Thursday, November 11, 2021

Ransomware Payments

QUESTION
We are a large mortgage lender in the northeast. I am the Chief Compliance Officer. We have multiple platforms, licensed in all states, and maintain an extensive servicing unit. 

Jonathan, thank you for the weekly posts. And we are grateful that you provided the ransomware checklist. Most companies would make us pay for this kind of checklist, but you offered it for free. That is real commitment! And it has helped us to configure our ransomware security. 

Recently, we learned that another large lender was hit with a ransomware attack. The attacker wants to be paid in cryptocurrency. Admittedly, we are unprepared to respond to such a demand if it happens to us. Frankly, I don’t know how cryptocurrency even works in ransomware attacks. So, we are coming to you to get an understanding. 

What role does cryptocurrency play in ransomware attacks? 

ANSWER
First and foremost, thank you for subscribing. Our posts are a labor of love as an expression of our commitment to the mortgage community. HERE’s a list of some recent FAQs. 

I also appreciate that you are using our ransomware checklist. It covers preparation, response, and recovery. If anyone wants it, please click HERE. It’s free. 

I suppose we could be paid for some of the tools we provide, but our mission is to serve and share. It is certainly possible to grow a compliance firm without having to charge for every single thing we do. We are the living proof of that philosophy! 

Lenders Compliance Group has been thriving and growing since 2006. It is strong and continuing to scale because we are focused on our clients’ compliance experience. Our goal is to help a company to build and maintain a Culture of Compliance®, a term we have pioneered for many years. 

Our team consists of some of the top professionals in mortgage compliance. Believe me, it makes a difference! 

Ransomware is an escalating concern with federal and state regulators. If you are not ready for a ransomware examination, be advised, it’s on the way. Financial institutions play a critical role in the collection of ransom payments. In effect, an institution becomes a facilitator of ransomware payments, whether handling its own response to a ransomware attack or acting as a financial intermediary. 

The severity and sophistication of ransomware attacks continue to rise[i] across various sectors, particularly governmental entities and financial, educational, and healthcare institutions.[ii] Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to the victims’ weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.[iii] 

So, let’s take a closer look at ransomware payments, especially as these relate to cryptocurrency. 

Most ransomware schemes involve convertible virtual currency (CVC), which is the preferred payment method of ransomware perpetrators. You might as well get used to this terminology. CVC is inherent in ransomware payments. The payment process is a bit complicated, so stay with me as I discuss it. 

Let me outline a typical ransomware payment flow using CVC. After the delivery of the ransom demand occurs, a ransomware victim will usually transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a “wallet” hosted at the exchange,[iv] to the perpetrator’s designated account or CVC address. 

Then, the perpetrator launders the funds through various means – including “mixers,” “tumblers,”[v] and “chain hopping”[vi] – to convert funds into other CVCs. These transactions are often structured into smaller “smurfing”[vii] transactions involving multiple persons and across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P)[viii] and “nested” exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism controls. 

That’s a brief but serviceable outline of the payment process. 
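The “smurfing” step in the flow above is also what an exchange’s or intermediary’s transaction-monitoring program has to spot after the fact. The following added example (not code from the post or from Lenders Compliance Group) runs a simple structuring detector over a constructed ledger of CVC transfers: it flags any source address whose outflows, within a time window, are split into many sub-threshold transfers fanning out to many fresh addresses while together moving most of the ransom amount. All addresses, amounts, and thresholds are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int        # unix time, seconds
    src: str       # sending CVC address
    dst: str       # receiving CVC address
    amount: float  # units of one CVC

def find_smurfing(transfers, ransom_amount, window_s=6 * 3600,
                  min_hops=5, max_share=0.25, min_coverage=0.8):
    """Flag sources whose outflows inside one window look like structuring:
    >= min_hops transfers, each <= max_share of the ransom, to >= min_hops
    distinct addresses, together moving >= min_coverage of the ransom."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    flagged = {}
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(outs)):
            while outs[end].ts - outs[start].ts > window_s:  # slide window
                start += 1
            small = [t for t in outs[start:end + 1]
                     if t.amount <= max_share * ransom_amount]
            total = sum(t.amount for t in small)
            dsts = {t.dst for t in small}
            if (len(small) >= min_hops and len(dsts) >= min_hops
                    and total >= min_coverage * ransom_amount):
                best = flagged.get(src)
                if best is None or total > best["total"]:  # keep fullest window
                    flagged[src] = {"count": len(small), "distinct_dst": len(dsts),
                                    "total": round(total, 8)}
    return flagged

# Constructed sample ledger (addresses and amounts are invented): a 10-unit
# ransom lands at perp_addr, then six outflows of ~1.6 units fan out to fresh
# addresses within two hours; shop_addr makes one ordinary 10-unit payment.
T0 = 1_636_600_000
SAMPLE = [Transfer(T0, "exchange_hot_wallet", "perp_addr", 10.0),
          Transfer(T0 + 7200, "shop_addr", "vendor_addr", 10.0)]
SAMPLE += [Transfer(T0 + 900 * (i + 1), "perp_addr", f"mule_{i}", amt)
           for i, amt in enumerate([1.6, 1.7, 1.65, 1.6, 1.7, 1.6])]

def scan_sample():
    """Run the detector over the constructed ledger."""
    return find_smurfing(SAMPLE, ransom_amount=10.0)
```

The single 10-unit payments are not flagged; only the fan-out from perp_addr is, which is the pattern a SAR narrative would describe.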

But your company should ensure that it has a ransomware policy that covers the payment concerns and the many derivative repercussions. These other aspects and nuances are where your responsibilities as a compliance manager should also be focused. 

For instance, cyber insurance companies (CICs) and digital forensic and incident response (DFIR) companies play a role in ransomware transactions. CICs issue policies designed to mitigate an entity’s losses from various cyber incidents, such as data breaches, business interruption, and network damage. CICs may reimburse policyholders for particular remediation services, including the use of DFIRs if needed. Indeed, as part of incident remediation, some financial institutions have hired a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal, and investigate the source of the cybersecurity breach. 

Some DFIR companies and CICs facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Thus, depending on the particular facts and circumstances, this activity could constitute money transmission. 

Of course, FinCEN does not hesitate to take action against entities and individuals engaged in money transmission if they fail to register with FinCEN or comply with their other AML obligations. 

Financial institutions involved in ransomware payments should be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.[ix] On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities.[x] Additionally, in October 2021, OFAC issued sanctions compliance guidance for the virtual currency industry. That issuance provides an overview of critical items such as reporting instructions, consequences of non-compliance, and compliance best practices.[xi] 

To conclude, cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site, exploit remote desktop protocol endpoints and software vulnerabilities, or deploy “drive-by” malware attacks that host malicious code on legitimate websites. Proactive prevention through effective “cyber hygiene,” cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.[xii] 

If you want information about our ransomware checklist and policy or other compliance resources, please click HERE. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

______________________________   
[i] The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 20% more reports of ransomware incidents in 2020 than in 2019, with a 225% increase in ransom demands, totaling $29 million in 2020 up from $9 million in 2019. See FBI IC3, 2020 Internet Crime Report, (2020). In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase, compared to 2020’s total of $416 million. See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021).
[ii] See FinCEN Advisory, FIN-2019-A005, “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic,” (July 30, 2020).
[iii] See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021). Also see generally DHS Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, (September 2020).
[iv] “Hosted wallets” are CVC wallets where the CVC exchange receives, stores, and transmits the CVCs on behalf of their accountholders. See FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).
[v] Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. For more information, see FinCEN 2021 Ransomware Report, at 13 (October 15, 2021).
[vi] Chain hopping is a “cross-virtual-asset” layering technique for users attempting to conceal criminal behavior. Criminals obfuscate the trail of virtual currency by shifting the trail of transactions from the blockchain of one virtual currency to the blockchain of another virtual currency, often in rapid succession. See DOJ Cryptocurrency Enforcement Framework, at 41-44.
[vii] Smurfing refers to a layering technique in money laundering that involves breaking total amounts of funds into smaller amounts to move through multiple accounts before arriving at the ultimate beneficiary.
[viii] P2P exchangers are individuals or entities offering to exchange fiat currencies for virtual currencies or one virtual currency for another virtual currency. P2P exchangers usually operate informally, typically advertising and marketing their services through online classified advertisements or fora, social media, and by word of mouth. See FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019).
[ix] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021); FinCEN Ransomware Report 2021, at 13 (October 15, 2021); and White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware, (October 13, 2021).
[x] See OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” (September 21, 2021).
[xi] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021).
[xii] See FBI and DHS CISA, “Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends,” (August 31, 2021).