The United States Treasury Department’s Financial Crimes Enforcement Network (FinCEN) will hold a second FinCEN Exchange in August to discuss ways to combat increasingly sophisticated cyber and ransomware attacks. The FinCEN Exchange is a voluntary public and private partnership that convenes stakeholders, law enforcement and financial institutions (FIs).
As part of their Compliance functions, financial institutions must have a plan in place to combat ransomware demands. Cybersecurity insurance and the selection of appropriate and experienced Corporate Governance Experts are also critical to ensuring FIs’ ability to navigate through cybersecurity threats.
“As the past few months have demonstrated, the surge in ransomware attacks threatens our critical infrastructure, municipalities and the most vulnerable among us and is increasingly impacting the lives of the American people,” said FinCEN’s Acting Director Michael Mosier.
Potential Sanctions for Financial Institutions
FinCEN issued an advisory in Oct. 2020 to inform financial institutions of their critical role in recognizing indicators of ransomware and money laundering activities. The FinCEN Advisory also cited an Advisory from the Office of Foreign Assets Control (OFAC) outlining potential sanctions of financial institutions (FIs) that facilitate ransomware payments.
In addition, in June 2021, FinCEN issued the first government priorities for anti-money laundering and countering the financing of terrorism.
Financial Institutions’ Bank Secrecy Act (BSA) obligations
Financial institutions need to evaluate their internal policy for filing Suspicious Activity Reports (SARs) in cybersecurity incidents. Institutions may file a SAR voluntarily to aid law enforcement with protecting the financial sector.
Valuable indicators for law enforcement investigations of ransomware can include:
- “relevant email addresses,
- Internet Protocol (IP) addresses with their respective timestamps,
- login information with location and timestamps,
- virtual currency wallet addresses,
- mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers),
- malware hashes,
- malicious domains,
- descriptions and timing of suspicious electronic communications.”
How financial institutions become intermediaries
The FinCEN 2020 Advisory illustrated how financial institutions come to play a crucial role as intermediaries in ransomware attacks, including:
● Processing ransomware payments is a multi-step process that involves at least one depository institution and one or more money services businesses (MSB).
● Many ransomware schemes involve convertible virtual currency (CVC), which is the preferred payment method of ransomware perpetrators.
● To satisfy the ransom demand, a victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a digital currency exchange. This will allow them to purchase the type and amount of CVC specified by the ransomware criminal.
● The victim will often send the CVC from a wallet hosted at the exchange to the cybercriminal’s designated account or CVC address.
● Criminals launder funds through means including:
- mixers and tumblers to convert funds into other CVCs,
- smurfing transactions across many accounts and exchanges,
- moving the CVC to foreign-located exchanges and peer-to-peer (P2P) exchangers in jurisdictions with weak anti-money laundering and countering financing of terrorism (AML/CFT) controls.
Ransomware operations are increasingly sophisticated
- Big Game Hunting Schemes target larger enterprises to demand bigger payouts.
- Ransomware Groups Form Partnerships and Share Resources: cybercriminals have begun sharing resources to enhance the effectiveness of ransomware attacks. They use ransomware exploit kits that come with ready-made malicious code and tools; these kits are sold or offered free. Groups also share advice, code, trends, techniques, and illegally obtained information over shared platforms.
- Double Extortion Schemes: criminals remove sensitive data from the targeted networks, encrypt the system files and demand ransom. Then they threaten to publish or sell the stolen data if the victim fails to pay the ransom.
- Use of Anonymous Cryptocurrency: cybercriminals demand that ransomware payments be made in Convertible Virtual Currency (CVC) such as Bitcoin.
- Use of “Fileless” Ransomware: malicious code that is much harder to detect is written into the computer’s memory rather than into a file on a hard drive. This allows attackers to circumvent off-the-shelf antivirus and malware defenses.
The Department of Justice and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of a new educational website focused on ransomware. It’s called StopRansomware.gov, and it contains tools and resources for organizations of all sizes.