Pub. 3 2022 Issue 1

and where AML software can provide significant support.

Trends and Typologies

FinCEN lists the following trends and typologies of which financial institutions need to be aware. While much of the cybercrime detected comes from simple techniques such as phishing, other techniques are becoming more sophisticated and complex. Summarized examples of these typologies are as follows:

Double Extortion Schemes: Double extortion schemes involve removing sensitive data from the targeted networks, encrypting the system files, and demanding ransom. The cybercriminals then threaten to publish or sell the stolen data if the victim does not pay the ransom.

Use of Anonymity-Enhanced Cryptocurrencies (AECs): Cybercriminals increasingly require or incentivize victims to pay in AECs, which reduce the transparency of CVC financial flows (rather than Bitcoin) through anonymizing features such as mixing and cryptographic enhancements. One such AEC increasingly demanded by ransomware criminals is Monero.

Unregistered CVC Mixing Services: Cybercriminals often use mixers to conceal their illegal activities and protect illicit gains. Mixers are used to “break” the connection between the sender and the receiver of a CVC transaction by commingling CVC belonging to other mixer users and splitting the value into many small pieces that pass through different accounts. This is a classic layering method using innovative technology.

Cashing Out Through Foreign CVC Exchanges: To launder and cash out their illicit proceeds, cybercriminals often use CVC exchanges that have lax compliance controls or operate in jurisdictions with little regulatory oversight. Financial institutions should pay particular attention to cryptocurrency payments through jurisdictions of concern. Cybercriminals may use these exchanges to convert “dirty” CVC to their preferred legal tender or fiat currency to integrate it back into the financial system (integration).

Ransomware Criminals Forming Partnerships and Sharing Resources: Many cybercriminals engage in profit sharing through ransomware-as-a-service (RaaS), a business model in which ransomware developers sell or otherwise deliver ransomware software. RaaS allows cybercriminals of varying skill levels to monetize their illicit access. As part of the profit-sharing arrangement, the RaaS developer often receives a percentage of any ransom paid by the victim.

Use of “Fileless” Ransomware: Fileless ransomware is a sophisticated tool that can be challenging to detect because the malicious code is written to a computer’s memory rather than to a file on a hard drive, allowing cybercriminals to circumvent off-the-shelf antivirus and malware defenses.

“Big Game Hunting” Schemes: Cybercriminals are increasingly engaging in selective targeting of larger enterprises to demand bigger payouts, a practice commonly referred to as “big game hunting.” Cybercriminals may target organizations with weaker security controls and a higher propensity to pay the ransom due to the criticality of their services. This may include community financial institutions and credit unions.

Financial Red Flag Indicators of Ransomware

When FinCEN issues advisories, financial institutions need to know what this means for their suspicious activity monitoring and reporting programs. FinCEN has identified the following financial red flag indicators of ransomware-related illicit activity that can be used in training front-line staff as well as AML and fraud investigators:

• A financial institution or customer detects IT activity connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
• When opening a new account or during other interactions with the financial institution, the customer provides information that the payment responds to a ransomware incident.
• A customer’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity. These connections may appear in open-source searches.
• An irregular transaction occurs between an organization, especially one in a sector at high risk of ransomware targeting (e.g., government, financial, educational, healthcare), and a customer, especially one known to facilitate ransomware payments.

Continued on page 10
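The red flag indicators above translate directly into screening rules that an AML monitoring program can run over CVC transactions. The Python below is an added example, not code from the newsletter or from FinCEN: it encodes the address, stated-purpose and high-risk-sector indicators as rules and runs them over constructed sample transactions. Every address, customer ID, sector label and watch list in it is a constructed placeholder (a real watch list of ransomware-linked addresses and known payment facilitators would come from the institution's own intelligence and blockchain-analytics sources), and the treatment of Monero (XMR) as an AEC follows the typology section rather than a formal red flag.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder watch list of CVC addresses linked to ransomware.
# A real list would come from the institution's own intelligence feeds;
# these strings are not real addresses.
RANSOMWARE_LINKED_ADDRESSES = {
    "placeholder-addr-ransom-0001",
    "placeholder-addr-ransom-0002",
}

# Sectors the advisory names as at high risk of ransomware targeting.
HIGH_RISK_SECTORS = {"government", "financial", "educational", "healthcare"}

# Constructed placeholder: customer IDs the institution has identified as
# facilitators of ransomware payments.
KNOWN_PAYMENT_FACILITATORS = {"cust-facilitator-01"}

# Assets treated as anonymity-enhanced cryptocurrencies (Monero per the advisory).
AEC_ASSETS = {"XMR"}

# Phrases in a stated payment purpose that indicate a ransomware payment.
RANSOM_KEYWORDS = ("ransom", "ransomware", "decrypt", "extortion")


@dataclass
class CvcTransaction:
    tx_id: str
    sender_id: str                 # the institution's customer sending funds
    sender_sector: str             # sector of the sending organization
    sender_address: str
    receiver_id: Optional[str]     # customer ID if the receiver is also a customer
    receiver_address: str
    asset: str
    amount: float
    stated_purpose: str = ""       # what the customer said the payment is for


@dataclass
class ScreeningResult:
    tx_id: str
    indicators: list = field(default_factory=list)

    @property
    def escalate(self) -> bool:
        """True when at least one red flag fired and the case needs review."""
        return bool(self.indicators)


def screen_transaction(tx: CvcTransaction) -> ScreeningResult:
    """Return the red flag indicators a single transaction triggers."""
    result = ScreeningResult(tx.tx_id)

    # Red flag: the customer's address, or an address it transacts with, is
    # linked to ransomware variants, payments or related activity.
    if {tx.sender_address, tx.receiver_address} & RANSOMWARE_LINKED_ADDRESSES:
        result.indicators.append("address_linked_to_ransomware")

    # Red flag: the customer states the payment responds to a ransomware incident.
    purpose = tx.stated_purpose.lower()
    if any(word in purpose for word in RANSOM_KEYWORDS):
        result.indicators.append("stated_ransomware_payment")

    # Red flag: irregular transaction between a high-risk-sector organization
    # and a customer known to facilitate ransomware payments.
    if tx.sender_sector in HIGH_RISK_SECTORS and tx.receiver_id in KNOWN_PAYMENT_FACILITATORS:
        result.indicators.append("high_risk_sector_to_payment_facilitator")

    # Typology context: payment made in an anonymity-enhanced cryptocurrency.
    if tx.asset in AEC_ASSETS:
        result.indicators.append("anonymity_enhanced_cryptocurrency")

    return result


def screen_batch(txs):
    """Screen many transactions and return only those that need escalation."""
    return [r for r in map(screen_transaction, txs) if r.escalate]


# Constructed sample transactions (not real data).
SAMPLE_TRANSACTIONS = [
    CvcTransaction("tx-001", "cust-hospital-01", "healthcare",
                   "placeholder-addr-hospital", None,
                   "placeholder-addr-ransom-0001", "BTC", 4.2),
    CvcTransaction("tx-002", "cust-bank-07", "financial",
                   "placeholder-addr-bank", "cust-facilitator-01",
                   "placeholder-addr-facilitator", "XMR", 150.0,
                   stated_purpose="Settlement for ransomware decryption key"),
    CvcTransaction("tx-003", "cust-retail-22", "retail",
                   "placeholder-addr-retail", None,
                   "placeholder-addr-merchant", "BTC", 0.05,
                   stated_purpose="Invoice 4471"),
]

if __name__ == "__main__":
    for r in screen_batch(SAMPLE_TRANSACTIONS):
        print(r.tx_id, "->", ", ".join(r.indicators))
```

Running the block escalates tx-001 (counterparty address on the watch list) and tx-002 (stated ransomware purpose, high-risk sector paying a known facilitator, and an AEC), while the ordinary retail invoice passes. In production the rules would feed case management rather than a print loop, and the address and facilitator lists would be refreshed from the institution's intelligence sources as FinCEN and analytics providers publish new indicators.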
