FATF Urges Countries to Take Immediate Steps to Identify and Disrupt Ransomware Financial Flows

On February 22-24, the second Financial Action Task Force (FATF) plenary under the two-year Singapore Presidency of T. Raja Kumar took place. A core focus was the increasing scale and number of ransomware attacks, with particular attention to the misuse of virtual assets (VAs), which allows criminals to escape undetected with large amounts of money.

Other discussions at the plenary centered around:

  • Changes to the grey list
  • Suspending the membership of the Russian Federation
  • Improving the transparency of beneficial ownership
  • Improving awareness and understanding of the risks associated with the art and antiquities markets
  • The FATF Vice Presidency (2023-2025)

Focus on Cybercrime

In November 2022, the Financial Crimes Enforcement Network (FinCEN) published a Financial Trend Analysis report on ransomware trends in Bank Secrecy Act (BSA) data between July 2021 and December 2021. The analysis found that reported ransomware-related incidents had increased by over 50% from 2020. Furthermore, research from AAG found that US organizations accounted for 47% of ransomware attacks in 2022.

To counter illicit finance related to cyber-enabled crime more effectively and better understand the challenges at large, the FATF announced it had completed research analyzing the methods criminals use to carry out their ransomware attacks and how the ransom payments are laundered. While the full report will be issued in March 2023, the FATF provided the following guidance for authorities to help them tackle the laundering of ransomware payments:

  • Build on and leverage existing international cooperation mechanisms
  • Develop the necessary tools and skills to collect key information quickly, trace nearly instantaneous virtual transactions, and recover VAs before they dissipate
  • Extend collaboration beyond traditional counterparts to include cyber-security and data protection agencies

In light of the upcoming report, the FATF also agreed to create a roadmap to strengthen the implementation of FATF Standards on VAs and virtual asset service providers (VASPs). A review will take place regarding the current levels of implementation across the global network. The FATF aims to report back on its stocktake during the first half of 2024.

Identifying and Disrupting Ransomware

When presenting its 2022-2024 objectives in July 2022, the FATF noted that many jurisdictions are finding it challenging to stop or contain cyber-enabled schemes. Our 2022 and 2023 global compliance surveys echo this challenge, with cybercrime emerging as the top predicate offense of concern for compliance teams two years in a row.

[Figure: Cybercrime top predicate offence concern]

As ransomware tactics continue to evolve and diversify, firms should implement robust cybersecurity controls alongside business continuity and resiliency plans, strengthen their cyber defenses, and practice good cyber hygiene. Additionally, compliance teams should ensure they are familiar with the ransomware typologies identified by FinCEN in its November 2021 advisory and calibrate their internal controls accordingly. These popular trends and typologies include:

  • Extortion schemes that involve cybercriminals threatening to publish or sell stolen data if the victim does not pay the ransom
  • “Fileless” ransomware, where malicious code is written to a computer’s memory rather than into a file on a hard drive, which allows cybercriminals to circumvent off-the-shelf antivirus and malware defenses
  • “Big Game Hunting” schemes, where larger enterprises are targeted and bigger payouts are demanded
  • Using unregistered convertible virtual currency (CVC) mixing services to protect illicit gains and obfuscate illicit activities by “breaking” the connection between the sender and the receiver of the transaction
  • Utilizing anonymity-enhanced cryptocurrencies (AECs) to reduce the transparency of CVC financial flows
  • Ransomware criminals forming partnerships and sharing resources through ransomware-as-a-service (RaaS) business models

Key Takeaways

Compliance staff should ensure they keep up-to-date with the FATF’s upcoming ransomware guidance, paying close attention to the list of risk indicators that will help public and private sector entities detect suspicious activities related to cybercrime. Additional FATF guidance due to be published in March includes a document aimed at helping firms implement revised beneficial ownership requirements to stop shell companies from being “a safe haven for illicit proceeds with links to crime or terrorism.”

When filling out suspicious activity reports (SARs) related to ransomware, FinCEN reminds compliance staff to include the key term “CYBERFIN-2021-A004” and select SAR field 42 (Cyber Event).

To learn more about the key takeaways from February’s plenary session, read our coverage here.

Originally published 02 March 2023, updated 12 April 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).