
Inspiring industry action: How the FATF believes we can counter ransomware

This is the second article in a series examining the rise of ransomware, which crypto businesses need to understand because they must avoid processing transactions involving fraudulent addresses. Unknowingly facilitating money laundering or other illegal activities can result in regulatory sanctions, legal penalties, and reputational damage. [The first article in the series is “How Crypto Has Revolutionized the Ransomware Game”.]


To avoid these risks, crypto businesses must be aware of the threats and take measures to prevent ransomware attacks and stop the flow of ransom funds. By doing so, they can operate within AML laws and regulations, and safeguard both their customers and their business.

The original mandate of the Financial Action Task Force (FATF) was to address money laundering and terrorist financing. The release of its March 2023 report, Countering Ransomware Financing, illustrates just how large a problem ransomware has become and how intertwined it is with other criminal activity. Ransomware, in short, is too big and complex for the FATF to overlook.

The sprawling 54-page report may be the most comprehensive analysis of ransomware published to date. While Countering Ransomware Financing provides some facts and figures on the rise of ransomware, the report shines the most when discussing countermeasures.

The general idea promoted by Countering Ransomware Financing is that the industry must work together. While it’s important that individuals and enterprises defend themselves from the threat of ransomware, this bottom-up approach is not enough. There needs to be a strong top-down initiative from industry and government leaders to curtail ransomware, across several key domains. 

Improvement of investigation skills 

Ransomware is so effective in part because authorities are under-equipped to deal with such attacks, which pull their resources in two directions. There is the whodunit aspect: they need to investigate who the cybercriminals are. There must also be a parallel investigation into where the money went, which is difficult because cybercriminals are becoming increasingly sophisticated from a technical standpoint. Authorities need access to key information as early as possible, such as wallet addresses, cryptocurrencies used, dates of transactions, and more. This may require the collaboration of not only victims, but also any of the platforms that were used, such as virtual asset service providers (VASPs).

Because most cryptocurrencies operate on a public blockchain, the FATF specifically recommended the use of blockchain analytics. This will enable authorities to better trace the flow of ransom funds and improve their chances of identifying actors before the trail is obfuscated with mixers, privacy coins, and other tools. Once funds are identified, authorities need to act swiftly to freeze or confiscate them as part of an effort toward asset recovery.

The use of blockchain analytics may also help discover attacks in the first place, as many are going unreported by enterprises that fear reputational damage. In one documented case, authorities discovered that a VASP in South Africa had made ransomware payments but had not reported the case, fearing backlash from users. Rather than just being given blockchain analytics tools out of the box, relevant authorities must be trained in the skills needed to get the most out of them.

Criminalization of ransomware 

Because ransomware is a relatively new phenomenon, legislation has not yet caught up. Most governments are prosecuting ransomware as predicate offenses under laws relating to extortion or other cybercrime behavior. While the FATF did not observe any cases where authorities had trouble charging criminals for predicate offenses, it still recommended ransomware-specific legislation.

Governments need to explicitly criminalize ransomware and all its variants, such as lockers, leakware, encryption, scareware, ransomware-as-a-service, and multi-stage attacks like triple and quadruple extortion. The FATF advised on specifically outlawing the use of ransomware for money laundering as well. Drawing a hard line on what constitutes ransomware will make it easier for governments to punish ransomware attackers, groups, and syndicates.

Criminalization can only go so far. If ransomware crimes continue to go unreported or underreported, the laws developed against them will be moot. To this end, the FATF also called for significant involvement from VASPs and other financial institutions, such as their responsibility in reporting suspicious transactions, particularly when victims may be less apt to come forward.

Public-private partnerships 

Governments cannot go it alone in addressing ransomware. In addition to providing governments with blockchain analytics, private enterprises need to enter into a public-private partnership (PPP) with them. Through this hub, governments and enterprises can exchange best practices, establish protocols for collaboration, and co-develop new techniques to address ransomware. 

A PPP is of course easier said than done. The biggest challenge is cultural. PPPs need to evolve beyond traditional collaborators, like banks, to include newer company types, such as virtual asset service providers, exchanges, providers of blockchain analytics, and more. Participation from governments should be equally comprehensive and include police authorities, intelligence agencies, and regulatory bodies. By having deeper collaboration, a PPP can tackle ransomware with multiple tactics and strategies.

The FATF cited Project GATEWAY as a shining example of what PPPs can achieve. Project GATEWAY is a framework for sharing relevant data about cybercrimes. Private companies are often consulted for their technical expertise, such as by identifying ransomware type and possible attackers. This information proved crucial with Operation Cyclone, a June 2021 investigation into the Cl0p ransomware group allegedly responsible for more than US$500 million in attacks. With information provided by enterprises, authorities were able to arrest six members of the group. Similar PPPs could lead to arrests of other key leaders in ransomware groups and syndicates.


International cooperation 

Ransomware is also effective because it transcends international lines. From one part of the globe, a ransomware group can launch attacks domestically, regionally, and internationally. To combat what is effectively a borderless crime, there needs to be greater multilateral cooperation across regional and international networks. This collaboration can be done on an ad hoc basis to fight specific types of ransomware attacks or groups. More importantly, there should be open dialogue to pursue initiatives that prevent attacks, improve policing, and increase punishment of attackers.

As with public-private partnerships, greater international cooperation is ideal in theory but challenging in practice. International collaboration between any organizations is already difficult, and there are several features specific to the industry that make it more so. In some jurisdictions, VASPs may be unregulated, so authorities may not be able to reach out to anyone for necessary information. In other instances, VASPs may be tolerant of criminal activity: in one case, investigators requested information from an overseas VASP to which ransomware funds had been transferred, but the VASP was uncooperative. In still other cases, VASPs may span multiple jurisdictions, so authorities may be unsure exactly whom to reach out to.

While formal international investigations may be ideal, the FATF acknowledged that more informal cooperation structures may be more efficient at times, such as information-sharing through asset recovery networks. The FATF even recommended communication via bilateral relationships, such as designated cybercrime liaison officers, who can facilitate the exchange of information between authorities across jurisdictions. 

Ransomware is a complex and pervasive cyber threat. But it is well within the capability of the community, including individuals, enterprises, and governments, to fight back through a variety of initiatives aimed at prevention, mitigation, and investigation. By doing so, we will protect our data, finances, and reputation, which are infinitely more valuable than any ransom.

Merkle Science goes beyond blacklists, address-level, and transaction-level crime detection to allow you to customize crime detection parameters to detect sophisticated criminal behaviors that are designed to bypass detection by conventional blockchain analytics providers.