Risks in Paying Ransoms

Recent Fincen and OFAC Advisories Highlight Risks in Paying Ransoms

Executive summary

The FinCEN and OFAC advisories offer a warning to all those providing ransomware response services or insurance coverage for ransomware payments. The industry must ensure that:

• Ransomware payments are legally facilitated by a Treasury registered Money Service Business.
• With each ransom paid a report is filed with FinCEN.
• Prior to facilitating payment, a robust OFAC due diligence is performed based on a risk framework. A comparison of wallets to those specifically designated by OFAC is inadequate.

The advisories

When faced with a ransomware attack victim companies need certainty and confidence in the guidance issued by their response service providers. The new advisories by FinCEN and OFAC serve as clear reminders that ransomware response requires close compliance with regulatory frameworks. This includes legal transmission of funds as regulated by the Treasury, notification to law enforcement bodies and the performance of due diligence and OFAC risk assessments.

On October 1, 2020, the United States Department of the Treasury’s Office of Terrorism and Financial Intelligence issued, through the Treasury’s Financial Crimes Enforcement Network (FinCEN) and its Office of Foreign Assets Control (OFAC), two advisories on the implications of payments made or facilitated by U.S. entities in response to ransomware attacks.

FinCEN advisory summary

The advisory issued by FinCEN, entitled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, highlighted the role played by digital forensic incident response (DFIR) companies in ransomware payments, and underscored the importance of ensuring these vendors are legally transmitting funds. Crucially, this includes having an established framework for the reporting and sharing of information related to ransomware attacks through facilitating ransom payment with a registered Money Service Business (MSB).

Using a Treasury-registered MSB ensures legal money transmission if a victim decides it must pay a ransom.

An often-overlooked part of the ransomware payment process is how the digital assets or convertible virtual currency (CVC) is facilitated. FinCEN’s advisory addressed companies that provide protection and mitigation services to victims of ransomware attacks, including DFIR and cyber insurance companies that facilitate ransomware payments to cyber-criminals. More specifically, FinCEN addresses the common practice of DFIR providers directly receiving customers’ fiat money and exchanging it for CVC, before transferring the CVC to criminal-controlled accounts. FinCEN advises that, “(d)epending on the particular facts and circumstances, this activity could constitute money transmission.” Accordingly, those facilitating CVC transfers for victims should be registered with FinCEN. By using a Treasury-registered MSB, insurance carriers and victim companies have the assurance that the CVC is legally transmitted, as the service provider abides by the Bank Secrecy Act and anti-money laundering laws in transmitting funds.

The advisory also clarified that entities acting as a money services business must file suspicious activity reports (SARs). By emphasizing this, FinCEN draws attention to the under-reporting of ransomware-related activity. It can be inferred that 1) MSBs are presently not being used to transmit funds, and 2) SARs are currently not being filed regularly, much to the detriment of law enforcement. The collateral damage of the failure to report this information to FinCEN is a lack of intelligence at government level, which impacts its ability to set appropriate policies and thwart future attacks. The filing of SARs is presented as a means of protecting not only individual organizations, but also the U.S. financial system from ransomware threats.

FinCEN highlights the fact that the information and technical indicators included in a SAR can be extremely valuable for law enforcement investigations. These indicators include “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, login information with location and timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications.”

To ensure legal money transmission in ransomware extortion payments and the compliant sharing of intelligence with the Treasury, victim companies and their insurance carriers should insist on the use of MSB to facilitate the payment.

OFAC advisory summary

The OFAC advisory has a slightly different focus, though it carries a similar message. It cautions and reminds victims of ransomware attacks, cyber insurance companies and ransomware-related services providers that paying a ransom bears the risk of violating U.S. sanction laws. The payment of ransoms in violation of sanctions significantly undermines the objectives of the U.S. sanctions programs.

OFAC makes it exceptionally clear that pressing circumstances faced in a ransomware incident do not relieve victims of their obligations to comply with sanctions, and that these obligations apply to every party in the payment chain. The includes ransomware victims as well as to companies “involved in facilitating ransomware payments on behalf of victims,” such as “cyber insurance, digital forensics and incident response, and financial services” companies, including “depository institutions and money services businesses.” This should not come as a surprise to many who operate in this space, but rather serves as a healthy reminder of the importance of partnering with a DFIR consultant who has a mature and robust compliance framework in place.

The Kivu difference

Kivu understands the gravity of the situation and in 2019 invested in becoming an MSB, as well as strengthening our due diligence processes and OFAC risk assessment framework. As consultants, we offer full-service analysis and remediation and advise that paying a ransom is only an option when there is no alternative available and when it is legally permissible. In order to do this, we use a cryptocurrency investigation tool called Chainalysis to analyze the blockchains involved in a transaction and to identify potential red flags. We also use malware analysis and threat intelligence research to track, study, and identify risk factors associated with different malware variants. All this information is valuable intelligence for law enforcement, and we regularly share our findings with local and federal bodies.

Our regulatory program includes compliance with the Bank Secrecy Act, anti-money laundering laws, FATF red flags, as well as an OFAC risk assessment framework. This means our clients can always rest assured that we – and by extension, they – comply with U.S. law with regard to ransom payments. It is all part of our commitment to provide the best DFIR services in the market.

If you want to find out more about what sets our incident response and remediation services apart from the rest, email us at info@kivuconsulting.com – we’d love to talk.