With reported ransomware incidents skyrocketing in the first six months of 2021, government officials have identified emerging money laundering tactics utilized by cybercriminals behind these attacks to accept and transfer ransom payments.
A Financial Crimes Enforcement Network (FinCEN) report released on Friday found that the number of ransomware-related suspicious activity reports (SARs) has “grown rapidly” in the period between January and June of this year. The briefing came on the heels of the Anti-Money Laundering Act of 2020, which required FinCEN to periodically publish threat patterns gathered from suspicious activity reports by financial institutions. FinCEN is a bureau of the Department of the Treasury charged with safeguarding the financial system from illicit use and combating money laundering.
In the first six months of 2021, the number of reported transactions was up 30 percent from those reported during the entirety of 2020. The total value of reported suspicious ransomware transactions during this period ($590 million) also was up 42 percent from that reported in the entire year of 2020 ($416 million).
“If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined, which would represent a continuing trend of substantial increases in reported year-over-year ransomware activity,” according to the report.
It’s important to note here that the identification and reporting of the attacks by financial institutions might be different from the actual attack timelines themselves - and the increase in reported incidents may also in part be due to an increased willingness to report as well as improved detection methods.
Evolving Money Laundering Efforts
Cybercriminals behind ransomware attacks are tweaking their money laundering efforts, in order to avoid detection by law enforcement.
While Bitcoin remains the most common ransomware-related payment method in reported transactions, FinCEN charted an increase in the use of anonymity enhanced cryptocurrencies (AECs) in 2021 - most notably, Monero (other examples of AECs include Zcash and Dash). AECs are a type of virtual currency that use non-public or private blockchains. This means that cybercriminals may have an easier time sidestepping policies aimed at rooting out suspicious activities, such as the Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT) compliance controls, a set of regulations that financial institutions follow to detect and prevent money laundering.
In some instances, FinCEN observed attackers providing both a Monero and Bitcoin wallet address for ransomware payments, and imposing an extra fee - a 10 to 20 percent surcharge - for victims paying in Bitcoin. Other times, attackers would exclusively request payment in Monero, but would ultimately accept a payment in Bitcoin after negotiation. Overall, FinCEN observed 17 ransomware incidents where the attackers requested payment in Monero.
Aamir Lakhani, cybersecurity researcher and practitioner at Fortinet’s FortiGuard Labs, said alternative crypto options are becoming more popular with cybercriminals. Researchers with FortiGuard Labs recently observed a threat actor called “Tortillas” that deployed the Babuk ransomware and asked victims to pay $10,000 worth of Monero cryptocurrency in exchange for file decryption.
“Bitcoins have a public blockchain, it is not easy to track bitcoins, but there is some public investigation that can be done,” said Lakhani. “With Monero and non-public blockchains it is harder to see where money is from - or going - which is of interest to cybercriminals. For victims it is also harder to get Monero cryptocurrency.”
Avoiding Money Laundering Compliance Controls
In another effort to avoid AML/CFT compliance policies, cybercriminals are primarily utilizing foreign centralized echanges to deposit money from ransomware activities, including exchanges incorporated in “high-risk jurisdictions” with opaque ownership structures. These types of exchanges may not enforce the reporting of suspicious transactions or the “know your customer” requirements, a financial services guideline that requires knowing and keeping records on essential facts for each customer. For cryptocurrency exchanges, the information required for buying cryptocurrency may vary from a date of birth to a photo of valid government-issued identification.
“Non-compliant centralized exchanges are possibly a key step in the layering and obfuscation process of laundering funds from [convertible virtual currency] CVC to fiat currency,” according to the report.
Ransomware actors are also becoming more volatile in how they transfer funds when a ransom is paid, making transactions harder for law enforcement to track. Increasingly, attackers are avoiding the reuse of wallet addresses after receiving funds from victims, instead layering funds through multiple wallet addresses and laundering payments from each ransomware event separately. Overall, FinCEN identified 177 unique wallet addresses used for ransomware-related payments by the top 10 most commonly reported ransomware variants.
Cybercriminals are also continuing to rely on a well-known method called “chain hopping” to obfuscate the origin of their funds, by hopping between different cryptocurrencies multiple times before moving the funds to another service or platform.
“This practice allows threat actors to convert illicit BTC proceeds into an AEC like XMR at CVC exchanges or services,” according to the report. “Threat actors can then transfer the converted funds to large CVC services and MSBs with lax compliance programs.”
Ongoing Federal Efforts Against Ransomware
On the heels of several significant ransomware attacks this year the federal government is taking steps to crack down on cryptocurrency payments used for money laundering. Earlier in October, the Department of Justice announced the formation of the National Cryptocurrency Enforcement Team, a new team focused on cryptocurrencies, exchanges, and enforcing federal financial laws in how they operate. And on Friday, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued guidance for promoting sanctions compliance in the cryptocurrency industry.
FinCEN made several recommendations for how companies affected by ransomware attacks could proceed, including reporting suspicious activity, contacting law enforcement and incorporating IOCs from threat data sources into intrusion detection systems.