In a few short weeks, the global loss attributable to cybercrime is expected to surpass $6 trillion.* Therefore, in an effort to protect financial institutions and consumers from further loss, agencies including the United States Securities and Exchange Commission (A Cybersecurity Wake Up Call: SEC Sanctions Eight Firms for Cybersecurity Deficiencies) and the United States Department of the Treasury Financial Crimes Enforcement Network (“FinCEN”), are prioritizing cybersecurity enforcement actions and offering guidance on how to detect and report suspicious ransomware attacks (Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments) (the “Advisory”), respectively.
The chilling factual predicate for the Advisory involves a marked increase in both cybercriminal activity and the sophistication of ransomware methods used by criminals who have successfully attacked critical U.S. infrastructure. In its effort to educate financial institutions about identifying cyberattacks, the Advisory offers 12 financial “red-flag indicators” including: (i) detecting IT enterprise activity (i.e., malicious cyber activity), which is connected to ransomware cyber indicators (e.g., suspicious registry or system file changes); (ii) awareness that a payment is in response to a ransomware incident; (iii) a customer’s convertible virtual currency (“CVC”) address being connected to ransomware related activity; (iv) an irregular transaction between an entity in a high risk sector (e.g., government, financial, healthcare), and cyber insurance companies (“CIC”); (v) receipt of funds by a CIC or incident response company that sends the equivalent amount to a CVC exchange; (vi) a customer who shows limited knowledge of CVC, yet requests information or purchases CVC; (vii) a large CVC transaction sent by a customer with limited history of CVC transactions; (viii) a customer who has not registered with FinCEN as a money transmitter, but who appears to be executing offsetting transactions between various CVCs; (ix) a customer using a foreign-located CVC exchanger in a high-risk jurisdiction; (x) a customer receiving CVC from an external wallet and immediately initiating multiple trades with no apparent related purpose; (xi) a customer initiating a transfer of funds through a “mixing service” (i.e., a mechanism used to launder ransomware payments); and (xii) a customer using an encrypted network to communicate with the recipient of a CVC transaction.
Additionally, the Advisory provides updated guidance relevant to a financial institution’s obligation to file suspicious activity reports (“SARs”). For example, the Advisory updates an October 2020 advisory to include an obligation to identify and immediately report any suspicious transactions associated with ransomware attacks. The importance of complying promptly with this new reporting obligation cannot be overstated because, according to FinCEN, ransomware attacks are serious and evolving and “require immediate attention.” Similarly, information sharing among financial institutions about attacks, attempted attacks, and vulnerabilities is invaluable for preventing future attacks. And, financial institutions need not worry that such information sharing would run afoul of confidentiality requirements, as Section 314(b) of the USA Patriot Act explicitly permits financial institutions, upon notice to the Department of the Treasury, to share information with one another in order to identify and report suspicious activities.
As the Advisory suggests, financial institutions must take an active role in detecting and reporting ransomware attacks if we are going to thwart further ransomware attacks. An advisable first step for financial institutions is to update cybersecurity policies to include these “red-flag indicators” and require personnel file immediately SARs, especially those associated with ransomware attacks. And so, as noted by the Advisory “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency is … the best defense against ransomware.”
** The Advisory notes a 42 percent increase in cyber-crime compared to 2020 and observes the new and more savvy methods include (i) extortion schemes; (ii) anonymity-enhanced cryptocurrencies (e.g., Bitcoin); (iii) unregistered convertible virtual currency (“CVC”) “mixing” services, (i.e. a mechanism used to launder ransomware payments); and (iv) the use of “fileless” ransomware, which embeds a malicious code directly into a computer’s memory, allowing cybercriminals to circumvent antivirus and malware defenses.
*** Because financial institutions are involved with processing ransom payments to cybercriminals, the institutions themselves are becoming more vulnerable to attacks.
**** During the November 8, 2021 arrest of two cybercriminals for a series of ransomware attacks on Kaseya, a multi-national information technology software company, Deputy Attorney General Lisa Monaco stated that the FBI was able to identify the two cybercriminals because Kaseya acted “almost immediately after [it] was hit” by the ransomware attacks (Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi /REvil Ransomware Arrest
Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.
Have questions? Please contact me at email@example.com.