The growing threat of ransom demands, paid in cryptocurrencies, is becoming a huge compliance headache for financial institutions.
A recently published landmark report, , aims to equip public and private stakeholders such as law enforcement agencies, regulators, virtual asset service providers (VASPs) and financial institutions with the insights needed to tackle financial flows related to ransomware.
The report, released by the Financial Action Task Force (FATF), the international standard setter for anti-money laundering and countering the financing of terrorism (AML/CFT), addresses what has become one of the fastest growing and most disruptive forms of cybercrime in recent years.
Central to the FATF’s plea to fight back against ransomware is to shed light on the illicit financial flows of ransomware gangs and their support networks – financial flows that overwhelmingly occur in crypto-assets. Concurrent regulatory developments increasingly require compliance officers at VASPs and financial institutions to understand how to identify and manage financial crime risks associated with ransomware.
Ransomware & money laundering risk
Cybercriminals use malware to encrypt data on victims’ computers or deny them access to critical systems, and then demand a ransom in return to restore access to the victim. Ransomware has become particularly lucrative in recent years as cybercriminal gangs have identified ways to launch attacks with increasing efficiency and effectiveness.
Using a technique known as Big game hunting, ransomware gangs are now routinely targeting hospitals, government offices, energy companies and other critical infrastructure to try to generate the largest possible ransom. In recent years, ransom gangs – many of which operate out of Russia, as well as in jurisdictions such as Iran and North Korea – have collected hundreds of millions of dollars annually by extracting large ransoms from their victims. The perpetrators of these attacks have included Russian ransomware organizations such as the DarkSide, Conti and Ryuk gangs, as well as the Lazarus Group, North Korea’s cybercrime outfit.
Crypto-assets have been strongly affected by the growth of ransomware. Almost all ransomware payments are made in Bitcoin, making it possible for attackers to receive payments from victims into private Bitcoin wallets that are not held at regulated institutions.
After receiving payment in Bitcoin from their victims, ransom attackers generally have to convert their money on a crypto exchange or other VASP into fiat currencies, such as Russian rubles, euros, or other currencies. Because the Bitcoin blockchain is highly transparent, the flow of funds from these attacks can be observed as ransomware gangs attempt to launder them through the crypto ecosystem.
This activity can in turn generate red flag indicators of money laundering that compliance officers can detect, some of which FATF details in its reports, and which regulators such as the US Treasury’s Financial Crimes Enforcement Network (FinCEN) have also documented in notices to the private sector.
Some key money laundering red flags and behaviors that are often displayed in ransomware cases include:
-
-
- Funds from ransomware attacks are sent to cryptoasset exchanges with minimal or no AML/CFT controls, or are based in high-risk jurisdictions, such as the Bitzlato exchange, which FinCEN identified as a primary money laundering issue under Section 9714 of the Combatting Russian. The Money Laundering Act.
- identified as a primary money laundering problem
- under section 9714 of the Russian Anti-Money Laundering Act.
- Section 9714
- of the Russian law on money laundering.
- Attackers send their money through crypto-asset mixing services and other obscure technologies that aim to break the funds’ trail on the blockchain.
- mix services
- and other obscure technology that aims to break the foundations’ track on the blockchain.
- Attackers take transparent cryptoassets, such as Bitcoin, that they receive from victims and exchange them for highly anonymous cryptoassets such as Monero.
- Attackers deploy “chain-hopping” typologies of money laundering and attempt to obscure their activity by sending funds through decentralized finance (DeFi) services, such as cross-chain bridges that allow users to seamlessly move funds across Bitcoin, Ethereum, and other blockchains.
- “chain-jumping” typologies of money laundering
- and attempt to obscure their activity by sending funds through decentralized financial services (DeFi), such as cross-chain bridges that allow users to seamlessly move funds across Bitcoin, Ethereum, and other blockchains.
While cryptoasset exchanges and other VASPs are most directly affected by this behavior, banks and other financial institutions must also be aware of the risk of money laundering. After all, once ransomware gangs have exchanged crypto-assets for fiat currencies, they attempt to launder those funds through the banking system. By understanding the key red flags and typologies involved, bank compliance teams can equip themselves to identify ransom-related money laundering.
The challenge of increasing sanctions
In addition to the risk of money laundering, transactions related to ransomware pose increasing risks and challenges for compliance with sanctions. Over the past 18 months, the US Treasury’s Office of Foreign Assets Control (OFAC) has targeted sanctions activity against ransomware attackers and their support networks with asset freezes.
This has often involved including crypto asset addresses belonging to attackers and their support networks on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). OFAC’s recent actions involving ransomware include:
-
-
- In October 2020, OFAC issued guidance titled , which it subsequently updated in September 2021. The guidance explains that making or facilitating ransom payments may result in sanctions violations if those payments benefit a sanctioned person or jurisdiction.
- Potential sanction risks for facilitating ransomware payments
- as subsequently updated in September 2021. The guidance explains that making or facilitating ransom payments may result in sanctions violations if those payments benefit a sanctioned person or jurisdiction.
- Between September 2021 and April 2022, OFAC sanctioned three cryptoasset exchanges registered in Eastern Europe – SUEX, Chatex and Garantex – accused of laundering cryptoassets on behalf of ransom gangs.
- SUEX
- Chatex and Garantex – that they accused of laundering crypto assets on behalf of ransom gangs.
- Chatex
- and Garantex – that they accused of laundering crypto-assets on behalf of ransom gangs.
- Garantex
- — that it accused of laundering crypto assets on behalf of ransom gangs.
- In April 2022, OFAC also sanctioned the Hydra darknet marketplace, which had facilitated the activity of gangs and their affiliates before it was taken down by German law enforcement.
- Hydra darknet marketplace
- which had facilitated the activities of ransom gangs and their affiliates before being taken down by German law enforcement.
- it was taken down
- of German law enforcement.
- In February 2023, OFAC conducted a coordinated joint operation with the UK’s Office of Financial Sanctions Implementation (OFSI) to target gangs for ransom. OFAC and OFSI both sanctioned seven Russian nationals allegedly linked to the Conti and Ryuk ransomware campaigns.
- a coordinated, joint action
- together with the UK’s Office of Financial Sanctions Implementation (OFSI) to target gangs for ransom. OFAC and OFSI both sanctioned seven Russian nationals allegedly linked to the Conti and Ryuk ransomware campaigns.
As a result of these actions, VASPs and financial institutions must ensure that they do not facilitate prohibited payments with ransom gangs and those who support them that are subject to sanctions.
Respond to risks
It is possible to combat ransomware while complying with regulatory requirements, although there are challenges. Compliance teams at VASPs and financial institutions can take steps to ensure that they manage the related risks effectively.
First, compliance teams should be trained in the typologies and red flags associated with ransomware so that they have the knowledge needed to detect potential money laundering or sanctions evasion. Second, compliance teams should familiarize themselves with regulatory requirements and alerts related to ransomware – particularly OFAC sanctions – and ensure their policies and procedures reflect these developments.
Finally, compliance teams at VASPs and financial institutions should use blockchain analytics solutions to detect red flags and other indicators of transactional risks associated with ransomware. This should include the use of blockchain analytics solutions capable of identifying cross-chain money flows that indicate chain-hopping typologies of money laundering that ransomware attackers are increasingly using.
As a rapidly evolving form of cybercrime, ransomware activity poses significant compliance challenges; However, by following the steps above, compliance teams can work to successfully manage the risks.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which is committed under the fiduciary principles to integrity, independence and freedom from bias. The Thomson Reuters Institute is owned by Thomson Reuters and operates independently of Reuters News.
David Carlisle
David Carlisle is vice president of policy and regulatory affairs at Elliptic. Prior to joining, David worked for the US Treasury Department, including in the Office of Foreign Assets Control (OFAC), where he was involved in the design and implementation of US financial and economic sanctions programs involving countries such as Myanmar and Iran. In subsequent roles, David worked in the Treasury’s Office of Terrorist Financing and Financial Crimes advising senior Treasury officials on a wide range of topics related to sanctions, money laundering and terrorist financing. He also acted as a liaison to the Treasury when engaging governments in the Asia-Pacific region on financial crime issues.
