The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued an advisory to remind US businesses about some aspects of ransomware scams and attacks. The advisory addresses (1) the process of making ransomware payments; (2) trends in ransomware attacks; (3) “financial red flag indicators” of ransomware activity; and (4) how to report and share information related to ransomware attacks. In the advisory, FinCEN used information from its analysis of cyber- and ransomware-related Bank Secrecy Act data, open source reporting, and law enforcement partners.
Ransomware is malicious software code that blocks access to computer systems or data, frequently by encrypting files and data. Cybercriminals use ransomware in order to extort ransom payments from victimized businesses in exchange for restoring access to such systems and data. Typically, the criminals are offering a decryption key that can be used to unlock the infected files or systems. In addition to blocking access to systems or data, some cybercriminals steal information through exfiltration and threaten to publicly distribute sensitive or proprietary data obtained from the business’s computer systems if ransom payments are not received.
Ransomware attacks are increasing in their severity and sophistication, with governmental entities and financial, educational, and healthcare institutions being significant targets. In fact, the advisory states there was a 37% increase in reporting of ransomware incidents to the Federal Bureau of Investigation in 2019 compared to 2018. Further, the advisory states that financial losses have also increased from an average dollar amount per incident of $504,000 in 2019 to $783,000 thus far in 2020. Cybercriminals often use common methods to introduce ransomware in a victimized business’s systems, such as phishing and targeted spear-phishing campaigns that prompt individuals to download a malicious file or visit a malicious site.
If a business determines that the best way to remedy a ransomware attack is to pay ransom to the cybercriminal, the payment process can be complicated. Many ransomware scams involve convertible virtual currency (CVC) like Bitcoin. The criminals desire to receive virtual currency so that they can more easily hide the source of their funds. To address the increase in ransomware incidents, new companies have formed to address such incidents, such as digital forensics and incident response (DFIR) companies and specialized companies that facilitate ransom negotiations with and payments to cybercriminals.
The advisory also contains a noncomprehensive list of “financial red flag indicators” of ransomware-related activity to help financial institutions detect, prevent, and report suspicious transactions that may be indicators of ransomware attacks. For example, a DFIR or ransom facilitator receiving funds from a customer and shortly thereafter sending the same fund amounts to a CVC exchange could be an indication of ransomware-related activity.