Financial institutions must keep up with evolving ransomware activity


The authors of this article discuss an updated Financial Crimes Enforcement Network advisory on ransomware and the use of the financial system to facilitate ransom payments, which highlights the need for financial institutions to be wary of signs that their clients are attempting to make or receive ransomware payments.

The Financial Crimes Enforcement Network (“FinCEN”) has released an updated version of its advisory on ransomware and the use of the financial system to facilitate ransom payments (the “advisory”).1 The advisory stresses that financial institutions should be alert to signs that their customers are attempting to make or receive ransomware payments, even as the logistics of ransomware activity become increasingly complicated.


The updated advisory, which replaces FinCEN’s Oct. 1, 2020 advisory of the same name, comes amid growing ransomware attacks against U.S. institutions and infrastructure and a growing response from government as the Biden administration pursues its “whole of government” approach to ransomware.2

On the same day that FinCEN issued its advisory, the US Treasury Department announced that its Office of Foreign Assets Control (“OFAC”) had sanctioned two ransomware operators, a Ukrainian citizen and a Russian citizen, and the virtual currency exchange Chatex for their respective roles in ransomware operations.3

In a similar vein, the Department of Justice (“DOJ”) announced the creation of a National Cryptocurrency Enforcement Team “to tackle the complex investigations and prosecutions of criminal misuses of cryptocurrency, in particular crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” The DOJ said the team will also help track down and recover assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.4


FinCEN’s advisory makes it clear that although most cybercriminals require ransomware payments to be made in convertible virtual currency (“CVC”) (e.g. Bitcoin),5 almost every ransomware payment will involve the use of at least one depository institution as an intermediary. Financial institutions are therefore positioned to play a central role in identifying and reporting ransomware attacks and in assisting law enforcement in the fight against ransomware.6

To encourage and facilitate effective action by financial institutions, FinCEN has identified four types of ransomware “red flags” that financial institutions should be aware of.

1. Unprecedented CVC transactions

Financial institutions should be alert to circumstances where (1) a customer has little or no CVC transaction history and then transfers funds to a CVC exchange, or (2) a customer shows little knowledge of CVC but inquires about or purchases CVC, especially in large amounts or on an urgent basis.

Additionally, financial institutions should note each time a customer provides information that a payment is in response to a ransomware incident.

2. Transactions Involving Digital Forensics Response Companies or Cybersecurity Underwriters

Digital Forensic Incident Response (“DFIR”) companies frequently help ransomware victims respond to ransomware attacks; these companies can also help facilitate the ransomware payment by taking the victim’s money, converting it into CVC, and then transferring the CVC to the attacker.7

Cybersecurity liability insurance (“CIC”) companies also often play a role in ransomware transactions, reimbursing policyholders for remediation efforts, including the use of a DFIR company.

Financial institutions should be alert to any instance in which an organization sends an irregular transaction to a DFIR or CIC, particularly if the DFIR is known to facilitate ransomware payments and especially if the organization is in an industry at high risk of ransomware attacks (e.g. government, finance, education, healthcare, etc.). Similarly, financial institutions should monitor transactions where a DFIR or CIC customer receives funds from a counterparty and then promptly sends an equivalent amount to a CVC exchange.

3. Suspicious CVC Transactions

A financial institution should be alert to signs that a customer is:

  • Using an encrypted network (e.g. Tor) to communicate with the recipient of the CVC transaction;

  • Using a CVC exchange based in a foreign country, especially in a high-risk jurisdiction that lacks adequate anti-money laundering (“AML”)/countering the financing of terrorism (“CFT”) regulations;

  • Initiating a funds transfer using a mixing service;8

  • Receiving a CVC, then initiating multiple quick trades across multiple CVCs (especially CVCs with enhanced anonymity features) with no apparent purpose, followed by an off-platform transaction; or

  • Appearing to be an unregistered money services business by executing a large number of offsetting transactions between CVCs.
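The red flags in sections 1 through 3 above are, in effect, transaction-monitoring typologies, and an AML program has to turn them into rules that run over the institution's own ledger. The following is an added example, not code from the article or from FinCEN, showing three such rules over a constructed ledger: a first-time large transfer to a CVC exchange with no recent CVC history (section 1), an inbound payment promptly passed through to a CVC exchange in an equivalent amount (the pass-through pattern in section 2), and an outbound transfer to a known mixing service (section 3). The counterparty names (`ExampleCoinExchange`, `ExampleMixer`), the customer names, the 180-day lookback, the 48-hour pass-through window, the 5% amount tolerance and the 10,000 threshold are all assumptions chosen for illustration; a real program would take its counterparty classifications and thresholds from the institution's own risk assessment and from the indicator sources the advisory cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference lists (hypothetical placeholder names, not real entities).
CVC_EXCHANGES = {"ExampleCoinExchange"}
MIXING_SERVICES = {"ExampleMixer"}

LOOKBACK = timedelta(days=180)        # assumed window for "little or no CVC history"
PASS_THROUGH_WINDOW = timedelta(hours=48)
PASS_THROUGH_TOLERANCE = 0.05         # outbound within 5% of the inbound amount
FIRST_TIME_THRESHOLD = 10_000.0       # assumed amount threshold for rule 1


@dataclass(frozen=True)
class Txn:
    customer: str
    counterparty: str
    direction: str   # "in" = funds received by the customer, "out" = funds sent
    amount: float
    ts: datetime


def flag_first_time_cvc(txns):
    """Red flag 1: a customer with no CVC exchange activity inside the lookback
    window sends a large transfer to a CVC exchange."""
    alerts = []
    last_seen = {}   # customer -> timestamp of most recent CVC exchange transfer
    for t in sorted(txns, key=lambda x: x.ts):
        if t.counterparty not in CVC_EXCHANGES:
            continue
        prior = last_seen.get(t.customer)
        if (t.direction == "out" and t.amount >= FIRST_TIME_THRESHOLD
                and (prior is None or t.ts - prior > LOOKBACK)):
            alerts.append(("FIRST_TIME_CVC", t.customer))
        last_seen[t.customer] = t.ts
    return alerts


def flag_pass_through(txns):
    """Red flag 2 pattern: a customer receives funds from a counterparty and,
    within the window, sends an equivalent amount on to a CVC exchange."""
    alerts = []
    by_customer = {}
    for t in txns:
        by_customer.setdefault(t.customer, []).append(t)
    for customer, items in by_customer.items():
        items.sort(key=lambda x: x.ts)
        for i, out in enumerate(items):
            if out.direction != "out" or out.counterparty not in CVC_EXCHANGES:
                continue
            for inc in items[:i]:   # only inbound transactions that precede the outbound one
                if (inc.direction == "in"
                        and out.ts - inc.ts <= PASS_THROUGH_WINDOW
                        and abs(out.amount - inc.amount) <= PASS_THROUGH_TOLERANCE * inc.amount):
                    alerts.append(("PASS_THROUGH", customer))
                    break
    return alerts


def flag_mixer(txns):
    """Red flag 3: a funds transfer initiated with a known mixing service."""
    return [("MIXER", t.customer) for t in txns
            if t.direction == "out" and t.counterparty in MIXING_SERVICES]


def run_rules(txns):
    """Run every rule and return the set of (rule, customer) alerts."""
    return set(flag_first_time_cvc(txns) + flag_pass_through(txns) + flag_mixer(txns))


# Constructed sample ledger: bob has a small, regular exchange history; alice
# receives a corporate payment and forwards nearly all of it to an exchange
# two hours later; carol sends funds to a mixer.
SAMPLE = [
    Txn("bob", "ExampleCoinExchange", "out", 100.0, datetime(2021, 9, 1, 10)),
    Txn("bob", "ExampleCoinExchange", "out", 120.0, datetime(2021, 10, 1, 10)),
    Txn("alice", "Acme Corp", "in", 50_000.0, datetime(2021, 11, 1, 9)),
    Txn("alice", "ExampleCoinExchange", "out", 49_800.0, datetime(2021, 11, 1, 11)),
    Txn("carol", "ExampleMixer", "out", 5_000.0, datetime(2021, 11, 2, 14)),
]

if __name__ == "__main__":
    for rule, customer in sorted(run_rules(SAMPLE)):
        print(f"{rule}: {customer}")
```

Note that bob's routine small transfers raise no alert, which is the point of the amount threshold and lookback: the rule targets the combination the advisory describes (no history, then a large or urgent transfer), not every customer who touches a CVC exchange. Alerts from rules like these feed investigation and, where warranted, SAR filing; they are not by themselves evidence of a ransomware payment.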

4. Publicly Identified Signs of Ransomware

Other red flags are continually emerging, such as (1) when “IT enterprise activity is connected to ransomware cyber indicators or known cyber threat actors” and (2) when a customer’s CVC address, or an address a customer transacts with, is connected to ransomware variants,9 payments or related activity. FinCEN identifies several sources of information on these emerging indicators, such as Technical Alerts from the Cybersecurity and Infrastructure Security Agency and FinCEN Cybersecurity Indicator Lists, which it encourages financial institutions to monitor.10


To help thwart emerging threats and the challenges posed by ransomware, financial institutions need to keep abreast of evolving virtual currency technologies and the associated trends and typologies, and may need to adjust their AML monitoring programs to meet their reporting obligations.


1 FinCEN Advisory, FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (8 November 2021), 11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf.

2 Press release, White House, BACKGROUNDER: Ongoing Public US Efforts to Counter Ransomware (October 13, 2021), fact -sheet-ongoing-public-us-efforts-to-counter-ransomware/.

3 Press Release, US Department of Treasury, Treasury continues to fight ransomware as part of whole-of-government effort; Sanctions Ransomware Operators and Virtual Currency Exchange (8 November 2021),

4 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (6 Oct. 2021), /spy-attorney-general-lisa-o-monaco-announces-the-national-cryptocurrency-enforcement-team.

5 According to FinCEN analysis, as of June 2021, bitcoin was the most common ransomware-related payment method. FinCEN has also identified Monero as an increasingly used CVC. FinCEN, Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021 (21 Oct. 2021), 20Analysis_Ransomware%20508%20FINAL.pdf [hereinafter, FinCEN, Financial Trend Analysis].

6 The advisory also clarifies that entities involved in the direct or indirect facilitation of ransomware payments, for example digital forensic incident response companies (“DFIR”) or cybersecurity liability insurance companies (“CIC”), must also be on their guard against these red flags. In the first half of 2021, DFIR companies submitted the majority (approximately 63%) of ransomware-related Suspicious Activity Reports (“SARs”). FinCEN, Financial Trend Analysis. Similarly, over the same period, CVC exchanges filed 19% of ransomware-related SARs, while depository institutions filed 17% of ransomware-related SARs. Id.

7 FinCEN, Financial Trend Analysis.

8 A “mixer” or “tumbler” is a service that combines the CVC of various users and then redistributes those funds to a desired CVC address. Mixers cause AML problems because they complicate the tracking of CVC transactions.

9 A ransomware “variant” is a version of ransomware whose name is based on changes made to the software or is used to indicate which person or entity is the source of the malware. In its most recent analysis, FinCEN identified 68 ransomware variants linked to SAR filings; the most frequently reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. FinCEN, Financial Trend Analysis.

10 See, for example, FinCEN Advisory, FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments n.34 (8 November 2021), default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf.

Originally published by The Banking Law Journal

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

Marianne R. Winn