FinCEN Issues Guidance on Ransomware Attacks

The prevalence, sophistication, and severity of ransomware attacks have increased anti-money laundering risks faced by financial institutions both as targets of ransomware attacks and as potential intermediaries in facilitating ransomware payments.

Executive Summary: Ransomware is a cyber-attack in which malicious software blocks access to systems or data to extort payment in exchange for restoring access to information systems and data. Due to the proliferation of ransomware attacks, on October 1, 2020, the Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") issued an Advisory providing financial institutions with guidance on ransomware trends, red flags and reporting, and sharing of information to help in identifying and handling ransomware-related transactions. Financial institutions may wish to calibrate their anti-money laundering ("AML") compliance programs to ensure they address the full scope of risks associated with ransomware attacks, including risks arising from third-party intermediaries and virtual currency exchangers. The Department of the Treasury's Office of Foreign Assets Control separately issued parallel guidance concerning sanctions risks associated with ransomware.

Growth of Ransomware Attacks: Further to the government’s continuing efforts to detect and prevent cybercrime and ransomware attacks, FinCEN’s Advisory on "Ransomware and the Use of the Financial System to Facilitate Ransom Payments" describes several trends: cybercriminals are increasingly targeting larger companies for higher payments, requiring payments using cryptocurrencies, most commonly Bitcoin, and sharing exploit kits and other resources to facilitate attacks. Although "traditional" ransomware attacks have typically demanded payment in exchange for restoring access to or availability of data or systems, attackers are increasingly using "double extortion" schemes in which they also exfiltrate data and threaten to publish or sell it if the victim does not pay the ransom.

As the financial services sector has become an increasingly attractive target for ransomware attacks, the Group of Seven ("G7") issued a statement to coordinate efforts to combat ransomware, urging all countries to implement the Financial Action Task Force standards to reduce criminals’ access to and exploitation of financial services. Additionally, through the auspices of the Conference of State Bank Supervisors, together with the Bankers Electronic Crime Task Force and the U.S. Secret Service, U.S. state financial services regulators issued a Ransomware Self-Assessment Tool to help financial institutions reduce ransomware risks and identify security gaps.

Financial Intermediaries and Ransomware Payments: The Advisory highlights risks to financial institutions and intermediaries that facilitate ransomware payments as well as red flags that should trigger suspicious activity reports ("SARs") to prevent ransomware-related activity. Attackers often demand that financial institutions and other intermediaries transmit ransom payments to a virtual currency exchange to purchase virtual currencies. The Advisory indicates that the growth of ransomware attacks has led to the creation of digital forensics and incident response companies and cyber insurance companies that provide services to victims of ransomware attacks, including facilitating payments. The Advisory cautions that facilitating ransomware payments may implicate money transmission, SARs, and sanctions mandates.

The Advisory reminds financial institutions that AML rules require filing of a SAR based upon the knowledge or suspicion that a transaction involves funds derived from illegal activity or uses a financial institution to facilitate criminal activity, including payments made by financial institutions that are victims of ransomware.

Indicia or "red flags" of ransomware incidents include a digital forensics and incident response firm or cyber insurance company receiving or sending ransom payments; a customer receiving and then quickly sending funds to a virtual currency exchange; and a customer with no virtual currency history unexpectedly initiating a transaction with a convertible virtual currency exchange.

Financial institutions may wish to create a playbook to prepare for ransomware incidents by calibrating their AML compliance programs to address risks associated with ransomware attacks, including risks arising from third-party intermediaries and facilitators and virtual currency exchangers. Financial institutions should review and adjust their transaction and suspicious activity monitoring processes to detect and investigate red flags, and their decision-making regarding SAR filings.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.