
LAW & TAX Ransomware steps up game
• Techniques of cyber criminals improve efficiency, profitability
Aslam Moosajee & Olonathando Nxumalo ENSafrica
Cyber criminals have developed new ransomware techniques to improve the efficiency and profitability of their attacks.
These include targeting large and high-value entities such as governments and the health care sector (also known as “big game hunting”), and the selling of user-friendly ransomware software kits (also known as ransomware as a service).
This has led to a significant increase in ransomware payments globally, although these attacks still remain underreported in some jurisdictions.
Ransomware is a type of malicious software (malware) that is used by criminals to deny users access to data, systems or networks while demanding to be paid a ransom in exchange. In addition to the threats relating to the disrupted systems, criminals often threaten to publish the victim’s data if the ransom is not paid (double extortion).
These attacks are often conducted by various criminals across different jurisdictions, which makes it difficult to trace the flow of money.
Furthermore, cyber criminals demand to be paid almost exclusively in virtual assets, which are a “digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purpose” such as bitcoin.
The payments are made through the use of Virtual Asset Service Providers (VASPs). The cross-border nature of virtual assets allows criminals to make large-scale cross-border transactions, nearly instantaneously, without involving institutions with anti-money laundering/countering the financing of terrorism (AML/CFT) obligations. They also use VASPs within jurisdictions with weak or nonexistent AML/CFT controls, which allows them to cash out their illicit proceeds in fiat currency.
The Financial Action Task Force (FATF) conducted a study that was co-led by experts from Israel and the US. The study was aimed at improving the global understanding of ransomware payments as well as good practices to counter these payments and related money laundering. The FATF report details methods to identify and report ransomware payments, how these proceeds are laundered and efficient ways to prevent, detect and investigate financial flows related to ransomware.
Typical financial flow of ransomware payments:
● Ransomware criminals, using anonymity-enhancing techniques, disrupt or disable the systems of institutions and/or businesses, until the payment of the ransom by means of virtual assets;
● The victim or a third party acting on the victim’s behalf, such as an insurance company, purchases virtual assets from a VASP;
● A payment of the specified type and amount of virtual assets is then made to the criminals;
● Criminals use different techniques to conceal any links between the payment and the crime;
● They further use VASPs located in jurisdictions outside where they are based, to convert the laundered virtual assets into fiat currency; and
● Criminals then deposit, invest or spend their ransomware proceeds.
GOOD PRACTICES FOR THE INVESTIGATION, PROSECUTION AND RECOVERY OF RANSOM PROCEEDS
A multidisciplinary approach is required to counter the ransomware payment and related money laundering.
This approach includes:
A legal framework
● Jurisdictions should criminalise ransomware as an offence. For example, it can be criminalised as a type of extortion; and
● Jurisdictions should accelerate compliance with relevant money laundering FATF standards on the VASP sector. This will ensure that VASPs are complying with the necessary AML/CFT obligations required to capture critical financial information and report suspicious transactions.
Detection and reporting
● Jurisdictions are encouraged to have communication channels with institutions that are not subjected to the AML/CFT obligations, such as incident response companies, as they are often informed first about the attacks by their clients. This will ensure that ransomware attacks are reported and detected timeously;
● Jurisdictions should support regulated entities such as banks and other financial institutions to detect and report suspicious transactions, as they may not have insight into a ransomware payment or related money laundering since it involves virtual assets. The support needed may include sharing trends, detection guides and red flag indicators; and
● Jurisdictions should also encourage victims to report ransomware attacks to relevant authorities promptly. Raising awareness of available support and safe reporting channels can facilitate this. Quick reporting is crucial to trace the financial flow and facilitate a successful investigation, as transactions move quickly. It can also aid in the speedy recovery of the paid ransom. Jurisdictions can be informed about ransomware attacks through information shared by other jurisdictions. International co-operation, mutual legal assistance and informal