The U.S. Treasury Department is warning that individuals or businesses that help facilitate ransomware payments may be violating anti-money laundering and sanctions regulations.
The warnings came in a pair of advisories, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC).
FinCEN addressed companies that provide protection and mitigation services to victims of ransomware attacks, including digital forensics and incident response companies and cyber insurance companies that facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for convertible virtual currency (CVC), and then transferring the CVC to criminal-controlled accounts.
“Depending on the particular facts and circumstances, this activity could constitute money transmission,” the advisory says.
Entities engaged in money services business activities are required to register with FinCEN, and must file suspicious activity reports. Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.
FinCEN’s advisory provides information on how insurers and others should effectively report and share information related to ransomware attacks.
OFAC issued an advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities. OFAC said it has imposed and will continue to impose sanctions on those who “materially assist, sponsor, or provide financial, material, or technological support” for ransomware activities.
As a general matter, OFAC said it encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services,” the government said.
“Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes,” said Deputy Secretary Justin G. Muzinich. “Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.”
The number of ransomware attack notifications against insurance clients increased by 131 percent in 2019 and the funds demanded by the attackers surged along with the counts.
According to a recent report from specialty insurer Beazley’s Breach Response (BBR) Services, cybercriminals have been asking for seven- and even eight- figure sums in some cases.
The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to access their work computer desktops or company’s primary server from home with the press of a button.
Insurance executives note that insureds, not insurers, make any decision whether to pay a ransomware demand. “[A]lthough no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more,” wrote insurance broker Marsh in a commentary last year entitled, “How Cyber Insurance Supports the Fight AGAINST Ransomware.”
*This story ran previously in our sister publication Insurance Journal.