021, compared to 2019.”
FATF also said that “new techniques have increased the profitability of attacks and the likelihood of success” for ransomware actors. The watchdog points to the heightened targeting of “large, high-value entities” and threat actors franchising their malign locker tech via the ransomware-as-a-service (RaaS) model, where adversaries sell their toolkits to affiliates.
Not surprisingly, FATF also found that “payments and subsequent laundering of ransomware proceeds are almost exclusively conducted through virtual assets.” Threat actors further obfuscate their illicit ransomware proceeds by “using anonymity-enhancing technologies, techniques, and tokens in the laundering process, such as anonymity enhanced cryptocurrencies and mixers,” according to FATF.
FATF outlines three risk indicator categories for financial institutions (FIs) and VASPs to screen account activity for signs of ransomware funding. The first section highlights red flags that help banks, other FIs, and payment firms identify payments from ransomware victims. The second section outlines risk indicators that help VASPs identify ransomware victim payments. And the third category of risk indicators assists VASPs in uncovering crypto wallets being operated by ransomware operators.
Beyond mitigating the risk of ransomware-related laundering, this compendium of potential extortion payment indicators is vital for FIs and VASPs looking to navigate sanctions risk more intelligently. While paying crypto ransoms to RaaS gangs is not necessarily illegal on its own, the prospect of facilitating payments to entities sanctioned by the Treasury’s Office of Foreign Assets Control (OFAC) introduces significant regulatory risk to FIs and VASPs.
OFAC’s complex and perpetually growing list of sanctioned entities, a list that has been vastly expanded in retaliation for the ongoing tragic events in Ukraine, has further complicated the risk calculus for ransomware victims. FATF’s red flags can at least equip FIs and VASPs with better risk indicators of potential ransomware payment activity to preempt and mitigate any regulatory fallout for facilitating ransom payouts.
Some of the more interesting red flags highlighted in the first section involve payments to third parties like “cybersecurity consulting or incident response firms that specialize in ransomware remediation,” according to FATF. The watchdog also cited “incoming wire transfers from insurance companies that specialize in ransomware remediation.”
FIs and payment firms should also be on high alert for a high volume of transactions from the same bank account to multiple accounts at a VASP, according to FATF. This payment activity could be indicative of a victim’s attempt to structure ransom payouts in a way that conceals the actual nature and purpose of the virtual-asset-related transfers.
For VASPs attempting to identify potential extortion payments made by victims, FATF notably highlights the “request to buy virtual assets by an incident response firm or insurance company on behalf of a third party” as a key indicator of suspicious activity.
In terms of identifying laundering-related transactions initiated by ransomware operators, the most interesting red flags cited by FATF were minimal account activity or complete account dormancy following an “initial large virtual asset transfer,” an “immediate withdrawal after converting funds to virtual assets,” and instances where account-holder “verification information is a photograph of data on a computer screen or has a file name containing ‘WhatsApp image’ or similar.”
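To show how three of the red flags quoted above translate into screening logic, here is an added example (written for this summary, not code from FATF or Resecurity) that runs them over constructed bank and VASP records. The account names, timestamps, the fan-out threshold of three VASP accounts, the $50,000 conversion floor, the one-hour withdrawal window, and the extra “screenshot” filename pattern are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed fiat transfers from a bank ledger:
# (source_account, destination_account, destination_is_vasp, amount_usd)
BANK_TXNS = [
    ("ACME-OPS-001", "VASP-A-1001", True, 9500),
    ("ACME-OPS-001", "VASP-A-1002", True, 9500),
    ("ACME-OPS-001", "VASP-A-1003", True, 9500),
    ("ACME-OPS-001", "VASP-A-1004", True, 9500),
    ("PAYROLL-77", "EMP-1", False, 3000),
]

def fan_out_to_vasp(txns, min_accounts=3):
    """Bank-side red flag: one account funding many distinct accounts at a VASP."""
    dests = defaultdict(set)
    for src, dst, is_vasp, _amount in txns:
        if is_vasp:
            dests[src].add(dst)
    return sorted(src for src, d in dests.items() if len(d) >= min_accounts)

# Constructed VASP account events: (account, timestamp, kind, amount_usd)
VASP_EVENTS = [
    ("va-91", datetime(2023, 3, 1, 10, 0), "convert_to_va", 120000),
    ("va-91", datetime(2023, 3, 1, 10, 20), "withdraw_va", 120000),
    ("va-33", datetime(2023, 3, 5, 9, 0), "convert_to_va", 80000),
    ("va-33", datetime(2023, 3, 20, 9, 0), "withdraw_va", 200),
]

def immediate_withdrawal(events, max_gap=timedelta(hours=1), min_usd=50000):
    """VASP-side red flag: large conversion to virtual assets, then withdrawal within max_gap."""
    converted, flagged = {}, set()
    for acct, ts, kind, amt in sorted(events, key=lambda e: e[1]):
        if kind == "convert_to_va" and amt >= min_usd:
            converted[acct] = ts
        elif kind == "withdraw_va" and acct in converted and ts - converted[acct] <= max_gap:
            flagged.add(acct)
    return sorted(flagged)

# Assumed pattern: FATF quotes only "WhatsApp image" or similar; "screenshot" is our addition.
KYC_NAME_RE = re.compile(r"whatsapp[ _-]?image|screenshot", re.IGNORECASE)
def suspicious_kyc_filename(filename):
    """VASP-side red flag: identity document uploaded as a re-photographed or screen-captured file."""
    return bool(KYC_NAME_RE.search(filename))

if __name__ == "__main__":
    print(fan_out_to_vasp(BANK_TXNS))          # ['ACME-OPS-001']
    print(immediate_withdrawal(VASP_EVENTS))   # ['va-91']
    print(suspicious_kyc_filename("WhatsApp Image 2023-03-01.jpg"))  # True
```

Each rule returns the accounts or files it flags so the hits can be routed into the institution's existing alert queue rather than acted on in isolation.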
Key Takeaway
While the indicators highlighted above were just a fraction of all the ransomware payment and laundering red flags cited by FATF, they were the most evolved tells of extortion-related activity, in Resecurity’s view. For FIs, VASPs, and payment firms the real value of this FATF advisory is the spotlight placed on third-party incident response and cyber-insurance firms.
Specifically, the FATF advisory highlights how these specialist firms’ interactions with a customer account at a VASP or FI or potentially their own account activity at a covered entity could be indicative of a ransomware-related payment stream. Given the emphasis on third parties, VASPs, FIs, and payment firms need to enhance their Know Your Business (KYB) capabilities to better identify organizations that specialize in ransomware incident response and cyber-insurance coverage.
Beyond the steps VASPs and financial firms can take to mitigate their exposure to ransomware AML and sanctions-related risks, FATF also makes a broader recommendation for national oversight frameworks. For example, FATF cites the “importance of accelerating the implementation of FATF Recommendation 15, which requires jurisdictions to put in place measures to mitigate risks linked to virtual assets and to regulate” the VASP sector, according to the report.
This regulatory reform includes the implementation of FATF’s Travel Rule, which mandates that countries treat all crypto-asset transactions as cross-border wire transfers. This means VASPs must obtain, hold, and exchange accurate beneficiary and originator information. Specifically, FATF mandates that VASPs must collect and exchange accurate personally identifiable information (PII) about senders and receivers of crypto-asset transfers once they go over a certain limit, which may vary by jurisdiction or country.
Ultimately, however, the ongoing global conflicts have disrupted and redefined the OFAC sanctions risk landscape. This geopolitical and geo-economic rupture has compounded ransomware-related risk exposures for FIs, VASPs, and payment firms. While sanctioned ransomware groups have also been flagged in Iran and North Korea, groups originating from Eastern Europe remain the most significant threat to FIs and VASPs.
With monetary penalties for violating OFAC sanctions approaching up to $1 million and/or up to 20 years in prison per violation, depending on the willfulness and recklessness of the violation, the deliberate concealment of payment, and other aggravating factors, FIs and VASPs must arm themselves with the best ransomware intelligence available.
Resecurity’s threat intelligence team can help FIs and VASPs better identify ransomware payment flows compromised by OFAC-related risks to mitigate their potential exposure to regulatory enforcement actions, civil and otherwise. Regardless, the FATF advisory is a good reminder that a trusted business customer’s account activity and transactional counterparties can be better indicators of ransomware-related payment streams than any comment a victim organization might want to make about a potential incident in public.