by Rob Goldfinger, CAMS
Ransomware attacks are a growing concern for the financial sector because of the critical role financial institutions play in the collection of ransom payments. The most recent cyberattack, organized by the Eastern European-based DarkSide, targeted Colonial Pipeline, a U.S. pipeline that controls nearly half the fuel flow on the East Coast between New York and Texas. These increasing threats led the Financial Crimes Enforcement Network (FinCEN) to issue an advisory on October 1, 2020 to financial institutions with guidance on ransomware and associated money laundering activities — more specifically, the predominant trends, typologies, and potential indicators of ransomware payments.
The advisory also outlined the critical role of financial intermediaries in the processing of ransomware payments, as well as the mandated reporting and information sharing requirements for ransomware attacks, notably SARs (suspicious activity reports). On October 1, 2020, the Office of Foreign Assets Control (OFAC) also issued an advisory highlighting the risk that financial institutions engaging with criminals involved in cybercrime may violate economic sanctions imposed by governments.
Your Risk Is Their Reward
Despite best efforts by international governing bodies and law enforcement, many cybercriminals are succeeding, sharing resources to enhance the effectiveness of ransomware attacks. Ransomware kits, with ready-made malicious code and tools, can be purchased, although in some cases they can also be accessed free of charge. Some ransomware groups are also going so far as to form partnerships and share advice, code, trends, and techniques — as well as illegally obtained information — over shared platforms (à la DarkSide).
The stakes could not be higher, but the relevancy of this risk, and the full scope of requirements expected from financial institutions, continue to fall on deaf ears. Processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more money services businesses (MSBs), but the process, players and even the payments are evolving. The involvement of a financial institution in paying a ransom of this kind is a major problem, especially if the receiving party is or can be linked to a sanctioned person, entity, party or government.
Other significant considerations include:
- Risk Management Is Mandated: Financial institutions are mandated in their Know Your Customer (KYC) programs to have up-to-date, real-time information about their customers, entities and any person or party linked to that customer. The volume of this data, and the undertaking of managing it, is typically massive, but analyzing the activity or behavior of any party that may be connected to cybercrime activity or conducting business within the institution is critical.
- The Dark Web Is Playing a Bigger and Bigger Role: This new era also requires financial institutions to closely monitor the dark web and then escalate and collate this dark web-sourced information with other data for proper KYC and compliance (OFAC, sanctions, etc.). Silk Road is an example of a dark web marketplace that criminals would use to hide illicit sources of funds, typically bitcoin, to fuel illegal activities around the globe.
- Methods Are Changing: Speaking of bitcoin, recent reports have revealed that a ransom was paid by Colonial Pipeline to DarkSide to release the malware/ransomware placed on the company’s information system — reportedly close to $5 million in bitcoin. Bitcoin’s continued and escalating use in criminal activity will likely result in even more regulations from the U.S. Securities and Exchange Commission (SEC) and similar government agencies in other jurisdictions as these types of ransomware attacks continue to increase.
A Call to Action for Finance
The financial services industry now must brace itself for a possible escalation of ransomware attacks. Seemingly caught in the middle of this situation, financial institutions need to consider upgrading internal controls and deploying technologies to not only comply with regulations but also to safeguard their own operations. Technologies like real-time streaming analytics afford organizations the ability to detect anomalies instantly to prevent further damage. Vigilance, up-to-date information and real-time analysis of data are paramount during times of changing criminal tactics and heightened risk.
Rob Goldfinger is a Certified Anti-Money Laundering Specialist (CAMS) and a founding member — and former Co-Chair — of the ACAMS Carolinas Chapter. He also serves on the ACAMS TODAY editorial and ACAMS educational task forces. An author and frequent speaker, Robert regularly appears at U.S. domestic and international conferences to discuss organizational efficiency, utilization and design of due diligence tools, threat and risk management, as well as fraud and anti-money laundering.
He is a retired law enforcement executive, having served with the Rochester New York Police Department. During his tenure in law enforcement, he held numerous leadership positions including Commanding Officer of Criminal Investigations, Director of Training and Development, and Internal Investigation Command, managing use of deadly physical force, corruption and integrity investigations.