Ransomware & crypto: The growing compliance challenge

A recently published landmark report, Countering Ransomware Financing, aims to equip public and private stakeholders, such as law enforcement agencies, regulators, virtual asset service providers (VASPs), and financial institutions with insights needed to tackle financial flows related to ransomware.

The report, published by the Financial Action Task Force (FATF), the international standard-setter for anti-money laundering and countering the financing of terrorism (AML/CFT), addresses what has become one of the fastest growing and most disruptive forms of cybercrime in recent years.

Central to the FATF’s plea for fighting back against ransomware is shedding light on the illicit financial flows of ransomware gangs and their support networks — financial flows that overwhelmingly occur in crypto-assets. Concurrent regulatory developments increasingly demand that compliance officers at VASPs and financial institutions understand how to identify and manage financial crime risks related to ransomware.

Ransomware & money laundering risks

Cybercriminals use malware to encrypt data on victims’ computers or deny them access to critical systems, and then demand a ransom payment in return for restoring access to the victim. Ransomware has become especially lucrative in recent years as cybercriminal gangs have identified ways to launch attacks with increasing effectiveness and efficiency.

Employing a technique known as Big Game Hunting, ransomware gangs now routinely direct attacks at hospitals, government offices, energy firms, and other critical infrastructure to try and generate the biggest possible ransoms. In recent years, ransomware gangs — many of which operate from Russia, as well as in jurisdictions such as Iran and North Korea — have raised hundreds of millions of dollars annually by extracting large ransoms from their victims. Perpetrators of these attacks have included Russian ransomware organizations such as the DarkSide, Conti, and Ryuk gangs, as well as the Lazarus Group, North Korea’s cybercrime outfit.

Crypto-assets have featured heavily in the growth of ransomware. Nearly all ransomware payments are made in Bitcoin, which enables attackers to receive payments from victims into private Bitcoin wallets that are not held at regulated institutions.

After receiving payment in Bitcoin from their victims, ransomware attackers generally need to convert their funds at a crypto-exchange or other VASP into fiat currencies, such as Russian rubles, euros, or other currencies. Because the Bitcoin blockchain is highly transparent, the flow of funds from these attacks can be observed as ransomware gangs attempt to launder them through the crypto-ecosystem.

This activity can in turn generate red flag indicators of money laundering that compliance officers can detect, some of which the FATF details in its reports, and that regulators such as the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) have also documented in notices to the private sector.

Some important money laundering red flags and behaviors that often feature in cases of ransomware include:

• • • Funds from ransomware attacks are sent to crypto-asset exchanges with minimal or no AML/CFT controls, or are based in high-risk jurisdictions, such as the Bitzlato exchange, which FinCEN identified as a primary money laundering concernunder Section 9714 of the Combatting Russian Money Laundering Act.
    • Attackers send their funds through crypto-asset mixing services and other obfuscating technology aimed at breaking the funds’ trail on the blockchain.
    • Attackers take transparent crypto-assets, such as Bitcoin, that they receive from their victims and swap them for highly anonymous crypto-assets such as Monero.
    • Attackers deploy “chain-hopping” typologies of money laundering and attempt to obfuscate their activity by sending funds through decentralized finance (DeFi) services, such as cross-chain bridges that allow users to seamlessly move funds across the Bitcoin, Ethereum, and other blockchains.

While crypto-asset exchanges and other VASPs are most directly affected by this behavior, banks and other financial institutions must be alert to the money laundering risks too. After all, once ransomware gangs have swapped crypto-assets for fiat currencies, they then attempt to launder those funds through the banking system. By understanding the important red flags and typologies involved, bank compliance teams can equip themselves to identify ransomware-related money laundering.

Growing sanctions challenge

In addition to money laundering risks, transactions related to ransomware pose growing sanctions compliance risks and challenges. Over the past 18 months, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has targeted sanctions activity at ransomware attackers and their support networks with asset freezes.

This has often involved including crypto-asset addresses belonging to attackers and their support networks on the OFAC Specially Designated Nationals and Blocked Persons List (SDN List). OFAC’s recent actions involving ransomware include:

• • • In October 2020, OFAC issued guidanceentitled Potential Sanctions Risks for Facilitating Ransomware Payments, which it later updated in September 2021. The guidance explains that making or facilitating ransomware payments can result in a sanctions violation if those payments benefit a sanctioned person or jurisdiction.
    • Between September 2021 and April 2022, OFAC sanctioned three crypto-asset exchanges registered in Eastern Europe — SUEX, Chatex, and Garantex— that it accused of laundering crypto-assets on behalf of ransomware gangs.
    • In April 2022, OFAC also sanctioned the Hydra darknet marketplace, which had facilitated activity of ransomware gangs and their affiliates before it was taken down by German law enforcement.
    • In February 2023, OFAC undertook a coordinated, joint actionalongside the U.K.’s Office of Financial Sanctions Implementation (OFSI) to target ransomware gangs. OFAC and the OFSI both sanctioned seven Russian nationals allegedly associated with the Conti and Ryuk ransomware campaigns.

As a result of these actions, VASPs and financial institutions must ensure that they do not facilitate prohibited payments with ransomware gangs and those supporting them who are subject to sanctions.

Responding to risks

Successfully combating ransomware while adhering to regulatory requirements is possible, though challenges exist. Compliance teams at VASPs and financial institutions can take steps to ensure that they address the related risks effectively.

First, compliance teams should receive training on typologies and red flags related to ransomware so that they have the knowledge needed to detect potential money laundering or sanctions-evasion activity. Secondly, compliance teams should familiarize themselves with evolving regulatory requirements and notices related to ransomware — particularly OFAC sanctions requirements — and should ensure their policies and procedures reflect these developments.

Finally, compliance teams at VASPs and financial institutions should use blockchain analytics solutions to detect red flags and other indicators of crypto-asset transactional risks related to ransomware. This should include using blockchain analytics solutions capable of identifying cross-chain funds flows indicative of chain-hopping typologies of money laundering that ransomware attackers increasingly use.

As a rapidly evolving form of cybercrime, ransomware activity poses significant compliance challenges; however, by taking the steps above, compliance teams can work to manage the risks successfully.