On Thursday, two bureaus within the U.S. Department of the Treasury– the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN)– issued advisories related to facilitating ransomware payments.
OFAC’s advisory focuses on the potential sanctions risks associated with ransomware payments, while FinCEN’s advisory highlights that the facilitation of ransomware payments may trigger FinCEN registration and Bank Secrecy Act (BSA) requirements and discusses financial red flag indicators of ransomware and associated payments.
Neither of these advisories includes major changes to the U.S. government’s guidance; regulators and law enforcement have consistently stated that paying ransoms only encourages bad actors to make future ransomware payment demands. But they do make it clear that ransomware victims and those who facilitate payments on behalf of victims can be found in violation of sanctions violations and/or the BSA.
These advisories are issued at a time when ransomware attacks are becoming more “focused, sophisticated, costly, and numerous.” Chainalysis data suggests payments to ransomware entities increased more than 360% between January and September 2020 and the same period last year.
Ransomware victims, third party companies that facilitate ransomware payments such as digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs), cryptocurrency exchanges, and financial institutions should take a risk-based approach to managing responses to ransomware on behalf of themselves and their customers.
In this blog, I break down the key takeaways from the two advisories and point out where blockchain analysis can help mitigate risk.
OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
OFAC has designated many malicious cyber actors, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. As such, a cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus. OFAC makes several important clarifications:
- Facilitating ransomware payments on behalf of a victim may violate OFAC regulations.
Third party ransomware facilitators and cryptocurrency exchanges could be in violation of sanctions if they facilitate a payment to a sanctioned actor.
For example, Garmin reportedly used a third party to pay the WastedLocker ransomware demand rather than paying it directly. In this case, WastedLocker ransomware is believed to have been perpetrated by Evil Corp, a designated entity. Blockchain analysis can help victims and those working on behalf of victims identify wallets associated with specific ransomware variants and designated actors.
OFAC originally sanctioned Evil Corp for its development and distribution of the Dridex strain, which was largely active in late 2015 and early 2016. This is also a good example of the importance of understanding the various strains that designated entities run over time. Not only is it important to keep up with known variants that were operated in the past by an entity on the Specially Designated Nationals (SDN), list but also to keep up with any new ones they begin to operate. One of the best ways to understand this is by using blockchain analysis to investigate where payments intersect.
- Those covered by comprehensive country or region embargoes are also applicable.
OFAC’s advisory not only covers entities on their SDN list, but also comprehensive country or region embargoes (e.g. Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). It is difficult to determine where entities are located based on their cryptocurrency wallets or addresses. However, if they are deposit addresses or interact with deposit addresses at an exchange, that exchange’s jurisdictional information is visible. Blockchain analytics is imperative for this research.
- Licensing applications involving ransomware payments will be reviewed by OFAC on a case by case basis with a presumption of DENIAL.
This essentially means that if a designated entity is identified as the perpetrator, a firm will probably not be able to receive a license to make a ransomware payment.
- OFAC will consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement.
This would be a significant mitigating factor in determining the enforcement outcome if there is a sanctions nexus.
FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
FinCEN’s advisory provides important information on the role of financial intermediaries in the processing of ransomware payments and ransomware-related red flag indicators. Here are three important takeaways:
- Third party ransomware facilitators like DFIR companies and CICs might be engaged in MSB activities.
This would trigger FinCEN registration and BSA requirements, including filing Suspicious Activity Reports (SARs). It is likely this would be triggered by every payment they process.
There are some variations to DFIR companies and CICs. First, they don’t necessarily pay directly. Some walk their client through the process or connect them with someone who pays. Some pay and register as an MSB and file SARs.
- FinCEN considers a link between a customer’s cryptocurrency wallet and ransomware activity to be a red flag indicator.
FinCEN identified several financial red flag indicators of ransomware-related illicit activity to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. Many of these red flags and typologies are associated with convertible virtual currency (CVC, or cryptocurrency) activity.
In particular, red flag #3 is “a customer’s CVC address, or an address with which a customer conducts transactions, appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments, or related activity.” Blockchain analysis is required to identify this in most circumstances.
- It still isn’t clear if it’s illegal to pay ransom if the entity is not sanctioned.
But operating as a money transmitter/MSB and not registering and filing SARs violates the BSA.
The OFAC and FinCEN advisories clarify two important regulatory grey areas: (1) there are potential sanctions issues associated, and licenses probably will not be granted (2) Many of these firms will need to register with FinCEN and file SARs.
In the event you’re attacked, or working with a customer who was attacked, you should collect as much evidence as possible, such as screenshots of ransom messages you receive, and send it to the appropriate government agencies so they can learn what strain of ransomware you’ve been hit with and start formulating a response. Because effort is measured in relation to possible violations, you should work directly with law enforcement, OFAC, and FinCEN.
Chainalysis KYT customers should set alerts to be notified if their users receive or send ransomware payments and report them to their regulators and law enforcement when applicable. For more information on how to set KYT alerts, see our Knowledge Base here.
You can also report attacks to Chainalysis directly using our ransomware reporting form. The details you provide can help us collect more data on your attackers and work with law enforcement to stop them.