How to identify suspicious payments associated with ransomware


Because ransom payments are processed through financial institutions, ransomware attacks are a growing concern for the financial sector. Processing a ransomware payment typically involves at least one depository institution and one or more entities that facilitate the victim's payment, directly or indirectly, such as money services businesses (MSBs).

Convertible virtual currency (CVC) is the preferred means of payment for ransomware operators and is used in most ransomware schemes. After receiving the ransom demand, a victim typically sends funds, by wire transfer, automated clearinghouse (ACH) transfer, or credit card payment, to a CVC exchange to buy the type and quantity of CVC the attacker has specified.

The victim, or a third party acting on the victim's behalf, then sends the CVC to the attacker's designated account or CVC address, often from a wallet hosted at the exchange. The attacker launders the proceeds using techniques such as mixers, tumblers, and chain hopping (converting the funds into other CVCs). Criminals may also split the proceeds into smaller "smurfing" transactions spread across many CVC addresses, accounts, and exchanges, including peer-to-peer (P2P) and nested exchanges, and they favor exchanges in jurisdictions with weak or absent anti-money laundering and countering the financing of terrorism (AML/CFT) controls.

Financial institutions, including CVC exchanges, must promptly identify and report suspicious transactions linked to ransomware attacks. The Financial Crimes Enforcement Network (FinCEN) has published financial red flag indicators of ransomware-related illicit activity to help financial institutions detect, prevent, and report such transactions.

Financial red flag indicators of ransomware payments

  • A financial institution or its customer detects activity in its IT environment that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • A customer states that a payment is in response to a ransomware incident, whether when opening a new account or in other interactions with the financial institution.
  • A customer's CVC address, or an address with which it transacts, is linked to ransomware variants, payments, or related activity. Such links may be reported in open sources, in public or private analysis, or in commercial research.
  • A transaction occurs between an organization, especially one from a sector at high risk of being targeted by ransomware (such as government, financial services, education, or healthcare), and a digital forensics and incident response (DFIR) firm or cyber insurance company (CIC), especially one known to facilitate ransomware payments.
  • A DFIR or CIC customer receives funds from a counterparty and, shortly afterward, sends an equivalent amount to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or in other interactions with the financial institution, yet asks about or purchases CVC (particularly in a hurry or in large amounts). This may indicate that the customer is a ransomware victim.
  • A customer with little or no history of CVC transactions sends a large CVC transaction, particularly one outside the company's normal business practices.
  • A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the exchange's liquidity to execute a large number of offsetting transactions among various CVCs, which may indicate that the customer is operating as an unregistered MSB.
  • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction with no or inadequate AML/CFT regulation of CVC entities.
  • After receiving CVC from an external wallet, a customer quickly initiates multiple trades among various CVCs, particularly anonymity-enhanced cryptocurrencies (AECs), with no apparent business purpose, and then transacts off the platform. This may indicate an attempt to break the chain of custody on the respective blockchains or to further obfuscate the transaction.
  • A customer initiates a transfer of funds involving a mixing service.
  • A customer communicates with the recipient of the CVC transaction over an encrypted network (such as The Onion Router, Tor) or through an anonymous web portal.

Because no single financial red flag is conclusive evidence of illicit or suspicious activity, financial institutions should consider the full facts and circumstances of each transaction, in keeping with their risk-based approach to compliance.
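Several of the indicators above are mechanical enough to encode as transaction-monitoring rules that surface leads for an analyst to review against the fuller facts and circumstances. The example below is added here and is not FinCEN's or any vendor's logic: it runs four rules (high-risk-sector organization paying a DFIR/CIC, a DFIR/CIC customer forwarding an equivalent amount to a CVC exchange shortly after receipt, a first-time large CVC purchase by a customer with no CVC history, and a transfer to a mixing service) over a constructed set of parties and transactions, then totals the flagged activity per customer so the $5,000 aggregation threshold can be checked. The 72-hour window, the 2% amount tolerance, and the $10,000 "large purchase" figure are assumptions chosen for the illustration, not values from the advisory.

```python
"""Transaction-monitoring rules encoding several FinCEN ransomware red flags.

Example code added for illustration (not FinCEN's or any vendor's logic);
the window, tolerance and threshold constants are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_RISK_SECTORS = {"government", "financial", "education", "healthcare"}
PAYMENT_FACILITATORS = {"DFIR", "CIC"}      # incident-response firms, cyber insurers
PASS_THROUGH_WINDOW = timedelta(hours=72)   # assumed look-back for "shortly after"
PASS_THROUGH_TOLERANCE = 0.02               # assumed: outgoing within 2% of incoming
FIRST_TIME_CVC_THRESHOLD = 10_000.0         # assumed "large" first CVC purchase, USD
SAR_THRESHOLD = 5_000.0                     # SAR dollar threshold stated in the text


@dataclass(frozen=True)
class Party:
    id: str
    kind: str                   # ORG, DFIR, CIC, CVC_EXCHANGE, MIXER
    sector: str = "other"
    is_customer: bool = False   # is this party our customer (vs. a counterparty)?
    cvc_history: bool = False   # has this customer transacted in CVC before?


@dataclass(frozen=True)
class Txn:
    id: str
    ts: datetime
    sender: str
    receiver: str
    amount_usd: float


def run_rules(parties, txns):
    """Return (rule_name, txn_id, customer_id) alerts, in transaction time order."""
    p = {x.id: x for x in parties}
    txns = sorted(txns, key=lambda t: t.ts)
    alerts = []
    seen_cvc = set()   # customers already observed buying CVC in this batch
    for t in txns:
        snd, rcv = p[t.sender], p[t.receiver]
        # Red flag: organisation in a high-risk sector pays a DFIR firm / cyber insurer.
        if rcv.is_customer and rcv.kind in PAYMENT_FACILITATORS and snd.sector in HIGH_RISK_SECTORS:
            alerts.append(("high_risk_sector_to_facilitator", t.id, rcv.id))
        # Red flag: DFIR/CIC customer forwards an equivalent amount to a CVC exchange
        # shortly after receiving funds from a counterparty.
        if snd.is_customer and snd.kind in PAYMENT_FACILITATORS and rcv.kind == "CVC_EXCHANGE":
            for prior in txns:
                if (prior.receiver == snd.id and prior.ts < t.ts
                        and t.ts - prior.ts <= PASS_THROUGH_WINDOW
                        and abs(prior.amount_usd - t.amount_usd) <= PASS_THROUGH_TOLERANCE * prior.amount_usd):
                    alerts.append(("pass_through_to_exchange", t.id, snd.id))
                    break
        # Red flag: first-time, large CVC purchase by a customer with no CVC history.
        if rcv.kind == "CVC_EXCHANGE" and snd.is_customer:
            if (not snd.cvc_history and snd.id not in seen_cvc
                    and t.amount_usd >= FIRST_TIME_CVC_THRESHOLD):
                alerts.append(("first_time_large_cvc_purchase", t.id, snd.id))
            seen_cvc.add(snd.id)
        # Red flag: customer initiates a transfer involving a mixing service.
        if snd.is_customer and rcv.kind == "MIXER":
            alerts.append(("mixer_counterparty", t.id, snd.id))
    return alerts


def flagged_totals(alerts, txns):
    """Sum the USD value of flagged transactions per customer (each transaction counted
    once) so an analyst can see whether the activity 'involves or aggregates to' the
    SAR threshold. Alerts are leads, not conclusions."""
    amt = {t.id: t.amount_usd for t in txns}
    seen, totals = set(), {}
    for _rule, tid, cust in alerts:
        if (tid, cust) not in seen:
            seen.add((tid, cust))
            totals[cust] = totals.get(cust, 0.0) + amt[tid]
    return totals


# Constructed sample data (hypothetical parties and transactions, not real records).
SAMPLE_PARTIES = [
    Party("H1", "ORG", sector="healthcare"),                          # hospital, counterparty
    Party("C1", "DFIR", is_customer=True, cvc_history=True),          # incident-response firm
    Party("S1", "ORG", sector="retail", is_customer=True),            # no CVC history
    Party("N1", "ORG", sector="manufacturing", is_customer=True, cvc_history=True),
    Party("X1", "CVC_EXCHANGE"),
    Party("M1", "MIXER"),
]
SAMPLE_TXNS = [
    Txn("T1", datetime(2024, 3, 1, 9, 0), "H1", "C1", 250_000.0),
    Txn("T2", datetime(2024, 3, 1, 15, 30), "C1", "X1", 249_000.0),
    Txn("T3", datetime(2024, 3, 2, 10, 0), "S1", "X1", 80_000.0),
    Txn("T4", datetime(2024, 3, 3, 11, 0), "N1", "X1", 3_000.0),
    Txn("T5", datetime(2024, 3, 4, 12, 0), "N1", "M1", 12_000.0),
    Txn("T6", datetime(2024, 3, 10, 9, 0), "N1", "X1", 4_000.0),
]

if __name__ == "__main__":
    found = run_rules(SAMPLE_PARTIES, SAMPLE_TXNS)
    for rule, tid, cust in found:
        print(f"{tid}: {rule} (customer {cust})")
    for cust, total in flagged_totals(found, SAMPLE_TXNS).items():
        print(f"{cust}: flagged total ${total:,.0f}, meets SAR threshold: {total >= SAR_THRESHOLD}")
```

On the sample data the hospital-to-DFIR payment (T1) and the near-identical onward payment to the exchange six hours later (T2) both fire on customer C1, the retailer's first-ever CVC purchase of $80,000 (T3) fires, and the transfer to the mixer (T5) fires; the routine small purchases by a customer with CVC history (T4, T6) do not. Because the pass-through rule compares against every earlier inbound transaction, it is quadratic in the batch size; a production system would index inbound transactions per customer by time.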

A financial institution is required to file a suspicious activity report (SAR) if it knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through it involves or aggregates to $5,000 or more in funds or other assets and involves funds derived from illegal activity, is intended to disguise funds derived from illegal activity, is designed to evade regulations under the Bank Secrecy Act (BSA), has no business or apparent lawful purpose, or is otherwise suspicious.

Reportable activity includes transactions, including payments made by financial institutions, related to criminal activity such as extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems. SAR obligations apply to both attempted and completed transactions, including both attempted and successful extortion.