FinCEN Issues Amended Advisory on Ransomware and Use of Financial System to Facilitate Ransom Payments

On November 8, 2021, the United States Treasury’s Financial Crimes Enforcement Network (FinCEN) released an updated advisory on ransomware and the use of financial systems to pay ransoms, replacing its earlier October 1, 2020 advisory.  

The update, which is a direct result of the increase in ransomware attacks on the United States’ infrastructure in 2021, include identifying new trends in ransomware and their associated payments. Between January 1, 2021 and June 30, 2021, FinCEN reported 635 ransomware suspicious activity reports (SAR), a 30% increase from the whole calendar year of 2020.The 2021 attacks during H1 2021 cost U.S. businesses an estimated $590 million, again already more than the entirety of 2020.

Common Targets

Because of the nature of financial institutions’ data (personal and financial client information, trading models, business strategies, and all assets under management), they are prime targets for cybercriminals. Financial service firms are 300% more likely to suffer a cyberattack than other organizations in other sectors.  

Aside from financial services, other commonly affected industries are manufacturing/food production, energy, legal services, insurance, education, and health care. For firms who invest in these industries, this adds a secondary opportunity to lose data, money, and repute. 

Emerging Ransomware Trends 

In the October 1, 2020 advisory, FinCEN outlined five ransomware trends financial institutions should watch out for, such as extortion schemes, use of Anonymity-Enhanced Cryptocurrencies (AECs), ransomware criminals forming partnerships and sharing resources, use of “fileless” ransomware”, and “big game” hunting schemes. For more the most updated information on the previously observed trends, please reference pages 4-6 in the updated advisory. 

In addition to the original advisory’s list of ransomware trends, FinCEN updated their catalogue of common ransomware tactics to include two new methods to protect their illegal gains, both of which relate to Convertible Virtual Currency (CVC):

1. Unregistered CVC Mixing Services – Cybercriminals use mixers to “break” any connection between the sender and receiver of the CVC ransom payment. A mixer combines CVC of other users and chunks the transaction into smaller pieces that pass through several different intermediary accounts. This CVC is then traded to other sources for different CVC of equal value. 
2. Cashing Out Through Foreign CVC Exchanges – Cybercriminals use CVC exchanges with lax compliance controls or operations in jurisdictions with minimal regulatory oversight. CVC is then converted to legal tender or fiat currency to incorporate back into the economy.

Regulatory Responsibilities 

Not only are financial institutions at risk of falling victim to ransomware, but they also have regulatory obligations related to reporting suspicious activity to protect the U.S. financial system. Though these regulatory responsibilities do not change in the advisory update, they are important to highlight given the increased likelihood of responding to attacks. 

Bank Secrecy Act (BSA) 

Under the BSA requirements, financial institutions must determine if filing a SAR is required in the wake of a ransomware attack. Reportable activities can involve transactions (such as payments made my financial institutions) related to criminal activities like extortion or unauthorized electronic intrusions.  

A SAR must be filed if a transaction: 

• Totaling $5,000 (or $2,000 for Money Services Businesses) or more is known or suspected by a financial institution to involve funds originating from illicit activity. 
• Disguises funds from illicit activity. 
• Evades BSA regulations. 
• Lacks a business or apparent business purpose. 
• Involves the use of a financial institution to enable illicit activity. 

Filing SARs 

Reports are required to contain complete and accurate information, including cyber-related information. In all cases where a SAR is required, a copy of it with any accompanying business records or documentation must be kept for five years from the filing date in order to comply with requests from law enforcement or other supervisory agencies.  

To file a SAR, contact FinCEN’s Financial Institution Hotline at 1-866-556-3974 and subsequently file a SAR using FinCEN’s BSA E-filing System containing all relevant information available at that time. Reference page 10 of the updated advisory for more information. 

If filing a SAR is not required, an institution can voluntarily file to aid law enforcement’s investigations.  

Information Sharing 

Under section 314(b) of the USA PATRIOT Act, financial institutions can share information relating to transactions suspected to involve the proceeds of one or more specified unlawful activities (SUAs). FinCEN urges financial institutions to share information via section 314(b) where it is suspected that a transaction may involve terrorist financing or money laundering, including one or more SUAs. A list of SUAs is found in 18 U.S.C. §§ 1956 and 1957.

Red Flags for Financial Institutions 

In the October 1, 2020 advisory, FinCEN outlined 10 red flags for which financial institutions should watch. For more the most updated version of the original red flags, please reference flags 1 – 10 on pages 8-9 in the updated advisory. 

Two new red flags were included in the updated advisory:  

1. Financial institutions should monitor for customers initiating a transfer of funds involving a mixing service. 
2. Financial institutions should monitor for customers using an encrypted network to obfuscate the CVC transaction and any accompanying communications.  

Adding these to the radar can aid in detection and prevention of ransomware attacks. For additional prevention approaches, visit the Department of Justice and Department of Homeland Security’s joint website on ransomware risk mitigation here. 
 

ACA Guidance 

In the event of a ransomware incident, before providing or facilitating a ransom payment, ACA Aponix^®  highlights FinCEN’s recommendation that all parties understand the Office of Foreign Assets Control (OFAC)’s warnings regarding payment. While paying the ransom can appear as the path of least resistance to gain back control of your data, there is no guarantee the cybercriminals will follow through on their promises. Regardless of follow-through, these ransom payments enable nefarious activities and incentivize additional attacks. Moreover, facilitating payments to embargoed or sanctioned regions or persons can violate OFAC regulations, resulting in civil liabilities.

Additional Guidance

ACA is producing a series breaking down the complexities of ransomware attacks and how to best prepare. In part one, ACA discusses the essence of the threat, how it evolved, and the most recent developments. In part two, ACA dives deeper into how to prevent and detect ransomware attacks. Recommendations include: 

1. Patching vulnerabilities regularly 
2. Reducing the impact of phishing/malware attacks 
3. Securing your networks 
4. Protecting your backups 
5. Restricting access rights 
6. Knowing what to do in case of an attack 

An in-depth checklist is available for download here. 

How Aponix can help

ACA Aponix offers the following solutions that can help your organization prevent, prepare for, and respond to ransomware attacks:

• Risk Assessments and Regulatory Compliance Testing Services 
• Intelligence, Phishing Testing, and Monitoring 
• Payment and Fraud Risk Assessment Services 
• ACA Aponix's (PortCo Defend™) 
• Operational Resilience and Governance

If you have any questions, please contact your ACA Aponix consultant or contact us here.