On March 14, 2023, the Financial Action Task Force (FATF) – the global anti-money laundering and countering the financing of terrorism (AML/CFT) standard setter – released a landmark report.
Countering Ransomware Financing aims to equip public and private stakeholders – law enforcement agencies, regulators, virtual asset service providers (VASPs) and financial institutions – with the insights needed to address the financial flows associated with ransomware, which has been one of the fastest-growing and most disruptive forms of cybercrime in recent years.
Central to the FATF’s call to crack down on ransomware is shedding light on the illicit financial flows of ransomware gangs and their support networks – flows that mostly occur in crypto-assets. Concurrent regulatory developments increasingly require compliance officers at VASPs and financial institutions to understand how to identify and manage ransomware-related financial crime risks.
Ransomware and money laundering risks
Ransomware is a form of cybercrime in which attackers use malicious software to encrypt data on victims’ computers or deny them access to critical systems, and then demand a ransom in exchange for restoring access. Ransomware has existed for several decades, but it has become particularly lucrative in recent years as criminal gangs have found ways to launch attacks with increasing effectiveness and efficiency.
Using a technique known as Big Game Hunting, ransomware groups now routinely target hospitals, government offices, energy firms and other critical infrastructure in order to extract the largest possible ransoms. In recent years, ransomware gangs – many of which operate out of Russia, as well as jurisdictions such as Iran and North Korea – have collected hundreds of millions of dollars annually from their victims.
Notable perpetrators include Russia-based ransomware operations such as DarkSide, Conti and Ryuk, as well as the North Korean state-linked cybercrime group Lazarus Group.
Crypto-assets have contributed significantly to the growth of ransomware. Almost all ransomware payments are made in Bitcoin, which allows attackers to receive funds from victims directly into self-hosted Bitcoin wallets that are not held at any regulated institution.
However, after receiving Bitcoin from their victims, ransomware attackers generally need to convert the funds into fiat currency – Russian rubles, euros or other currencies – at a crypto exchange or other VASP. And because the Bitcoin blockchain is highly transparent, the flow of funds from these attacks can be traced as ransomware gangs attempt to launder them through the crypto ecosystem.
This activity, in turn, can generate indicators of money laundering that compliance officers can detect – some of which FATF has detailed in its reports, and regulators such as the US Treasury’s Financial Crimes Enforcement Network (FinCEN) have also documented in notices to the private sector.
Some key signs of money laundering and behaviors that often appear in ransomware cases include:
- Funds from ransomware attacks are sent to crypto-asset exchanges with minimal or no AML/CFT controls and/or based in high-risk jurisdictions – for example the Bitzlato exchange, which FinCEN identified in January 2023 as a “primary money laundering concern” in connection with Russian illicit finance under Section 9714(a) of the Combating Russian Money Laundering Act.
- Attackers route their funds through crypto-asset mixing services and other obfuscation technologies aimed at breaking the trail of assets on the blockchain.
- Attackers take transparent crypto-assets – such as Bitcoin – received from their victims and swap them for privacy coins such as Monero, whose ledgers conceal sender, recipient and amount.
- Attackers use the “chain-hopping” typology, disguising their activity by sending funds through decentralized finance (DeFi) services such as cross-chain bridges, which let users move value between Bitcoin, Ethereum and other blockchains.
While crypto-asset exchanges and other VASPs are most directly exposed to this behavior, banks and other financial institutions must also be aware of the money laundering risks. Once ransomware gangs have exchanged crypto-assets for fiat currency, they attempt to launder those funds through the banking system.
By understanding the key red flags and typologies involved, bank compliance teams can be equipped to identify money laundering associated with ransomware.
A growing challenge to sanctions
In addition to money laundering risks, ransomware-related transactions pose growing risks and challenges to sanctions compliance.
Over the past 18 months, the US Treasury’s Office of Foreign Assets Control (OFAC) has stepped up sanctions activity targeting ransomware attackers and their support networks. This often includes listing crypto-asset addresses belonging to attackers and their facilitators as identifiers on OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
OFAC’s actions involving ransomware include:
- In October 2020, OFAC issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” which it updated in September 2021. The advisory explains that making or facilitating ransomware payments may violate sanctions if those payments benefit a sanctioned person or jurisdiction.
- Between September 2021 and April 2022, OFAC sanctioned three crypto-asset exchanges registered in Eastern Europe – SUEX, Chatex and Garantex – which it accused of laundering cryptocurrency on behalf of ransomware gangs.
- In April 2022, OFAC also sanctioned the Hydra darknet marketplace, which ransomware gangs and their affiliates had used to launder proceeds, on the same day that German law enforcement seized its servers and took it down.
- In February 2023, OFAC took coordinated, joint action together with the UK’s Office of Financial Sanctions Enforcement (OFSI) to target ransomware gangs. OFAC and OFSI have sanctioned seven Russian nationals allegedly linked to the Conti and Ryuk ransomware campaigns.
As a result of these actions, VASPs and financial institutions must ensure that they do not facilitate prohibited payments to or from sanctioned ransomware gangs and the facilitators who support them.
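The red flags listed in the previous section and the SDN-address screening described here reduce, in practice, to following a ransom payment's onward hops and matching each counterparty against watchlists. The following Python snippet is an added example, not code from the FATF report, from the original article or from any analytics vendor: it walks a constructed transaction ledger outward from a ransom-collection address and raises one flag per typology (mixer, weak-AML exchange, privacy-coin swap, cross-chain bridge, SDN-listed address). Every address label and watchlist entry is a hypothetical placeholder; a real deployment would populate the watchlists from OFAC's SDN identifiers and a blockchain-analytics provider's entity labels.

```python
"""Rule-based red-flag tracing over a constructed transaction ledger (added example)."""
from collections import deque, namedtuple

Tx = namedtuple("Tx", "src dst amount chain")      # one on-chain transfer
Flag = namedtuple("Flag", "kind address hops")     # one raised red flag

# Constructed watchlists. Every label is hypothetical, not a real address.
SDN_ADDRESSES = {"addr_sdn_exchange"}               # crypto addresses listed as SDN identifiers
HIGH_RISK_EXCHANGES = {"addr_weak_aml_exchange"}    # VASPs with weak or no AML/CFT controls
MIXERS = {"addr_mixer"}                             # mixing / obfuscation services
BRIDGES = {"addr_bridge"}                           # cross-chain bridges (chain-hopping)
PRIVACY_COIN_SWAPS = {"addr_xmr_swap"}              # services swapping BTC for privacy coins

WATCHLISTS = [
    ("sdn_match", SDN_ADDRESSES),
    ("high_risk_exchange", HIGH_RISK_EXCHANGES),
    ("mixer", MIXERS),
    ("chain_hopping", BRIDGES),
    ("privacy_coin_swap", PRIVACY_COIN_SWAPS),
]

# Constructed ledger: a victim pays 10 BTC, which the gang then splits and layers.
LEDGER = [
    Tx("addr_victim", "addr_ransom", 10.0, "btc"),
    Tx("addr_ransom", "addr_hop1", 6.0, "btc"),
    Tx("addr_ransom", "addr_mixer", 4.0, "btc"),
    Tx("addr_hop1", "addr_weak_aml_exchange", 3.0, "btc"),
    Tx("addr_hop1", "addr_bridge", 3.0, "btc"),
    Tx("addr_mixer", "addr_xmr_swap", 4.0, "btc"),
    Tx("addr_bridge", "addr_eth_wallet", 3.0, "eth"),     # value re-emerges on Ethereum
    Tx("addr_eth_wallet", "addr_sdn_exchange", 3.0, "eth"),
]


def build_graph(ledger):
    """Index transfers by source address so outgoing hops can be followed."""
    graph = {}
    for tx in ledger:
        graph.setdefault(tx.src, []).append(tx)
    return graph


def classify(address):
    """Return every watchlist typology that an address matches."""
    return [kind for kind, watchlist in WATCHLISTS if address in watchlist]


def trace_red_flags(ledger, start, max_hops=5):
    """Breadth-first walk of outgoing transfers from `start`.

    Each newly reached address is checked against the watchlists and a Flag is
    recorded on first discovery, with the hop distance from the start address.
    """
    graph = build_graph(ledger)
    seen = {start}
    queue = deque([(start, 0)])
    flags = []
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in graph.get(addr, []):
            if tx.dst in seen:
                continue
            seen.add(tx.dst)
            for kind in classify(tx.dst):
                flags.append(Flag(kind, tx.dst, hops + 1))
            queue.append((tx.dst, hops + 1))
    return flags


def risk_level(flags):
    """Map raised flags to a disposition: SDN exposure blocks, other typologies escalate."""
    if any(f.kind == "sdn_match" for f in flags):
        return "block"
    if flags:
        return "escalate"
    return "clear"


if __name__ == "__main__":
    found = trace_red_flags(LEDGER, "addr_ransom")
    for f in found:
        print(f"{f.kind:20s} {f.address:25s} {f.hops} hop(s) out")
    print("disposition:", risk_level(found))
```

Run from the ransom-collection address, the walk raises the mixer flag one hop out, the weak-AML exchange, bridge and privacy-coin flags two hops out, and the SDN match four hops out on the Ethereum side of the bridge, so the disposition is "block". The hop count matters operationally: a direct transfer to an SDN address is a sanctions violation, whereas exposure several hops away is an investigative lead for escalation, and a real screen would weight flags by distance and amount rather than treating them uniformly as this example does.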
Response to risks
Successfully fighting ransomware while complying with regulatory requirements is possible – although challenges exist. Compliance teams at VASPs and financial institutions can take steps to ensure they effectively address the associated risks.
First, compliance teams should receive training on ransomware typologies and red flags so they have the knowledge needed to detect potential money laundering or sanctions evasion activity.
Second, compliance teams should familiarize themselves with evolving regulatory requirements and notices related to ransomware—especially OFAC’s sanctions requirements—and should ensure that their policies and procedures reflect these developments.
Finally, compliance teams at VASPs and financial institutions should use blockchain analytics solutions to detect red flags and other indicators of ransomware-related crypto-asset transaction risk. Such tools can trace on-chain asset flows and match them against the laundering typologies described above, such as mixing, privacy-coin swaps and chain-hopping, which are increasingly used on-chain.
As a rapidly evolving form of cybercrime, ransomware activity presents significant compliance challenges. However, by taking the above steps, compliance teams can work to successfully manage risk.
Originally published by Thomson Reuters © Thomson Reuters.