QUESTION
We are a large mortgage lender in the northeast. I am the Chief Compliance Officer. We have multiple platforms, are licensed in all states, and maintain an extensive servicing unit.

Jonathan, thank you for the weekly posts. And we are grateful that you provided the ransomware checklist. Most companies would make us pay for this kind of checklist, but you offered it for free. That is real commitment! And it has helped us to configure our ransomware security.

Recently, we learned that another large lender was hit with a ransomware attack. The attacker wants to be paid in cryptocurrency. Admittedly, we are unprepared to respond to such a demand if it happens to us. Frankly, I don’t know how cryptocurrency even works in ransomware attacks. So, we are coming to you to get an understanding.

What role does cryptocurrency play in ransomware attacks?
ANSWER
First and foremost, thank you for subscribing. Our posts are a labor of love and an expression of our commitment to the mortgage community. HERE’s a list of some recent FAQs.

I also appreciate that you are using our ransomware checklist. It covers preparation, response, and recovery. If anyone wants it, please click HERE. It’s free.

I suppose we could be paid for some of the tools we provide, but our mission is to serve and share. It is certainly possible to grow a compliance firm without having to charge for every single thing we do. We are the living proof of that philosophy!

Lenders Compliance Group has been thriving and growing since 2006. It is strong and continuing to scale because we are focused on our clients’ compliance experience. Our goal is to help a company build and maintain a Culture of Compliance®, a term we have pioneered for many years.

Our team consists of some of the top professionals in mortgage compliance. Believe me, it makes a difference!
Ransomware is an escalating concern for federal and state regulators. If you are not ready for a ransomware examination, be advised: it is on the way. Financial institutions can play a critical role in the collection of ransom payments. In effect, an institution becomes a facilitator of ransomware payments, whether it is handling its own response to a ransomware attack or acting as a financial intermediary for a victim.

The severity and sophistication of ransomware attacks continue to rise[i] across various sectors, particularly governmental entities and financial, educational, and healthcare institutions.[ii] Ransomware attacks on small municipalities and healthcare organizations have increased, likely because these victims tend to have weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.[iii]

So, let’s take a closer look at ransomware payments, especially as they relate to cryptocurrency. Most ransomware schemes involve convertible virtual currency (CVC), the payment method preferred by ransomware perpetrators. You might as well get used to this terminology, because CVC is inherent in ransomware payments. The payment process is a bit complicated, so stay with me as I walk through it.
Let me outline a typical ransomware payment flow using CVC. After the ransom demand is delivered, the victim will usually transmit funds via wire transfer, automated clearinghouse (ACH), or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the perpetrator. Next, the victim, or an entity working on the victim’s behalf, sends the CVC, often from a “wallet” hosted at the exchange,[iv] to the perpetrator’s designated account or CVC address.
Then, the perpetrator launders the funds through various means, including “mixers,” “tumblers,”[v] and “chain hopping,”[vi] to convert the proceeds into other CVCs. These transactions are often structured into smaller “smurfing”[vii] transactions involving multiple persons and spread across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P)[viii] and “nested” exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism (CFT) controls.

That is a brief but serviceable outline of the payment process.
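To make the flow concrete, here is a small Python model, added to this post as an illustration and not drawn from any FinCEN or OFAC material. It builds a constructed ledger that follows the four steps above (exchange purchase, payment to the perpetrator, smurfing, chain hopping), then shows two things a compliance or DFIR team cares about: a forward trace from the ransom address that dead-ends once the funds hop chains, and a crude structuring check that flags the fan-out of sub-threshold transfers. The address names, amounts, and the threshold and window values are assumptions chosen for the example.

```python
"""Model of the CVC ransom payment flow described above and a crude structuring check.

Added illustration, not part of the original post. The ledger is constructed for
this example; the address names, threshold and window values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str      # ledger the transfer is recorded on, e.g. "BTC" or "XMR"
    src: str        # sending address
    dst: str        # receiving address
    amount: float   # amount in that chain's native unit
    ts: int         # minutes after the ransom demand (constructed timeline)


def ransom_flow(ransom_btc: float, parts: int) -> list[Transfer]:
    """Constructed ledger reproducing the four steps in the post:
    exchange purchase, payment to the perpetrator, smurfing, chain hopping."""
    ledger = [
        # 1. victim wires fiat to an exchange and buys BTC into a hosted wallet
        Transfer("BTC", "exchange_hot_wallet", "victim_hosted_wallet", ransom_btc, 60),
        # 2. victim (or a DFIR firm acting for it) pays the designated address
        Transfer("BTC", "victim_hosted_wallet", "perp_ransom_addr", ransom_btc, 90),
    ]
    piece = round(ransom_btc / parts, 8)
    for i in range(parts):
        # 3. smurfing: fan the proceeds out into many smaller transfers
        ledger.append(Transfer("BTC", "perp_ransom_addr", f"perp_layer_{i}", piece, 100 + i))
        # 4a. chain hopping: each layer address deposits at a swap service ...
        ledger.append(Transfer("BTC", f"perp_layer_{i}", f"swap_deposit_{i}", piece, 150 + i))
        # 4b. ... which pays out on a different chain; nothing on-ledger links 4a to 4b
        ledger.append(Transfer("XMR", f"swap_payout_{i}", f"perp_xmr_{i}", piece * 0.98, 200 + i))
    return ledger


def trace_forward(ledger: list[Transfer], start: str, chain: str) -> set[str]:
    """Follow funds from `start` across one chain's ledger and return every
    address reached. The trace dies at the swap deposits: that break is the
    whole point of chain hopping."""
    reached, frontier = set(), [start]
    while frontier:
        addr = frontier.pop()
        for t in ledger:
            if t.chain == chain and t.src == addr and t.dst not in reached:
                reached.add(t.dst)
                frontier.append(t.dst)
    return reached


def flag_structuring(ledger: list[Transfer], threshold: float, window: int, min_count: int) -> dict:
    """Crude smurfing heuristic: flag a source that makes at least `min_count`
    transfers, each below `threshold`, within `window` minutes. Returns
    {source: count}. Threshold and window are assumed values, not regulatory ones."""
    small = defaultdict(list)
    for t in ledger:
        if t.amount < threshold:
            small[t.src].append(t.ts)
    flagged = {}
    for src, times in small.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            # advance j to the first transfer outside the window that starts at times[i]
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= min_count:
                flagged[src] = j - i
                break
    return flagged


if __name__ == "__main__":
    ledger = ransom_flow(ransom_btc=5.0, parts=10)
    print(sorted(trace_forward(ledger, "perp_ransom_addr", "BTC")))
    print(flag_structuring(ledger, threshold=1.0, window=30, min_count=5))
```

Running it flags perp_ransom_addr with ten sub-threshold transfers inside a 30-minute window, while the single 5 BTC victim payment is not flagged, and the BTC trace reaches all ten swap deposits but none of the XMR payout addresses. Real blockchain-analytics tooling does far more (address clustering, exchange attribution), but the shape of the problem, and of the evidence you would attach to a SAR, is the same.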
But your company should ensure that it has a ransomware policy that covers the payment concerns and their many derivative repercussions. These other aspects and nuances are where your responsibilities as a compliance manager should also be focused.
For instance, cyber insurance companies (CICs) and digital forensic and incident response (DFIR) companies play a role in ransomware transactions. CICs issue policies designed to mitigate an entity’s losses from various cyber incidents, such as data breaches, business interruption, and network damage. CICs may reimburse policyholders for particular remediation services, including the use of DFIR firms if needed. Indeed, as part of incident remediation, some financial institutions have hired a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal, and investigate the source of the breach.

Some DFIR companies and CICs facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission under the Bank Secrecy Act.
Of course, FinCEN does not hesitate to take action against entities and individuals engaged in money transmission if they fail to register with FinCEN or comply with their other AML obligations.

Financial institutions involved in ransomware payments should also be aware of any Office of Foreign Assets Control (OFAC) obligations that may arise from that activity.[ix] On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities.[x] Notably, OFAC may impose civil penalties on a strict-liability basis, meaning a payer can be held liable even if it did not know the recipient was a sanctioned person; screening the perpetrator’s designated CVC address against OFAC’s Specially Designated Nationals list before any payment is made therefore belongs in your policy. Additionally, in October 2021, OFAC issued sanctions compliance guidance for the virtual currency industry. That guidance provides an overview of critical items such as reporting instructions, consequences of non-compliance, and compliance best practices.[xi]
To conclude, cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or visit a malicious site, exploitation of exposed remote desktop protocol (RDP) endpoints and software vulnerabilities, or “drive-by” malware attacks that host malicious code on legitimate websites. Proactive prevention through effective “cyber hygiene,” cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.[xii]
If you want information about our ransomware checklist and policy or other compliance resources, please click HERE.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
______________________________
[i] The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 20% more reports of ransomware incidents in 2020 than in 2019, with a 225% increase in ransom demands, totaling $29 million in 2020 up from $9 million in 2019. See FBI IC3, 2020 Internet Crime Report, (2020). In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase, compared to 2020’s total of $416 million. See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021).
[ii] See FinCEN Advisory, FIN-2019-A005, “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic,” (July 30, 2020).
[iii] See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021). Also see generally DHS Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, (September 2020).
[iv] “Hosted wallets” are CVC wallets where the CVC exchange receives, stores, and transmits the CVCs on behalf of their accountholders. See FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).
[v] Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. For more information, see FinCEN 2021 Ransomware Report, at 13 (October 15, 2021).
[vi] Chain hopping is a “cross-virtual-asset” layering technique for users attempting to conceal criminal behavior. Criminals obfuscate the trail of virtual currency by shifting the trail of transactions from the blockchain of one virtual currency to the blockchain of another virtual currency, often in rapid succession. See DOJ Cryptocurrency Enforcement Framework, at 41-44.
[vii] Smurfing refers to a layering technique in money laundering that involves breaking total amounts of funds into smaller amounts to move through multiple accounts before arriving at the ultimate beneficiary.
[viii] P2P exchangers are individuals or entities offering to exchange fiat currencies for virtual currencies or one virtual currency for another virtual currency. P2P exchangers usually operate informally, typically advertising and marketing their services through online classified advertisements or fora, social media, and by word of mouth. See FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019).
[ix] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021); FinCEN 2021 Ransomware Report, at 13 (October 15, 2021); and White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware, (October 13, 2021).
[x] See OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” (September 21, 2021).
[xi] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021).
[xii] See FBI and DHS CISA, “Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends,” (August 31, 2021).