If you see something, say something: FinCEN Updates Ransomware Attack Handling Advisory | Farrell Fritz, PC
In a few weeks, global losses from cybercrime are expected to exceed $6 trillion.* Therefore, in an effort to protect financial institutions and consumers from further loss, agencies including the United States Securities and Exchange Commission (see Cybersecurity wake-up call: SEC sanctions eight companies for cybersecurity shortcomings) and the Financial Crimes Enforcement Network (“FinCEN”) have acted, the latter by issuing an updated advisory, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (the “Advisory” or the “Notice”).
The chilling factual predicate of the Advisory implies a marked increase in both cybercrime activity and the sophistication of the ransomware methods used by criminals who have successfully attacked critical US infrastructure.** In its effort to educate financial institutions on the identification of cyber attacks, the Advisory offers 12 financial “warning indicators” (red flags),*** in particular:
(i) detection of anomalous activity on the institution’s or a customer’s IT systems (e.g. registry changes or entries in system log files);
(ii) knowledge that a payment is in response to a ransomware incident;
(iii) a customer’s convertible virtual currency (“CVC”) address being connected to ransomware-related activity;
(iv) an unusual transaction between an entity in a high-risk industry (e.g. government, finance, healthcare) and a cyber insurance company (“CIC”);
(v) receipt of funds by a CIC or incident response company that then sends the equivalent amount to a CVC exchange;
(vi) a customer who shows limited knowledge of CVC but requests information about, or purchases, CVC;
(vii) a large CVC transaction sent from a customer with a limited CVC transaction history;
(viii) a customer who has not registered with FinCEN as a money transmitter but who appears to be executing exchange transactions between various CVCs;
(ix) a customer using a CVC exchanger located abroad in a high-risk jurisdiction;
(x) a customer receiving CVC from an external wallet and immediately initiating multiple transactions with no apparent related purpose;
(xi) a customer initiating a funds transfer via a “mixing service” (i.e. a mechanism used to launder ransomware payments); and
(xii) a customer using an encrypted network to communicate with the recipient of a CVC transaction.
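Several of these red flags are not static attributes of a transaction but patterns across a customer’s history, which is what transaction-monitoring rules have to encode. The following is an added illustration, not code from the Farrell Fritz post or from FinCEN, of how indicators (vii) (a large CVC transaction from a customer with limited history) and (x) (an inbound transfer from an external wallet immediately followed by a burst of outbound transactions) can be screened over a ledger. The thresholds, the sample customers and every transaction record are constructed for the example and are not drawn from the Advisory.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical tuning values; a real program would set these from its
# own risk assessment, not from this example.
LARGE_USD = 50_000.0           # "large" CVC transaction, in USD equivalent
MIN_HISTORY_COUNT = 5          # fewer prior transactions than this = limited history
BURST_WINDOW = timedelta(hours=1)
BURST_MIN_OUT = 3              # outbound transfers within the window that count as a burst


@dataclass(frozen=True)
class Tx:
    customer: str
    ts: datetime
    direction: str      # "in" (customer receives CVC) or "out" (customer sends CVC)
    amount_usd: float
    counterparty: str   # e.g. "external_wallet", "exchange", "merchant"


def screen(transactions):
    """Return one alert per (customer, indicator, triggering transaction)."""
    by_customer = defaultdict(list)
    for tx in transactions:
        by_customer[tx.customer].append(tx)

    alerts = []
    for customer, txs in by_customer.items():
        txs.sort(key=lambda t: t.ts)
        for i, tx in enumerate(txs):
            # Indicator (vii): large outbound CVC transfer while the customer
            # has fewer than MIN_HISTORY_COUNT prior transactions on record.
            if tx.direction == "out" and tx.amount_usd >= LARGE_USD and i < MIN_HISTORY_COUNT:
                alerts.append({"customer": customer, "indicator": "vii", "ts": tx.ts,
                               "detail": f"${tx.amount_usd:,.0f} out with {i} prior transactions"})
            # Indicator (x): inbound from an external wallet followed by a burst
            # of outbound transfers inside BURST_WINDOW.
            if tx.direction == "in" and tx.counterparty == "external_wallet":
                outs = [o for o in txs[i + 1:]
                        if o.direction == "out" and o.ts - tx.ts <= BURST_WINDOW]
                if len(outs) >= BURST_MIN_OUT:
                    alerts.append({"customer": customer, "indicator": "x", "ts": tx.ts,
                                   "detail": f"{len(outs)} outbound transfers within "
                                             f"{BURST_WINDOW} of external inbound"})
    return alerts


# Constructed sample ledger (three fictitious customers).
_T0 = datetime(2021, 11, 10, 9, 0)
SAMPLE = [
    # C-1001: two small transactions, then a large outbound transfer -> (vii)
    Tx("C-1001", _T0, "in", 500.0, "exchange"),
    Tx("C-1001", _T0 + timedelta(days=1), "out", 300.0, "merchant"),
    Tx("C-1001", _T0 + timedelta(days=2), "out", 120_000.0, "exchange"),
    # C-2002: external inbound, then three outbound transfers within 30 min -> (x)
    Tx("C-2002", _T0, "in", 80_000.0, "external_wallet"),
    Tx("C-2002", _T0 + timedelta(minutes=10), "out", 20_000.0, "exchange"),
    Tx("C-2002", _T0 + timedelta(minutes=20), "out", 20_000.0, "exchange"),
    Tx("C-2002", _T0 + timedelta(minutes=30), "out", 20_000.0, "exchange"),
]
# C-3003: established history (8 prior transactions), then a large transfer -> no alert
SAMPLE += [Tx("C-3003", _T0 + timedelta(days=d), "out", 250.0, "merchant") for d in range(8)]
SAMPLE.append(Tx("C-3003", _T0 + timedelta(days=9), "out", 75_000.0, "exchange"))


if __name__ == "__main__":
    for a in screen(SAMPLE):
        print(f"{a['customer']} indicator ({a['indicator']}) at {a['ts']:%Y-%m-%d %H:%M}: {a['detail']}")
```

Running the block flags C-1001 under (vii) and C-2002 under (x) while leaving C-3003, whose large transfer sits on an established history, unflagged. An alert here is a trigger for analyst review and, where warranted, a SAR; it is not itself a finding of wrongdoing.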
In addition, the Notice provides updated guidance regarding a financial institution’s obligation to file Suspicious Activity Reports (“SARs”). For example, the Advisory updates an October 2020 advisory to include an obligation to immediately identify and report any suspicious transactions associated with ransomware attacks. The importance of quickly complying with this new reporting requirement cannot be overstated because, according to FinCEN, ransomware attacks are serious and scalable and “require immediate attention”.**** Likewise, the sharing of information between financial institutions about attacks, attempted attacks and vulnerabilities is invaluable in preventing future attacks. And financial institutions need not fear that such information sharing will violate confidentiality requirements, as Section 314(b) of the USA PATRIOT Act explicitly allows financial institutions, upon notification to the Treasury Department, to share information with each other in order to identify and report suspicious activity.
As the Advisory suggests, financial institutions must take an active role in detecting and reporting ransomware attacks if we are to thwart further ransomware attacks. A recommended first step for financial institutions is to update cybersecurity policies to include these “red flags” and to require staff to immediately file SARs, especially those associated with ransomware attacks. And so, as the Advisory noted, “[p]roactive prevention through effective cyber hygiene, cybersecurity controls and business continuity resiliency is… the best defense against ransomware.”
* Cybercrime to exceed $6 trillion in 2021, according to Cybersecurity Ventures.
** The Advisory notes a 42% increase in cybercrime compared to 2020 and observes that new and smarter methods include (i) extortion schemes; (ii) cryptocurrencies with improved anonymity (for example, Bitcoin); (iii) unregistered convertible virtual currency (“CVC”) “mixing” services (i.e. a mechanism used to launder ransomware payments); and (iv) the use of “fileless” ransomware, which loads malicious code directly into a computer’s memory rather than onto disk, allowing cybercriminals to bypass anti-virus and anti-malware defenses.
*** As financial institutions are involved in processing ransom payments to cybercriminals, the institutions themselves become more vulnerable to attacks.
**** Announcing the November 8, 2021 arrest of two cybercriminals for a series of ransomware attacks, including the attack on Kaseya, a multinational information technology software company, Deputy Attorney General Lisa Monaco said the FBI was able to identify the two cybercriminals because Kaseya had acted “almost immediately after [it] was affected” by the ransomware attack (see Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray deliver statements on Sodinokibi/REvil ransomware arrest).
Thanks to second-year associate James Maguire at the firm’s Uniondale office for his research assistance related to today’s blog.