
FinCEN, OFAC Warn VASPs of Potential Sanctions Violations for Allowing Customers to Pay Ransomware

As the severity and sophistication of ransomware attacks continue to rise across various sectors around the world, the US Department of the Treasury’s Office of Terrorism and Financial Intelligence issued two advisories to assist US individuals and businesses in efforts to combat ransomware scams and attacks. 

VASPs Face Sanctions Violation Risks for Facilitating Ransomware Payments 

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments to alert companies that engage with victims of ransomware attacks, such as banks, crypto exchanges, and cyber insurance firms, of the potential sanctions risks when facilitating ransomware payments.  

Sanctions compliance programs should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including Virtual Asset Service Providers, “not only encourage future ransomware payment demands but also may risk violating OFAC regulation.”  

According to the advisory, any transaction with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) is prohibited, including transactions by a non-U.S. person that cause a U.S. person to violate any IEEPA-based sanctions.

Violating OFAC sanctions can result in civil penalties based on strict liability, meaning that “a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Accurate blockchain analytics is crucial to ensuring that a VASP’s outgoing transactions do not violate OFAC sanctions.

Trends and Typologies of Ransomware and Associated Payments 

Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory (CYBER FIN-2020-A006) to provide information on the role of financial intermediaries in payments, ransomware trends and typologies, and related financial red flags. Financial intermediaries, such as banks or Virtual Asset Service Providers (VASPs), play a critical role in facilitating ransomware payments. Being able to detect and report ransomware payments is a vital part of ransomware prevention.

Figure 1—FinCEN Advisory (FIN-2020-A006)

Cybercriminals using ransomware often resort to common tactics such as phishing; however, FinCEN notes five indicators of the increasing sophistication of ransomware operations:

  • Use of “Big Game Hunting” schemes where ransomware actors target larger enterprises to demand bigger payouts;
  • Use of “Double Extortion” schemes where, on top of encrypting the system files of a target and demanding ransom, the ransomware actors also steal sensitive data and threaten to publish if another ransom isn’t paid; 
  • Use of anonymity-enhanced cryptocurrencies (AECs);
  • Use of “fileless” ransomware written into the computer’s memory rather than into a file on a hard drive; 
  • Ransomware criminals forming partnerships and sharing resources.

Financial Red Flag Indicators of Ransomware and Associated Payments 

The FinCEN advisory (CYBER FIN-2020-A006) identifies ten financial red flag indicators of ransomware-related illicit activity. Red flags that can pertain to any financial institution are: 

  • IT enterprise activity is connected to cyber indicators that have been associated with possible ransomware activity or cyber threat actors known to perpetrate ransomware schemes. 
  • When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident. 

Red flags specific to VASPs include: 

  • A customer’s CVC address, or an address with which a customer conducts transactions, appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments, or related activity. 
  • A digital forensics and incident response (“DFIR”) company, cyber insurance company (“CIC”), or other company that has no or limited history of CVC transactions sends a large CVC transaction, particularly if outside a company’s normal business practices.
  • A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB. 
  • A customer initiates multiple rapid trades between multiple CVCs, especially AECs, with no apparent related purpose, which may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction. 

Red flags specific to banks and traditional financial institutions include: 

  • A transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments. 
  • A DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange. 
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware. 
  • A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities. 

For a bank to be able to detect any of these red flag indicators, it must first accurately detect transactions with Virtual Asset Service Providers on its payment systems. Without this ability, a bank cannot know with certainty when a customer is sending funds to a CVC exchange. Specialized tools, such as CipherTrace Armada, are built to identify virtual asset service providers and other compliance risks stemming from crypto-asset businesses within a bank’s payment networks.

Why It Matters

If a ransomware victim uses a VASP to send cryptocurrency to a sanctioned actor, that VASP could be in violation of sanctions. Blockchain analysis is vital to determine the entities associated with counterparty addresses. Even if a specific crypto address isn’t designated, if it is associated with a sanctioned entity, transacting with said address is a potential sanctions violation. 

FinCEN’s Red Flag Indicators of Ransomware also highlight the necessity for banks to be able to accurately detect when customers are transacting with Virtual Asset Service Providers—something FinCEN Director Blanco made absolutely clear during a keynote address at the virtual 2020 ACAMS Las Vegas Conference.  

