Ransomware attacks targeted against organizations, ranging from government departments to multinational corporations including financial institutions (FIs) and their customers, were the top cyberthreat story of 2020. For example, the Toll Group, an Australia-based logistics company, was hit not once but twice by ransomware over a three-month period. In Nevada, the Clark County School District refused to pay ransom for stolen student data that subsequently was made available online. Finally, the $20 million ransom demanded from German tech giant Software AG resulted in a forced shutdown of all internal systems and a significant data leak for the company.1
Ransomware attacks have been getting more sophisticated and expensive; they target every sector of society and are a source of data leaks when the ransom is paid. However, ransom payments only fuel the never-ending cycle of cybercrime, encouraging more attacks and more bad actors.
In light of the events of this past year, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) released advisories signalling greater government enforcement efforts and attention to the ransomware problem.
Issued on October 1, 2020, the OFAC advisory highlighted the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. The surge in ransomware payments during the height of the COVID-19 pandemic called for a strong advisory to those who facilitate such payments to cyber actors on behalf of victims, including FIs, cyber insurance firms and companies involved in digital forensics and incident response.2 FinCEN, too, published an advisory on this date, on the importance of reporting attacks as well as sharing information and red flags around ransomware attacks and ransom payments to bring awareness to financial organizations.3
This unified advisory messaging removes any ambiguity on the U.S.’ commitment to fighting ransomware attacks. At the forefront of the action is a two-pronged approach: concentration on sanctions enforcement and the role of FIs in identifying and preventing, when appropriate, wire transfers, virtual currency exchanges and any transactions related to ransomware payments.
Ransomware payments to designated people or entities are viewed as a clear threat to the U.S.’ national security interests. With that threat as the focus, violations have traditionally resulted in fines and other appropriate enforcement penalties. However, with these new advisories, “OFAC warns that it may impose civil penalties under a strict liability standard for violations, meaning OFAC may impose civil penalties regardless of whether the person processing the payment knew or should have known that it was engaging in a transaction prohibited under sanctions laws.”4
FinCEN’s advisory is both broad and specific. “Detecting and reporting ransomware payments are vital to prevent and deter cybercriminals from deploying malicious software to extort individuals and businesses and hold ransom attackers accountable for their crimes.” FIs should ensure the appropriate red flag indicators are in place to detect, prevent and report suspicious transactions associated with ransomware attacks. They should develop protocols for suspicious activity reports (SARs) related to ransomware and ransomware payments as well as look at their incident response plans to address any issues that may arise with ransomware.5
The Scale of the Problem
At present, the ransomware threat landscape is dominated by cybercriminal entities that target organizations in attacks that both knock out a victim’s IT and steal data from the victim. If the victim is not forthcoming in paying the ransom, this data is posted to a public blog, and further extortion pressure is applied on the victim to coerce a ransom payment. As mentioned earlier in the Nevada Clark County School District (CCSD) case, this tactic of data exfiltration and extortion put pressure on the CCSD to pay a large sum of money to ensure the safety of student data. The CCSD declined and the threat actors posted the data on the Maze ransomware group’s leak site.6 This particular tactic can be traced back to Maze, first discovered in 2019, whose public disclosures of stolen data changed the cybercrime landscape.
Many of these threat actors operate from within nations that are already sanctioned by the U.S. OFAC has designated several cybercriminal and state-linked threat actor groups, including entities operating from Russia, North Korea and Iran. Just over one year ago, OFAC issued a statement that sanctioned “Evil Corp,” which operates out of Moscow and is notoriously known for the development and distribution of the Dridex and WastedLocker malware strains.7
Taking a closer look at the nations in which cybercriminals set up shop, the predictable choice is countries with weak anti-money laundering (AML) laws and controls. The sheer geographic scale of the issue, coupled with the expertise of such groups, makes prosecution increasingly challenging. For instance, criminal groups demand ransom payments in convertible virtual currency (CVC), then layer the proceeds through money services businesses and peer-to-peer exchanges across many accounts, shielding the extortionist from being identified, captured and prosecuted.
Taken together, the OFAC and FinCEN advisories and the scale of the problem paint a complex picture for financial organizations and cyber insurance firms. The role of “ransomware response and facilitation companies” is also likely to receive additional scrutiny due to the OFAC and FinCEN advisories. It is now clear that the heightened attention to this well-organized cooperative criminal behavior is a direct call to action by the U.S. government.
The following are emerging vital questions and points:
- The OFAC and FinCEN advisories elevate payment of ransoms in the broader context of a bank’s know your customer (KYC), beneficial ownership and due diligence programs. The FinCEN advisory identifies 10 red flag indicators for FIs to look for as part of their risk-based approach.
- The time-coordinated release of these two advisories signals to FIs that it is time to consider reorganizing AML, cyber and fraud programs. Fragmented collecting and sharing of data, segmented transaction monitoring (TM), uncoordinated case management and inefficient sanctions management result in operational gaps in addressing ransomware and other salient risk issues. Consolidating leadership roles and refining the span of control across these functions may be considered to increase efficiency.
- Regardless of size or geographic location, financial services organizations should avail themselves of threat intelligence information pertaining to this and other cyber-related threats and criminals.
- The advisories highlight cyber insurance companies as potential facilitators of ransom payments. It has been mooted anecdotally that paying the ransom may be a cheaper alternative than suffering the consequences of rebuilding from scratch (accounting for lost business and reputational damage). Thus, cyber insurers are inclined to recommend this to policyholders. The policy dynamic around this equation could be very complicated to work out.
- Considering the nature of the threat actors—the recipient of payment—is essential. Only a small subset of the criminal groups currently active in ransomware attacks—notably Evil Corp—are subject to U.S. sanctions. Over time, indictments and sanctions are likely to be placed on more ransomware operators. Connecting these cybercriminal groups to terrorist financing, international criminal cartels and money laundering would significantly advance the global battle against this illegal activity and corruption.
- It is generally hard to know who is being paid. The victim organization and supporting companies may not have confident attribution on the ransomware operator in question, which could cause issues in interpreting documentation like the recent OFAC advisory in a sanctions context. Collaboration between criminal groups is standard, and payment to one ransomware operator may indirectly benefit another (potentially sanctioned) entity.8
- It is not certain whether historical payments made to ransomware operators could be retroactively assessed under current and future OFAC and/or FinCEN guidance. For example, the Garmin attack―in which the company reportedly made a multi-million-dollar payment to Evil Corp―could serve as a critical case study for payments being made, but nothing has been determined yet.9
- Further complications will arise where ransomware is used by state-affiliated actors as opposed to criminal ones. The WannaCry and NotPetya destructive attacks, attributed by the U.S. and United Kingdom governments to North Korea and Russia respectively,10 set a precedent for this type of attack.
As the international banking community responds to the recent OFAC and FinCEN advisories, one clear path to complying with the advisories and regulatory mandates is for FIs to examine their present technological detection and reporting models to ensure they are properly capturing and addressing the behavior related to ransomware threats and demands. This review should include TM, KYC, due diligence, case management and sanctions.
Whether a more aggressive policy designed to prevent ransom payment works as a mechanism to stop this threat is unclear. Still, the recent OFAC and FinCEN advisories are a significant first step toward this. Moreover, FinCEN’s advisory reinforced the importance of reporting ransomware incidents and sharing intelligence around them because a better-shared understanding of ransomware operations is vital to preventing and pursuing the cybercriminal entities responsible.
Submitting SARs, exchanging information with other FIs under section 314(b) of the USA PATRIOT Act, increasing communication with law enforcement, initiating interaction with regulators and ensuring internal communication across operational silos are immediate response actions that can be put into practice today.
The ransomware threat continues to grow and will undoubtedly persist in its current form in 2021 and beyond.
Ultimately, the best strategy for organizations to protect against ransomware attacks should start with key elements of cybersecurity hygiene and controls:
- Ensure timely patching of any critical vulnerabilities in external-facing infrastructure (e.g., web servers, virtual private network infrastructure)
- Use multi-factor authentication where possible on vulnerable services (e.g., Remote Desktop Protocol for remote access)
- Reinforce phishing awareness through regular training exercises
These measures should be coupled with business resiliency and continuity plans. Having appropriate backups, using the 3-2-1 rule (three different copies of any important file on two different media types with one copy stored offsite),11 keeping offline backups, testing restores and exercising the response to a ransomware attack are essential measures.
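The backup guidance above is easy to state and easy to get subtly wrong: three copies that all sit on the same disk technology, all in the same building and all reachable from the production network satisfy the letter of "three copies" while leaving nothing a ransomware operator with network access cannot encrypt. The following Python check, added here as an illustration and not part of the article or of any vendor's tooling, evaluates a backup inventory against the 3-2-1 rule and against the separate offline-copy recommendation. It assumes the live production copy counts as one of the three copies (the usual reading of the rule), and the `BackupCopy` fields and the sample plans are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. Assumed field set for this example."""
    label: str       # human-readable name
    medium: str      # media type, e.g. "disk", "tape", "object-storage"
    location: str    # "onsite" or "offsite"
    offline: bool    # True if unreachable from the production network when idle


def evaluate_backup_plan(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Return rule name -> pass/fail for 3-2-1 plus an offline-copy check.

    The primary (live) copy is included in `copies` and counts toward the
    three-copy total, matching the US-CERT description of the rule.
    """
    media_types = {c.medium for c in copies}
    offsite = [c for c in copies if c.location == "offsite"]
    offline = [c for c in copies if c.offline]
    return {
        "three_copies": len(copies) >= 3,       # "3": at least three copies
        "two_media": len(media_types) >= 2,     # "2": on two media types
        "one_offsite": len(offsite) >= 1,       # "1": one copy offsite
        "offline_copy": len(offline) >= 1,      # article's extra: an offline copy
    }


def failing_rules(copies: List[BackupCopy]) -> List[str]:
    """Names of the rules the plan does not meet, in evaluation order."""
    return [rule for rule, ok in evaluate_backup_plan(copies).items() if not ok]


def plan_is_resilient(copies: List[BackupCopy]) -> bool:
    """True only when every rule, including the offline-copy check, passes."""
    return not failing_rules(copies)


# Constructed sample: three copies, but all on disk, all onsite, all online.
# This is the layout that looks like a backup plan and is wiped by one intrusion.
WEAK_PLAN = [
    BackupCopy("primary file server", "disk", "onsite", offline=False),
    BackupCopy("nightly NAS replica", "disk", "onsite", offline=False),
    BackupCopy("hourly snapshot on NAS", "disk", "onsite", offline=False),
]

# Constructed sample: satisfies 3-2-1 and keeps an offline tape copy.
GOOD_PLAN = [
    BackupCopy("primary file server", "disk", "onsite", offline=False),
    BackupCopy("weekly tape, vaulted", "tape", "onsite", offline=True),
    BackupCopy("daily cloud object copy", "object-storage", "offsite", offline=False),
]


if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("good", GOOD_PLAN)):
        gaps = failing_rules(plan)
        status = "resilient" if not gaps else "gaps: " + ", ".join(gaps)
        print(f"{name} plan: {status}")
```

The offline check is deliberately separate from the three 3-2-1 counters: an offsite cloud copy that the backup server writes with standing credentials is offsite but not offline, and a tape in a vault is offline but may still be onsite. Both properties are needed for the plan to survive an intruder who already holds the backup server's credentials, which is why the function reports each rule individually rather than a single pass/fail.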
Robert Goldfinger, CAMS, Capt. CID (Ret), director global financial crimes solutions expert, BAE Systems Applied Intelligence, Raleigh, NC, USA, firstname.lastname@example.org
- Arielle Waldman, “10 of the biggest cyber-attacks of 2020,” Search Security, January 5, 2021, https://searchsecurity.techtarget.com/news/252494362/10-of-the-biggest-cyber-attacks
- “Ransomware Advisory,” U.S. Department of the Treasury, October 1, 2020, https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001; “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Department of the Treasury, October 1, 2020, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
- “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” Financial Crimes Enforcement Network, October 1, 2020, https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf
- “New Ransomware Advisories from OFAC and FinCEN Create Additional Challenges for Financial Institutions,” JDSUPRA, January 7, 2021, https://www.jdsupra.com/legalnews/new-ransomware-advisories-from-ofac-and-8077534/
- Arielle Waldman, “Surge in ransomware attacks threatens student data,” Search Security, October 5, 2020, https://searchsecurity.techtarget.com/news/252490094/Surge-in-ransomware-attacks-threatens-student-data
- “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” U.S. Department of the Treasury, December 5, 2019, https://home.treasury.gov/news/press-releases/sm845
- Alexander Martin, “Garmin ‘paid multi-million dollar ransom to criminals using Arete IR’, say sources,” Sky News, August 3, 2020, https://news.sky.com/story/garmin-paid-multi-million-dollar-ransom-to-criminals-using-arete-ir-say-sources-12041468
- “US Attributes WannaCry 2.0 to North Korea,” Office of the Director of National Intelligence, December 19, 2017, https://www.dni.gov/index.php/ctiic-newsroom/item/1828-us-attributes-wannacry-2-0-to-north-korea; “Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack,” National Cyber Security Centre, February 14, 2018, https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
- Matthew A. Heckathorn and Paul Ruggiero, “Data Backup Options,” United States Computer Emergency Readiness Team, 2012, https://us-cert.cisa.gov/sites/default/files/publications/data_backup_options.pdf