Wipfli logo

Manpower (DMark Group, Inc.)


A FinCEN update on ransomware attacks

Jan 27, 2022

The severity and sophistication of ransomware attacks continue to rise across various sectors — particularly governmental entities and financial, educational and healthcare institutions. Weak cybersecurity controls, inadequate system backups and ineffective incident response capabilities make these institutions highly vulnerable.

Ransomware has played a role in a variety of significant breaches over the past year, including one that led to widespread gasoline shortages because of the cyberattack on the Colonial pipeline.

The FBI defines ransomware as a type of malicious software designed to block access to a computer system until a sum of money is paid. A person can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link or even visiting a website that's embedded with malware.

In May 2021, a cybercriminal group perpetrated the attack that disrupted Colonial Pipeline, the largest U.S. pipeline for refined oil products. The FBI subsequently attributed the attack to a Russian-speaking group known as DarkSide, which developed ransomware for a criminal organization that then perpetrated the attack.

This other criminal organization transferred a portion of the ransom proceeds to DarkSide as payment for the development of the ransomware. Unlike other ransomware results, the FBI successfully seized criminal proceeds from a bitcoin wallet that DarkSide ransomware actors used to collect a ransom payment from the victim.

On a smaller scale, the Illinois Attorney General’s Office experienced a ransomware breach in April 2021 that crippled the agency and potentially exposed gigabytes of personal and confidential records. While no ransom was paid to the Russian-based cybercriminals, the agency has spent at least $2.5 million to manage the crisis.

The methods employed by perpetrators are getting more sophisticated as the potential risks and financial losses skyrocket. The most recent advisory update (FIN-2021-A004) by the Financial Crimes Enforcement Network (FinCEN) issued on November 8, 2021, identified new trends and types of ransomware and associated payments. It served as an update to its October 1, 2020, advisory Ransomware and the Use of the Financial System to Facilitate Ransom Payments (FIN-2020-A006).

Risks for the financial sector

  • Ransomware attacks are a growing concern for the financial sector because of the critical role financial institutions play in the collection of ransom payments. Processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more entities directly or indirectly facilitating victim payments, including money services businesses (MSBs).
  • Most ransomware schemes involve the preferred method of payment: convertible virtual currency (CVC) such as bitcoin.
  • Following the delivery of the ransom demand, a ransomware victim will typically transmit funds via wire transfer, automated clearing house (ACH) or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator.
  • Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address. The perpetrator then launders the funds through various means — including mixers, tumblers and chain hopping — to convert funds into other CVCs. Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and an address receiving CVC. Chain hopping is a cross-virtual-asset-layering technique for users to conceal criminal behavior.

These transactions may be structured into smaller transactions involving multiple people and across many different CVC addresses, accounts and exchanges, including peer-to-peer (P2P) exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering and countering the financing of terrorism (AML/CFT) controls.

Affected entities may utilize the services of a digital forensic and incident response (DFIR) company to facilitate the payment of the ransom. DFIRs may act as an intermediary and directly receive the victim’s ransom payment via wire or ACH, exchange the funds for CVC and transfer the CVC to the criminal-controlled account.

Depending on the particular facts and circumstances, this activity could constitute money transmission. Entities engaged in MSB activities (such as money transmission) are required to register as an MSB with FinCEN and are therefore subject to BSA obligations, including filing of suspicious activity reports (SAR). Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.

DFIR advisory

Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity. On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities.

DFIRs are seeking out financial institutions to conduct these payment transactions. DFIRs may be identified as part of the due diligence collected at time of account opening or through transaction monitoring. Financial institutions should be on the lookout for unregistered DFIRs.

The advisory issued the following red flags to assist financial institutions in detecting, preventing and reporting suspicious transactions, along with identifying potential DFIRs or victims of ransomware:

  • A financial institution or its customer detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic or file information.
  • When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
  • A DFIR or CIC customer receives funds from a counterparty and, shortly after receipt of funds, sends equivalent amounts to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
  • A customer that has limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
  • A customer that has not identified itself to the CVC exchanger or registered with FinCEN as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
  • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking or known to have inadequate AML/CFT regulations for CVC entities.

The advisory also emphasizes the financial institution’s Suspicious Activity Report (SAR) filing responsibilities when dealing with an incident of ransomware conducted by, at or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware attacks.

Reportable activity can involve transactions, including payments made by financial institutions, and can include criminal activity like extortion and unauthorized electronic intrusions that damage or disable critical systems.

SAR obligations apply to both attempted and successful transactions, including both attempted and

successful initiated extortion transactions. The advisory also provides SAR completion guidelines which that will inform FinCEN of this crime typology, including the use of the keyword CYBER-FIN-2021-A004 in applicable areas.

How Wipfli can help

Detecting and reporting ransomware payments are vital to holding ransomware attackers accountable for their crimes and preventing the laundering of ransomware proceeds. Wipfli is a trusted partner to assist your financial institution in identifying and preventing potential ransomware attacks. Contact us for help.

Related content:


Robin Guthridge, CAMS, CRCM
Director, Compliance
View Profile