Facilitating payments for victims of ransomware attacks may violate U.S. sanctions, according to the U.S. Treasury Department, which issued two advisories on October 1 to highlight the anti-money laundering regulatory risk and sanctions risk associated with these criminal schemes.
Treasury’s sanctions enforcer, the Office of Foreign Assets Control (OFAC), and its anti-money laundering unit, the Financial Crimes Enforcement Network (FinCEN), each issued advisories “to assist U.S. individuals and businesses in efforts to combat ransomware scams and attacks.”
Criminals use ransomware attacks, which rely on malicious software, or malware, to take control of victims’ computer systems, then demand payment to return control of the systems to the victims. “Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes,” said Deputy Secretary Justin Muzinich. “Treasury will continue to use its powerful tools to counter these malicious cyber-actors and their facilitators.”
OFAC’s advisory outlined the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by ransomware attacks. “Demand for ransomware payments has increased during the Covid-19 pandemic as cyber-actors target online systems that U.S. persons rely on to continue conducting business,” OFAC’s advisory stated. “Companies that facilitate ransomware payments to cyber-actors on behalf of victims, including financial institutions, cyber-insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
“Treasury will continue to use its powerful tools to counter these malicious cyber-actors and their facilitators.”
Notably, the document added that OFAC may impose civil penalties for sanctions violations based on strict liability, “meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
“OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments,” the advisory stated, adding that these companies’ sanctions compliance programs “should account for the risk that a ransomware payment may involve an (Specially Designated National) or blocked person, or a comprehensively embargoed jurisdiction.”
Processing ransomware payments
FinCEN’s advisory focused on the role of financial intermediaries in the processing of ransomware payments, trends and typologies of ransomware and associated payments, ransomware-related financial red flag indicators, and reporting and sharing information related to ransomware attacks.
Processing ransomware payments typically involves a multi-step process that involves at least one depository institution and one or more money services business, the document stated, adding that many ransomware schemes involve cryptocurrencies, “the preferred payment method of ransomware perpetrators.”
A ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a cryptocurrency exchange to purchase the type and amount of cryptocurrency specified by the ransomware perpetrator, FinCEN said. Next, the victim will send the cryptocurrency from a wallet hosted at the exchange to the perpetrator’s designated account or address.
FinCEN shared ten “financial red flag indicators” of ransomware-related illicit activity “to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.” These red flags include customers who state that payments are in response to a ransomware incident and customers who show limited knowledge of cryptocurrency during onboarding or other interactions with the financial institution yet inquire about purchases, particularly in a large amount or via rush requests.
Financial institutions should determine if filing a suspicious activity report (SAR) “is required or appropriate when dealing with an incident of ransomware conducted by, at, or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware,” FinCEN said, adding that financial institutions are required to file complete and accurate reports “that incorporate all relevant information available, including cyber-related information.”
Information sharing among financial institutions “is critical to identifying, reporting, and preventing evolving ransomware schemes,” the advisory stated.
The advisory added that financial institutions sharing information under the safe harbor provided by Section 314(b) of the USA PATRIOT Act “are reminded that they may share information relating to transactions that the institution suspects may involve the proceeds of one or more specified unlawful activities and such an institution will still remain protected from civil liability under the Section 314(b) safe harbor.”