On 14 March, the Financial Action Task Force (FATF), the international standard-setter on combating money laundering and terrorist financing, released its first ever dedicated report on ransomware.
Ransomware is a type of malicious software (malware) used by cybercriminals to deny access to data, systems, or networks, subject to a ransom payment.
Why do we need this report now?
The use of ransomware has grown sharply over the past three years. It has also become more technically sophisticated, with the development of so-called ransomware-as-a-service products, the use of multiple layers of extortion and the deployment of ransomware by nation states to impact the national security of others. We are also seeing more “big game hunting”, with cybercriminals targeting high-earning organizations to maximize their illicit profits.
TL;DR - what does the report say?
First, the report sets out the nature of the threat. Over half of attacks target the public, healthcare and industrial sectors. Geographically, Europe and North America are targeted the most, with 80% of all attacks, while the Middle East and Africa appear to be targeted the least. Despite this, the report notes that developing countries are also at risk and should be proactively prepared for attacks.
As for the laundering of ransoms, the report highlights that the payment and subsequent laundering of ransomware proceeds is “almost exclusively conducted through virtual assets”. It finds that Bitcoin accounts for 99% of payments, with Monero making up the rest.
The report lists the following common aspects of ransomware money laundering:
- The use of anonymity-enhancing technologies, techniques and tokens such as peel chains to obscure the source of funds. Peel chains utilize several intermediary accounts to move funds, each time siphoning off a small amount into another account.
- The role of mixers and privacy coins in money laundering – however, as noted above, most payments are made in Bitcoin.
- The limited (but perhaps increasing) use of DeFi protocols to layer ransomware funds ahead of offramping into fiat currency.
- Common use of virtual asset service providers (VASPs) in high-risk jurisdictions with lower levels of KYC controls to offramp funds.
- Finally, the use of money mules – individuals who handle transactions on behalf of others – to establish accounts to launder money for criminal groups.
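As an added illustration of the peel-chain pattern described above (this is not code from the FATF report or from this post), the heuristic below follows the largest output hop by hop through a constructed set of transactions and flags a chain when a small fraction is skimmed off at every hop. The `Tx` structure, thresholds and all addresses and amounts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    """One transaction: the addresses it spends from and its (address, amount) outputs."""
    txid: str
    inputs: list
    outputs: list


def find_peel_chain(txs, start_addr, max_peel_frac=0.2, min_hops=3):
    """Follow the largest output from start_addr through successive two-output
    transactions. A hop counts as a 'peel' when the smaller output is at most
    max_peel_frac of the total. Returns a summary dict if at least min_hops
    consecutive peel hops are found, otherwise None."""
    spends = {}
    for tx in txs:
        for addr in tx.inputs:
            spends.setdefault(addr, []).append(tx)
    hops, peeled, seen = [], [], set()
    addr = start_addr
    while addr in spends and addr not in seen:
        seen.add(addr)
        tx = spends[addr][0]           # first transaction spending this address
        if len(tx.outputs) != 2:
            break                      # a peel hop splits into bulk + peel only
        (bulk_addr, bulk_amt), (peel_addr, peel_amt) = sorted(
            tx.outputs, key=lambda o: o[1], reverse=True)
        if peel_amt / (bulk_amt + peel_amt) > max_peel_frac:
            break                      # too even a split to be a peel
        hops.append(tx.txid)
        peeled.append((peel_addr, peel_amt))
        addr = bulk_addr               # continue along the bulk output
    if len(hops) < min_hops:
        return None
    return {"hops": hops, "peeled": peeled,
            "peeled_total": sum(a for _, a in peeled), "end": addr}


# Constructed sample (not real chain data): a ransom address drained through
# four peel hops, plus an unrelated even split that must NOT be flagged.
SAMPLE_TXS = [
    Tx("tx1", ["ransom_addr"], [("A1", 900), ("X1", 100)]),
    Tx("tx2", ["A1"], [("A2", 810), ("X2", 90)]),
    Tx("tx3", ["A2"], [("A3", 730), ("X3", 80)]),
    Tx("tx4", ["A3"], [("A4", 660), ("X4", 70)]),
    Tx("tx5", ["Y"], [("Z1", 500), ("Z2", 500)]),
]

if __name__ == "__main__":
    print(find_peel_chain(SAMPLE_TXS, "ransom_addr"))
    print(find_peel_chain(SAMPLE_TXS, "Y"))
```

The peeled addresses (X1 to X4) are where an analyst would look for deposits to VASPs, which is the off-ramping step the report describes.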
How are countries responding to the risk posed by ransomware?
The second half of the report examines how countries should respond to the threat posed by ransomware.
The report underlines that in order for investigations to be successfully initiated, countries should criminalize ransomware in law, instead of solely relying on established charges such as extortion or computer-related crime, and ensure that they have fully implemented FATF Recommendation 15 on virtual assets and VASPs, including having a properly operating Travel Rule.
Next, the FATF discusses the impact of the under-reporting of ransomware by victims, which makes it hard to detect its true level and associated financial flows. FATF praises insurance, cyber insurance and incident response companies for filing Suspicious Activity Reports (SARs) on ransomware, despite not being required to do so. In addition, VASPs have also provided a useful source of reporting on ransomware payments by filing SARs when they suspect funds are being used for a ransom or their blockchain intelligence providers identify exposure to a known ransomware wallet.
When attacks are reported, the paper lays out the best practices for financial investigation strategies to try to disrupt the crime. The most important factor of a successful investigation is speed in identifying transfers and different actors. To do so, it is vital that financial investigators broaden their skill sets to virtual asset investigatory techniques and tools, including a familiarity with blockchain analytics.
Lastly, the report stresses the importance of information-sharing and coordination to understanding and countering ransomware risks. Countries must consider ransomware in their national risk assessments to give the private sector a basic understanding of their exposure – this should be complemented with typology guidance and the outlining of red flags.
Public-private partnerships can be useful in adding further detail to this understanding. For these to be effective, new relationships may need to be forged across sectors, such as bringing in cybersecurity and data protection bodies and considering the participation of other parts of the digital ecosystem.
One barrier to effective information sharing highlighted by the report is the inherently cross-border nature of virtual assets. Differences in national regulatory frameworks can hinder information sharing and delay investigations. This underscores the importance of all countries implementing Recommendation 15. The report also acknowledges that some jurisdictions tolerate criminal actors and serve as havens for criminal activity.
What needs to be done?
The report concludes that “despite the recent growth in global ransomware financial flows, there is still an observable lack of investigations” into related money laundering.
With this in mind, FATF makes the following proposals:
- Countries must criminalize ‘ransomware’ as a predicate offense to money laundering
- Countries must implement Recommendation 15 and ensure compliance by regulated VASPs that operate in their jurisdictions, including with the Travel Rule
- Countries should publish more information on red flags and trends to help regulated entities detect ransomware risks and create safe channels for reporting attacks
- Authorities must build necessary specialized skills and expertise for successful financial investigations relating to ransomware, including the use of blockchain analytics and monitoring tools, and be able to seize and manage recovered assets related to ransoms
- Countries should include ransomware in their national money laundering and terrorist financing risk assessments, even if they have yet to experience ransomware themselves
- Because information-sharing across sectors and between countries in near real time is essential for disrupting ransomware, countries should build or bolster pre-existing information sharing mechanisms.
To learn more about the cryptoasset threat landscape and stay up to date with the latest criminal trends, join TRM Academy today.