22nd October 2021

Ransomware-related SAR Filings Soar: FinCEN Report

New guidance issued by the Financial Crimes Enforcement Network (FinCEN), the Financial Intelligence Unit (FIU) of the United States, tackles the convergence of ransomware, cryptocurrencies, money laundering, and terrorist financing.

The Financial Trend Analysis focuses on patterns and trends in the first half of 2021 and explores data on suspicious activity reports (SARs) filed by financial institutions to FinCEN. It follows the launch of the agency’s priorities for AML/CFT policy in June, which highlighted ransomware as an acute cybercrime concern.

The analysis provides important insight into the growing global threat of ransomware for compliance teams.

The report notes rapid growth in the number of ransomware-related SARs filed between January and June, with 635 SARs filed and 458 transactions reported, a 30% increase from the 487 SARs filed for the whole of 2020. The total value of suspicious activity reported in ransomware-related SARs during the first half of 2021 was $590m – up from $416m for the whole of 2020.

FinCEN identifies six main money laundering typologies attributed to ransomware variants in 2021. Firms will want to ensure their alert thresholds are appropriately set to detect them:

  • Threat actors increasingly requesting payments in anonymity-enhanced cryptocurrencies (AECs)
  • Threat actors avoiding the reuse of wallet addresses
  • Centralized convertible virtual currency (CVC) exchanges are preferred cash-out points
  • ‘Chain hopping’ (converting a CVC into a different CVC at least once before moving funds to another service or platform) used to obscure financial trails on blockchains
  • Prevalence of mixing services (websites or software designed to conceal the source or owner of CVC)
  • Decentralized exchanges used to convert illicit proceeds

FinCEN also calls out Bitcoin as the most common ransomware-related payment method in reported transactions.

Recommendations to detect and mitigate cybersecurity concerns such as ransomware include: incorporating indicators of compromise (IOCs) from threat data sources into intrusion detection and security alert systems; contacting law enforcement immediately when any activity related to ransomware is suspected; highlighting cyber event indicators such as suspicious email addresses, file names, hashes, domains and IP addresses; and reviewing FinCEN’s advisory on financial red flag indicators of ransomware.

Rogue states such as North Korea have been using cryptocurrencies to commit cyber-attacks and financial crimes globally. It is believed the country is behind a growing number of thefts targeting major crypto exchanges, as well as ransomware attacks where the demanded payment is in cryptocurrency. In February, US authorities announced that three North Korean hackers had been indicted for stealing or extorting more than $1.3bn in cash and cryptocurrency from financial institutions and companies.

Preventative action in Asia Pacific

Countries throughout Asia Pacific have been tightening their regulatory and reporting practices to try to address the threat of ransomware.

In September, the Australian Cyber Security Centre reported a 15% increase in ransomware reports in 2020-21, with cyber ransoms becoming “one of the most significant threats to Australian organizations”.

The following month, the country launched its Ransomware Action Plan, setting out a comprehensive strategy to target criminals, including through new criminal charges (such as the buying or selling of malware for computer crimes) and by allowing authorities to seize digital currencies linked with ransomware payments and freeze accounts. Companies with an annual turnover of more than $10m that are hit by ransomware will also be forced to report the incident.

Meanwhile, the Monetary Authority of Singapore has produced guidance aimed at Strengthening AML/CFT Controls of Digital Payment Token Service Providers.

In October, representatives from 32 countries, including Australia, New Zealand, Japan, South Korea, and Singapore, attended a virtual Counter Ransomware Initiative Meeting hosted by the White House National Security Council to discuss “the escalating threat ransomware poses to the global community”.

An agreement was signed to consider a range of urgent actions — including diplomacy, resilience, countering illicit finance, disruption, and other law enforcement efforts — to protect states from the threat of ransomware. A joint statement acknowledged ransomware as “one of the most significant cyber threats” with “serious economic and security consequences”.


Copyright © 2021 IVXS UK Limited (trading as ComplyAdvantage).