
Alston & Bird Privacy, Cyber & Data Strategy Blog


FinCEN Alerts Financial Institutions on Role in Facilitating Ransomware Attacks

October 2, 2020 By Larry Sommerfeld and Alysa Austin

Citing an increase in the frequency, sophistication, and cost of ransomware attacks, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on October 1, 2020 alerting financial institutions to ransomware trends and typologies, and to related financial red flags, that may trigger a regulatory obligation to report and share information about ransomware attacks.

Based on FinCEN’s analysis of Bank Secrecy Act (BSA) data as well as other sources, the advisory noted the “growing concern” ransomware attacks pose for the financial sector and the “critical role financial institutions play in the collection of ransom payments.” The advisory walks through what FinCEN characterizes as a typical multi-step process when ransoms are paid, which often involves at least one depository institution and at least one money services business (MSB). FinCEN advised companies that facilitate ransomware payments, such as by money transmission, that they may be “required to register as an MSB with FinCEN” and be subject to BSA obligations, “including filing suspicious activity reports (SARs).” The advisory also warns of the sanctions risk that facilitating a ransomware payment can create under Office of Foreign Assets Control (OFAC) rules. OFAC issued its own ransomware guidance contemporaneously with the FinCEN advisory; that guidance is the subject of a separate blog post.

FinCEN advises financial institutions to report suspicious transactions conducted or attempted by, at, or through the financial institution that derive from potential ransom payments and that involve or aggregate to the applicable monetary threshold. This may include processing the wire transfer, automated clearinghouse (ACH) transfer, or credit card payment a victim uses to buy the convertible virtual currency (CVC) with which the ransom is paid.

The advisory describes some recent, sophisticated ransomware techniques before identifying a list of 10 financial red flag indicators of ransomware activity that financial institutions should consider when determining whether to file a SAR. These flags include:

  • IT enterprise activity is connected to cyber indicators that have been associated with possible ransomware activity or cyber threat actors known to perpetrate ransomware schemes. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
  • A customer’s CVC address, or an address with which a customer conducts transactions, appears in open-source, commercial, or government analyses that link the address to ransomware strains, payments, or related activity.
  • A transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a digital forensics and incident response (DFIR) company or cyber insurance company (CIC), especially one known to facilitate ransomware payments.
  • A DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly in large amounts or as rush requests), which may indicate the customer is a victim of ransomware.
  • A DFIR, CIC, or other company that has no or limited history of CVC transactions sends a large CVC transaction, particularly if outside a company’s normal business practices.
  • A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
  • A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or known to have inadequate, anti-money laundering and countering financing of terrorism (AML/CFT) regulations for CVC entities.
  • A customer initiates multiple rapid trades between multiple CVCs, especially anonymity-enhanced cryptocurrencies (AECs), with no apparent related purpose, which may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
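Several of these flags are transaction-monitoring rules in disguise: a pass-through from a DFIR firm or insurer to a CVC exchange, a large first-ever CVC purchase by a customer with no CVC history, and a burst of CVC-to-CVC swaps. As an added example that is not part of the FinCEN advisory or this post, the Python below encodes those three flags over a constructed ledger. The customer names, entity types, the $50,000 threshold, the 24-hour pass-through window, the 5% amount tolerance, the one-hour swap window and the set of anonymity-enhanced coins are all illustrative assumptions, not values FinCEN specifies.

```python
"""Transaction-monitoring rules for three of the FinCEN ransomware red flags.

Added example, not from the advisory. Names, entity types, thresholds and
time windows are illustrative assumptions, not FinCEN-specified values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    tid: str
    ts: datetime
    sender: str
    receiver: str
    amount: float          # fiat amount sent
    receiver_type: str     # "customer", "dfir", "cic" or "cvc_exchange" (assumed taxonomy)


@dataclass
class Swap:
    customer: str
    ts: datetime
    asset_from: str
    asset_to: str


# Anonymity-enhanced cryptocurrencies for the last flag (assumed set, not from the advisory).
AECS = {"XMR", "ZEC", "DASH"}


def flag_pass_through(txns, window=timedelta(hours=24), tolerance=0.05):
    """A DFIR firm or cyber insurer receives funds from a client and shortly
    afterwards sends an equivalent amount on to a CVC exchange."""
    hits = []
    for t_in in (t for t in txns if t.receiver_type in {"dfir", "cic"}):
        for t_out in txns:
            if (t_out.sender == t_in.receiver
                    and t_out.receiver_type == "cvc_exchange"
                    and timedelta(0) <= t_out.ts - t_in.ts <= window
                    and abs(t_out.amount - t_in.amount) <= tolerance * t_in.amount):
                hits.append((t_in.tid, t_out.tid))
    return hits


def flag_first_large_cvc(txns, threshold=50_000.0):
    """A sender with no prior CVC activity sends a large amount to a CVC exchange.
    Covers both the 'limited knowledge of CVC' and 'no history of CVC' flags."""
    hits, seen = [], set()
    for t in sorted(txns, key=lambda t: t.ts):      # history must be evaluated in time order
        if t.receiver_type != "cvc_exchange":
            continue
        if t.sender not in seen and t.amount >= threshold:
            hits.append(t.tid)
        seen.add(t.sender)
    return hits


def flag_rapid_swaps(swaps, min_hops=3, window=timedelta(hours=1)):
    """Multiple rapid CVC-to-CVC trades by one customer (chain-hopping); the
    third tuple element records whether any hop landed in an AEC."""
    by_customer = defaultdict(list)
    for s in swaps:
        by_customer[s.customer].append(s)
    hits = []
    for customer, chain in by_customer.items():
        chain.sort(key=lambda s: s.ts)
        for i in range(len(chain)):
            run = [s for s in chain[i:] if s.ts - chain[i].ts <= window]
            if len(run) >= min_hops:
                hits.append((customer, len(run), any(s.asset_to in AECS for s in run)))
                break
    return hits


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample ledger: fictitious names, amounts and timestamps.
TXNS = [
    Txn("t1", _t("2020-09-14T09:05"), "MercyHospital", "AcmeDFIR", 250_000.0, "dfir"),
    Txn("t2", _t("2020-09-14T13:40"), "AcmeDFIR", "BigExchange", 249_500.0, "cvc_exchange"),
    Txn("t3", _t("2020-09-15T10:00"), "SmallCityGov", "BigExchange", 180_000.0, "cvc_exchange"),
    Txn("t4", _t("2020-09-01T08:00"), "RetailTrader", "BigExchange", 2_000.0, "cvc_exchange"),
    Txn("t5", _t("2020-09-16T08:00"), "RetailTrader", "BigExchange", 120_000.0, "cvc_exchange"),
    Txn("t6", _t("2020-09-14T09:10"), "MercyHospital", "PayrollCo", 300_000.0, "customer"),
    Txn("t7", _t("2020-09-14T15:00"), "AcmeDFIR", "OfficeLandlord", 12_000.0, "customer"),
]
SWAPS = [
    Swap("OpaqueLLC", _t("2020-09-15T11:00"), "BTC", "XMR"),
    Swap("OpaqueLLC", _t("2020-09-15T11:10"), "XMR", "ETH"),
    Swap("OpaqueLLC", _t("2020-09-15T11:20"), "ETH", "BTC"),
    Swap("RetailTrader", _t("2020-09-01T09:00"), "BTC", "ETH"),
    Swap("RetailTrader", _t("2020-09-03T09:00"), "ETH", "BTC"),
]


def run_all(txns=TXNS, swaps=SWAPS):
    """Return every red-flag hit, keyed by rule, for SAR review."""
    return {
        "pass_through": flag_pass_through(txns),
        "first_large_cvc": flag_first_large_cvc(txns),
        "rapid_swaps": flag_rapid_swaps(swaps),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

On the sample ledger the pass-through rule pairs the hospital's payment to the DFIR firm with the firm's near-identical transfer to the exchange a few hours later; the first-large-CVC rule flags both the DFIR firm and the city government, but not the retail trader whose large purchase follows prior CVC history; and the swap rule flags only the customer that hops BTC to XMR to ETH and back within an hour. Each hit is a candidate for analyst review, not a SAR by itself; the thresholds are the point at which an institution's own risk appetite enters.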

The advisory also provides guidance on effectively reporting and sharing information related to ransomware attacks. When considering what information to include in SARs relating to ransomware, the advisory focuses on technical indicators such as email addresses, IP addresses, account information, location and timestamps, virtual currency wallet addresses, mobile device information, malware hashes, and malicious domains, as well as narrative descriptions of suspicious electronic communications. And pursuant to Section 314(b) of the USA PATRIOT Act, financial institutions are statutorily protected from civil liability when voluntarily sharing information with one another for the purpose of identifying or reporting terrorist financing or money laundering.

Filed Under: Advisories, Cyber Risk, Cybercrime, Cybersecurity, Data Protection, Data Security, Digital Crimes, Enforcement, Financial Privacy, Privacy Tagged With: ransomware

About Larry Sommerfeld

Lawrence (Larry) Sommerfeld is a partner on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. As an assistant U.S. attorney, he led the Computer Crime and Intellectual Property Unit and investigated and prosecuted the leaders of one of the most sophisticated and coordinated cyber intrusions ever perpetrated. Larry was invited to join the Department of Justice’s Computer Hacking and Intellectual Property Working Group, where he advised the DOJ on developing technology and intellectual property issues, and potential legislation.


About Alysa Austin

Alysa Austin is an associate with the Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.


Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.