Skip links

K&F News Brief: Treasury Announces Ransomware Compliance Guidance

On October 15, 2021, The U.S. Department of the Treasury announced new sanctions compliance guidance in the virtual currency industry from the Office of Foreign Assets Control (OFAC) and the publication of Ransomware Trends in Bank Secrecy Act Data by the Financial Crimes Enforcement Network (FinCEN). These anti-ransomware efforts are part of a broader initiative by the Biden administration to enhance national cybersecurity and prevent the exploitation of individuals and businesses through ransomware attacks.

A ransomware attack occurs when malicious software—ransomware—infects an individual’s or business’s computer network and encrypts their files until a ransom is paid to the attacker. In the last two years, it has become increasingly common for ransomware attackers to target specific victims from whom they believe they will be able to extract bigger payouts. For example, FinCEN’s Ransomware Trends report notes that entities such as small municipalities and healthcare organizations may be more vulnerable to ransomware attacks because the critical nature of their services makes them more likely to pay a ransom. Some ransomware attackers have adopted methods to increase the likelihood of payment, including a strategy known as “double extortion,” where attackers threaten to publish stolen data unless a ransom is paid. These types of attacks can obviously harm the U.S. financial sector, businesses, and the public.

FinCEN’s Ransomware Trends report is a helpful resource that analyzes ransomware-related suspicious activity reports (SARs) filed during the first half of 2021. There has been a 30 percent increase in the number of ransomware-related SARs filed in the first half of 2021 compared to the entire 2020 calendar year, and the total value of ransomware-related transactions increased from $416 million in 2020 to $590 million in just the first six months of 2021. Of these transactions, FinCEN identified 68 variants of ransomware and 177 unique convertible currency (CVC) wallets used to receive ransom payments associated with the 10 most common variants.

It is difficult for law enforcement to trace ransomware transactions because attackers often request payments in anonymity-enhanced cryptocurrencies (AECs) and use mixing services and decentralized exchanges to receive proceeds. Given these barriers to enforcement, the Treasury Department strongly recommends that individuals be vigilant and take action to mitigate the effects of ransomware attacks, including:

  • Incorporating indicators of compromise (IOCs) from FinCEN’s report into intrusion detection systems and security alert systems to help report suspicious activity.
  • Contacting law enforcement when they detect ransomware-related activity.
  • Reporting suspicious activity to FinCEN, including suspicious email addresses, file names, hashes, domains, and IP addresses.
  • Reviewing financial red flag indicators of ransomware published in FinCEN’s October 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.

Click here for more information on the Treasury Department’s efforts to combat ransomware attacks.