The Financial Crimes Enforcement Network (FinCEN) has released an updated advisory regarding ransomware and the use of financial systems to facilitate payments.
While this advisory is aimed at financial institutions so they can spot suspicious payments, it’s important for HIPAA-compliant healthcare organizations to understand how law enforcement is working to prevent ransomware attacks and the ransom demands that follow them.
The role of financial intermediaries in facilitating ransomware payments
Financial institutions play a crucial role in the collection of ransom payments. After all, cybercriminals need to get paid somehow. Cybercriminals have lately been demanding to be paid in convertible virtual currency (CVC). A well-known example of CVC is Bitcoin.
There are usually multiple steps involved in paying a ransom. The victim typically sends the ransom via wire transfer, automated clearinghouse (ACH), or credit card payment to a CVC exchange, which then forwards it to the cybercriminal’s account or CVC address. The perpetrator then launders the funds through various means, converting them into other CVCs. These transactions often occur in jurisdictions with weak anti-money laundering and countering the financing of terrorism (AML/CFT) controls.
Sometimes victims may hire digital forensic and incident response (DFIR) companies to negotiate with the cybercriminal and facilitate payment. However, facilitating payments related to malicious cyber activities may violate OFAC regulations.
Trends of ransomware and associated payments
Cybercriminals will only get more sophisticated with time, and it’s important for organizations to be prepared for their next possible attack method. Some ransomware trends have included:
- Phishing campaigns
- Exploiting remote desktop protocol endpoints
- Double extortion schemes
- Triple extortion schemes
- Getting payment by using anonymity-enhanced cryptocurrencies (AECs)
- Using ransomware-as-a-service
- Implementing “fileless” ransomware
- Targeting businesses with weak security and higher propensity to pay the ransom due to the criticality of their service
How to determine if a payment is suspicious
The advisory lists 12 indicators for financial institutions to detect, prevent, and report suspicious activity.
- IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors.
- A customer provides information that a payment is in response to a ransomware incident.
- A customer’s CVC address, or an address with which a customer conducts transactions is connected to ransomware variants, payments, or related activity.
- An irregular transaction occurs between an organization and a DFIR firm or cyber insurance company (CIC).
- A DFIR or CIC customer receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
- A customer shows limited knowledge of CVC during interactions with the financial institution, yet inquires or purchases CVC.
- A customer that has no or limited history of CVC transactions sends a large CVC transaction.
- A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered money services business (MSB).
- A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking regulations for CVC entities.
- A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform.
- A customer initiates a transfer of funds involving a mixing service (a process to break the connection between the sender and receiver).
- A customer uses an encrypted network or an unidentified web portal to communicate with the recipient of the CVC transaction.
Financial institutions should contact the proper authorities to report any suspicious transactions. It’s recommended that financial institutions consider the relevant facts and circumstances of each transaction, as no single red flag indicator on its own establishes criminal activity.
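To show how a few of the red flags above translate into transaction-monitoring rules, here is an added example (not from the advisory or from Paubox) that runs three of them over a constructed ledger: the DFIR/CIC pass-through pattern, a first-time large CVC transaction, and mixer use. The field names, thresholds and 48-hour window are assumptions chosen for the example, not values the advisory specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not from the advisory): dir is from the customer's side, usd is the USD-equivalent value, cp is the counterparty type.
LEDGER = [
    dict(cust="acme-dfir", ctype="dfir", ts="2023-04-10T11:00", dir="out", usd=3000, cp="cvc_exchange"),
    dict(cust="acme-dfir", ctype="dfir", ts="2023-05-01T09:00", dir="in", usd=250000, cp="wire"),
    dict(cust="acme-dfir", ctype="dfir", ts="2023-05-01T15:30", dir="out", usd=248000, cp="cvc_exchange"),
    dict(cust="clinic-42", ctype="standard", ts="2023-05-02T10:00", dir="out", usd=180000, cp="cvc_exchange"),
    dict(cust="trader-7", ctype="standard", ts="2023-05-03T08:00", dir="out", usd=5000, cp="mixer"),
    dict(cust="shop-1", ctype="standard", ts="2023-05-04T08:00", dir="out", usd=900, cp="cvc_exchange"),
]

def dfir_passthrough(txns, window=timedelta(hours=48), tol=0.05):
    """Red flag: a DFIR/cyber-insurance customer receives funds and shortly after sends an equivalent amount to a CVC exchange."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t["cust"]].append(t)
    hits = set()
    for cust, rows in by_cust.items():
        if rows[0]["ctype"] not in ("dfir", "cic"):
            continue
        for i in (r for r in rows if r["dir"] == "in"):
            for o in (r for r in rows if r["dir"] == "out" and r["cp"] == "cvc_exchange"):
                delta = datetime.fromisoformat(o["ts"]) - datetime.fromisoformat(i["ts"])
                if timedelta(0) <= delta <= window and abs(o["usd"] - i["usd"]) <= tol * i["usd"]:
                    hits.add(cust)
    return sorted(hits)

def first_large_cvc(txns, threshold=100000):
    """Red flag: a customer with no prior CVC history sends a large CVC transaction."""
    seen, hits = set(), []
    for t in sorted(txns, key=lambda r: r["ts"]):  # ISO timestamps sort lexically
        if t["cp"] in ("cvc_exchange", "external_wallet"):
            if t["dir"] == "out" and t["usd"] >= threshold and t["cust"] not in seen:
                hits.append(t["cust"])
            seen.add(t["cust"])
    return hits

def mixer_use(txns):
    """Red flag: any transfer involving a mixing service."""
    return sorted({t["cust"] for t in txns if t["cp"] == "mixer"})

def red_flags(txns):
    """Map each customer to the rules it tripped; one flag is a prompt to review the facts, not a finding."""
    flags = defaultdict(list)
    for name, rule in (("dfir_passthrough", dfir_passthrough), ("first_large_cvc", first_large_cvc), ("mixer_use", mixer_use)):
        for cust in rule(txns):
            flags[cust].append(name)
    return dict(flags)
```

Calling `red_flags(LEDGER)` flags the DFIR pass-through, the first-time large CVC purchase and the mixer transfer, while the small routine CVC purchase by `shop-1` trips nothing.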
Prevent becoming a victim of a ransomware attack
According to the advisory, “Proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.” In the long term, it’s more effective and cheaper to be proactive instead of reactive.
HIPAA-compliant email is crucial for healthcare organizations to send secure emails. Paubox Email Suite Plus can help ensure that you can safely communicate with your patients directly in their inboxes. Our HITRUST CSF certified software can also block potentially malicious emails from ever entering your employees’ inboxes, reducing the risk of human error.