State of Financial Crime 2023 Report

COVID-19, Ransomware and Unexpected Financial Attacks

Financial Crime Knowledge & Training

Financial crime attacks have been on the rise for the past few months during the pandemic. One crime that’s easily overlooked while combating the usual suspects and facilitated by COVID-19 is ransomware.

COVID-19 and Ransomware

COVID-19 and ransomware are providing a uniquely beneficial environment for criminals to launch attacks, medical systems are more vital than ever and they’re notoriously easy targets for malware.

But even if we weren’t all living with COVID-19 dominating the world economy, the rate of ransomware attacks is increasing regardless. Projections suggest that by 2021 a new ransomware attack will be launched on a new business every 11 seconds, many of these attacks will be made at scale by criminals looking to exploit known software vulnerabilities.

Ransomware attacks gained prominence on the international stage in May 2017 with the infamous WannaCry attack. That incident used an exploit in Windows OS to lock users out of medical systems and hold access to data hostage.

One of the key drivers behind the WannaCry attack was that the affected computers had not updated their software in years. So while many businesses will be well guarded against those types of exploits, they are far from the only vector for ransomware attacks. Phishing and spear phishing attacks, in conjunction with other social engineering tricks, are completely viable ways for criminals to breach security and access data.

ransomware covid-19 lifecycle

Ransomware is a blight on society at the best of times. During a pandemic, it could be a complete disaster. Hospitals and medical facilities have been warned by Interpol that they’re at risk of being targeted by ransomware attackers during a time of heightened panic and communication in the medical world. Combined with a notoriety for having woefully outdated IT systems, it’s possible that medical facilities in use today are running software with a known exploit.

So why does this matter to financial institutions and anyone processing money? Often these attacks block users from accessing data, payment for access is demanded, digital payment is made and the access restored. However, now the ransomers have a significant amount of digital currency (often bitcoin) and need to liquidate it into cash and transfer it into their accounts. And to accomplish this, they’ll need to use the financial system.

FIs and related businesses need to make sure that they’re not facilitating ransomware payments. In some instances, this is a case of AML, but it can also be an issue of avoiding sanctions breaches.

Ransomware and Sanctions Breaches

Ransomware is a popular tool used by certain sanctioned countries to obtain funds. It’s especially useful for nations that have been sanctioned on multiple fronts and effectively cut out from the world economy. North Korea has been accused of doing this on several occasions, including the WannaCry attack.

It’s a lucrative endeavor, especially when carried out at a national scale. Pyongyang’s cyberattacks are innovative, effective and worth an estimated $2 billion. Examined at a distance, it’s unsurprising that a sanctioned entity would use cyberattacks to raise capital when shut out from the global market.

Malware and ransomware attacks have not seen a great deal of coverage in industry press since the pandemic began. But given that ransom payments can now be considered a sanctions breach in the correct set of circumstances, it’s worth FIs paying closer attention.

FIs should always file a suspicious activity report (SAR) when encountering a ransomware payment or request and work with the relevant FIU or FCU. Making this standard practice helps prevent information from being siloed and assists in tracking down the criminal. But allowing that transaction in the first place is rarely a simple issue.

Facilitating the payment of a ransom itself may render FIs liable for a sanctions breach. Two Iran-based individuals who were sanctioned by OFAC under the Specially Designated Nationals (SDN) list facilitated the liquidation of funds from a ransomware attack in 2016.

However, due to the perpetrators being sanctioned and the relevant digital wallet addresses being ascribed to those sanctioned individuals, it meant FIs were exposed to potential secondary sanctions. With respect to the Iran-based individuals who moved funds from bitcoin to Iranian rial, OFAC issued a statement at the time, commenting: “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”

Understanding Ransomed Funds

OFAC has previously expressed that US businesses need to know the details of who is receiving remittances, even when made to a digital wallet, a position supported by FATF’s Travel Rule. Failure to do so could result in severe penalties.

Payments due to ransomware are yet to be tested by regulators. There is a general sense of understanding that these payments are not by choice, businesses have been extorted out of their money and the FIs that assist in the payment process are simply facilitating a function for customer business operations. It’s unknown whether or not this will change, but expectations do seem to be shifting around whether or not the funds are being sent to sanctioned entities or not.

If in future FIs are compelled to know the identities of who they’re sending money to then ransomware attacks are going to take on a new level of intelligence-gathering. Making sure that compliance teams are able to devote the necessary time to researching will be key.

After a ransomware attack has been made, the ransom paid and the money liquidated it’s layered into the financial system. However, that doesn’t mean it needs to go unnoticed.

Robust transaction monitoring that’s automated means compliance officers can spend more time focused on drilling into any suspicious activity and examining who recipients of money really are.

Transaction monitoring is a common bottleneck for compliance functions. Reviewing transactions can be a laborious process and searching for patterns can be tiresome. It’s no secret that criminals are moving money in new ways and trying to camouflage in with the frenetic money movement of global financial panic. But using an automated solution will allow you to set bespoke rules for the quirk in behavior that’s different from the norm and identify which transactions are conveying illicit money.

During COVID-19 ransomware is just one vector that criminals will be using more than usual to gain criminally-obtained money. But it needs to be recognized and prepared for. Failure to do so could have extensive consequences for any financial institution.

Originally published April 22, 2020, updated November 17, 2021

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).