FATF reveals high-risk indicators of ransomware payments


Global financial crime and AML/CTF watchdog the Financial Action Task Force (FATF) has released a list of 29 indicators to help identify customers who are victims or perpetrators of ransomware attacks, as part of a wider report into the global ransomware threat.

The list [pdf] – designed for public and private sector entities, including banks and virtual asset service providers (VASPs) – provides a rundown of potential risk indicators for payments made by victims as a result of a ransomware attack.

It also helps VASPs identify whether they have ransomware payment receipts or ransomware criminal accounts on their books.

For instance, the FATF warns banks and other established FSIs to look out for high-volume transactions from the same bank account to multiple accounts at a VASP as an indicator of ransomware victim payment.

For VASPs, the FATF calls on service providers to check, for example, whether an initial large virtual asset transfer has been made for a customer account with little or no digital currency activity, whether multiple accounts are linked to the same contact details, or whether the customer appears to be using a VPN, all of which it lists as indicators of ransomware criminal accounts.

While FATF cautions that “the existence of a single indicator in relation to a customer or transaction may not alone warrant suspicion of a ransomware offence, nor will a single indicator necessarily provide a clear indication of such an activity”, identification of these warning signs should “prompt further monitoring and examination”.

FATF also released an extensive Countering Ransomware Financing report which examines methods used by criminals to carry out ransomware attacks, as well as how ransomware payments are made and laundered.

“Criminals are almost exclusively using crypto or virtual assets, and have easy access to virtual asset service providers around the world,” FATF warns.

“Jurisdictions with weak or non-existent AML/CFT controls are therefore of concern.”

In response to the ransomware threat, the global watchdog urged financial services and regulatory authorities to implement Recommendation 15 of its 40 recommendations [PDF] to stem the tide of illicit financial flows.

Recommendation 15 requires jurisdictions to put in place measures to mitigate risks linked to virtual assets and to regulate the VASP sector.

“These efforts are critical to prevent criminals from easily accessing VASPs located in jurisdictions with weak or non-existent AML/CFT controls to launder the profit from their crimes.”

FATF also notes that ransomware attacks are a “form of extortion”, with FATF Standards requiring “that it be criminalised as a predicate offence for money laundering”.