Cryptocurrency and Ransomware: A Dangerous Combination

FinCEN and OFAC release new information regarding banks’ vulnerability to ransomware attacks.

It’s hardly shocking that increased use and recognition of cryptocurrency is creating new opportunities and challenges for banks. But what might surprise you is exactly how the emergence of virtual currency is leaving financial institutions more vulnerable to an all-too-common problem: Ransomware.

According to the Financial Crimes Enforcement Network (FinCEN), the total U.S.-dollar value of ransomware-related transactions reported during the first half of 2021 exceeded that from all last year, and any year since 2011. FinCEN recently announced that the agency received $590 million in ransomware-related suspicious activity reports (SARs) during that six-month period, a 42% increase from 2020. And in an overwhelming number of the cases, the cyber criminals demanded their ransoms in Bitcoin to provide an added layer of anonymity.

The reason for this online crime wave is three-fold: First, ransomware is becoming easier to deploy, with ready-made ransomware kits available of the Dark Web, eliminating the need for technical expertise. Second, ransomware gangs have adopted new extortion tactics to increase incentive to pay, including encrypting the victim’s data and threatening to publish it if the ransom is not met. Third, and most relevant to this discussion, attacks on small municipalities and organizations have spiked because of the perception of weaker security controls making them easy prey.

OFAC/BSA/AML Risk

This is where banks come in. Financial institutions are constantly trying to stay ahead of cyber criminals and keep pace with government regulations to protect their information systems and their customers’ vital personal data. A recent release from the Office of Foreign Assets Control (OFAC) is a reminder that the Government intends to hold liable any party subject to U.S. jurisdiction, even if they didn’t know or have reason to know that they were engaging in a prohibited transaction. That means if one of your customers is a victim of ransomware, and they fund a crypto wallet through an account at your bank to meet the ransom payment, your institution becomes part of the payment chain and might face civil or even criminal penalties.

Credit Quality Risk

Has your bank considered the credit quality risk that would result from a ransomware attack against one of your largest commercial borrowers? Your IT staff should be thinking about cyber-attacks and the security of your bank. At the same time, your lenders work to manage traditional credit risk of the borrowers. But who is thinking about these risks from a whole-bank perspective? It’s evolving risks such as these that require new ways of thinking about risk.

Have Questions? Contact us at Solutions@BankOnITUSA.com.

10 Financial Red-Flag Indicators Of Ransomware & Associated Payments

FinCEN has identified the 10 following financial red-flag indicators to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks:

1. IT enterprise activity is connected to cyber indicators that have been associated with possible ransomware activity or known cyber-threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
2. When opening a new account or during other interactions, a customer provides information that a payment is in response to a ransomware incident.
3. A customer’s CVC address, or an address with which a customer conducts transactions, appears on open sources; or commercial or government analyses have linked those addresses to ransomware strains, payments, or related activity.
4. A transaction occurs between an organization — especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) — and a DFIR or CIC, especially one known to facilitate ransomware payments.
5. A DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
6. A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet they inquire about or purchase CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
7. A DFIR, CIC, or other company that has little or no history of CVC transactions sends a large CVC transaction — particularly if it’s outside a company’s normal business practices.
8. A customer that has neither identified itself to the CVC exchanger, nor registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute a large number of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
9. A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking or known to have inadequate AML/CFT regulations for CVC entities.
10. A customer initiates multiple rapid trades between multiple CVCs — especially AECs —with no apparent related purpose, which may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.