Updated ransomware advisory uses fresh FinCEN report info, gives ‘red flag’ indicators

The growing use of anonymity-enhanced cryptocurrencies (AECs) used in ransomware schemes and the ways that perpetrators launder ransomware proceeds are among the findings detailed in an updated advisory issued Monday by Treasury’s financial crimes enforcement unit.

The updated advisory from the Financial Crimes Enforcement Network (FinCEN) reflects information from the agency’s Oct. 15 Financial Trend Analysis Report. Part of Treasury’s broader efforts to combat ransomware, the FinCEN “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” addresses the role of financial intermediaries in ransomware schemes, trends and typologies of ransomware and associated payments, recent examples of ransomware attacks, and financial “red flag” indicators of such activity.

Noted “trends and typologies” include extortion schemes; the proliferating use of anonymity-enhanced cryptocurrencies (AECs); use of unregistered convertible virtual currency (CVC) “mixing” services (mixing is a mechanism used to launder ransomware proceeds, FinCEN notes); cashing out through foreign CVC exchanges; collaboration and partnerships among ransomware criminals; and more.

A description of 12 financial red-flag indicators of ransomware-related illicit activity is included to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. “As no single financial red flag indicator is indicative of illicit or suspicious activity, financial institutions should consider the relevant facts and circumstances of each transaction, in keeping with their risk-based approach to compliance,” FinCEN said.

Those red flag indicators include:

  • A financial institution or its customer detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
  • A customer’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity. These connections may appear in open sources or commercial or government analyses.
  • An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) and a digital forensic and incident response (DFIR) company or cyber insurance company (CIC), especially one known to facilitate ransomware payments.
  • A DFIR or CIC customer receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
  • A customer that has no or limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
  • A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered money services business (MSB).
  • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, anti-money laundering/countering financing of terrorism (AML/CFT) regulations for CVC entities.
  • A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
  • A customer initiates a transfer of funds involving a mixing service.
  • A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
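Several of the indicators above (pass-through of funds from a DFIR or CIC customer to a CVC exchange, a first-time large CVC transfer, a rapid run of swaps into AECs followed by an off-platform exit, and transfers touching a mixer or a high-risk-jurisdiction exchanger) can be expressed as rules over a transaction ledger. The following is an added illustration, not code from FinCEN or the advisory: the transaction schema, the reference lists (`AEC_ASSETS`, `DFIR_CIC_CUSTOMERS`, `KNOWN_MIXERS`, `HIGH_RISK_JURISDICTIONS`), the `LARGE_CVC_USD` threshold, the time windows and the sample records are all constructed assumptions, and the `ZZ` jurisdiction code is a placeholder rather than any real designation.

```python
"""Toy rule set for ransomware-related financial red flags over a transaction ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime
    customer: str
    direction: str           # "in" (funds received) or "out" (funds sent)
    amount_usd: float        # value of the transaction in USD at the time
    asset: str               # "USD", "BTC", "XMR", ...; for a swap, the asset acquired
    counterparty: str        # identifier of the other side
    cp_type: str             # "bank", "cvc_exchange", "external_wallet", "mixer", "swap", "off_platform"
    cp_jurisdiction: str = ""  # country code of the counterparty, "" if unknown


# Constructed reference data; a real programme would load vetted lists and tuned thresholds.
AEC_ASSETS = {"XMR", "ZEC"}
DFIR_CIC_CUSTOMERS = {"acme-dfir"}
KNOWN_MIXERS = {"mixer-example"}
HIGH_RISK_JURISDICTIONS = {"ZZ"}   # placeholder code, not a real designation
LARGE_CVC_USD = 50_000


def _by_customer(txs):
    """Group transactions per customer, ordered by time."""
    groups = defaultdict(list)
    for t in sorted(txs, key=lambda t: t.ts):
        groups[t.customer].append(t)
    return groups


def passthrough_to_exchange(txs, window=timedelta(hours=48), tolerance=0.05):
    """DFIR/CIC customer receives funds, then sends an equivalent amount to a CVC exchange within the window."""
    hits = []
    for cust, seq in _by_customer(txs).items():
        if cust not in DFIR_CIC_CUSTOMERS:
            continue
        for i, inbound in enumerate(seq):
            if inbound.direction != "in":
                continue
            for out in seq[i + 1:]:
                if out.ts - inbound.ts > window:
                    break
                close = abs(out.amount_usd - inbound.amount_usd) <= tolerance * inbound.amount_usd
                if out.direction == "out" and out.cp_type == "cvc_exchange" and close:
                    hits.append((cust, inbound.ts, out.ts))
    return hits


def first_time_large_cvc(txs, min_history=2):
    """Customer with no or limited CVC history sends a large CVC transaction."""
    hits = []
    for cust, seq in _by_customer(txs).items():
        cvc_seen = 0
        for t in seq:
            is_cvc = t.asset != "USD"
            if is_cvc and t.direction == "out" and t.amount_usd >= LARGE_CVC_USD and cvc_seen < min_history:
                hits.append((cust, t.ts))
            if is_cvc:
                cvc_seen += 1
    return hits


def rapid_aec_layering(txs, window=timedelta(hours=2), min_swaps=3):
    """External-wallet deposit, rapid swaps including an AEC, then an off-platform withdrawal."""
    hits = []
    for cust, seq in _by_customer(txs).items():
        for i, dep in enumerate(seq):
            if not (dep.direction == "in" and dep.cp_type == "external_wallet"):
                continue
            later = [t for t in seq[i + 1:] if t.ts - dep.ts <= window]
            swaps = [t for t in later if t.cp_type == "swap"]
            exits = [t for t in later if t.cp_type == "off_platform" and t.direction == "out"]
            if len(swaps) >= min_swaps and any(s.asset in AEC_ASSETS for s in swaps) and exits:
                hits.append((cust, dep.ts))
    return hits


def risky_counterparty(txs):
    """Transfers involving a mixing service or a CVC exchanger in a high-risk jurisdiction."""
    hits = []
    for t in sorted(txs, key=lambda t: t.ts):
        if t.cp_type == "mixer" or t.counterparty in KNOWN_MIXERS:
            hits.append((t.customer, "mixer", t.ts))
        elif t.cp_type == "cvc_exchange" and t.cp_jurisdiction in HIGH_RISK_JURISDICTIONS:
            hits.append((t.customer, "high_risk_exchanger", t.ts))
    return hits


def run_all(txs):
    """Run every rule; each hit is a lead for review, not a determination on its own."""
    return {
        "passthrough_to_exchange": passthrough_to_exchange(txs),
        "first_time_large_cvc": first_time_large_cvc(txs),
        "rapid_aec_layering": rapid_aec_layering(txs),
        "risky_counterparty": risky_counterparty(txs),
    }


T0 = datetime(2021, 11, 8, 9, 0)
SAMPLE = [  # constructed ledger; every name and amount is made up for the example
    Tx(T0, "acme-dfir", "in", 200_000, "USD", "client-bank", "bank"),
    Tx(T0 + timedelta(hours=6), "acme-dfir", "out", 198_000, "USD", "exchange-a", "cvc_exchange", "US"),
    Tx(T0, "hospital-b", "out", 120_000, "BTC", "wallet-1", "external_wallet"),
    Tx(T0, "trader-c", "in", 30_000, "BTC", "wallet-2", "external_wallet"),
    Tx(T0 + timedelta(minutes=5), "trader-c", "out", 30_000, "ETH", "swap", "swap"),
    Tx(T0 + timedelta(minutes=10), "trader-c", "out", 30_000, "XMR", "swap", "swap"),
    Tx(T0 + timedelta(minutes=15), "trader-c", "out", 30_000, "BTC", "swap", "swap"),
    Tx(T0 + timedelta(minutes=40), "trader-c", "out", 29_500, "BTC", "wallet-3", "off_platform"),
    Tx(T0, "retail-d", "in", 500, "BTC", "exchange-b", "cvc_exchange", "US"),
    Tx(T0, "fund-e", "out", 8_000, "BTC", "mixer-example", "mixer"),
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE).items():
        print(rule, hits)
```

Each rule returns leads keyed by customer and time so they can be tied back to the underlying records; consistent with FinCEN's caution above, a hit from any single rule is a prompt to look at the surrounding facts, not a finding in itself.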

“Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (FIN-2021-A004)