- David Tannenbaum
How Virtual Currency Exchanges can Monitor for Ransomware-related Payments
Ransomware threat actors present a national security risk to the United States, and an economic risk to everyday companies. Virtual currency exchanges need controls to detect ransom payments and identify threat actors.
Ransomware attacks present a grave threat to the U.S. homeland. These attacks are incredibly destructive to ordinary businesses and hold our critical infrastructure at risk. We are all in this together.
Over the past year, we have been quietly working with Michael McGowan from Metafor and Daniel Chirlin from Walden, Macht & Haran to develop a framework on how financial institutions (and particularly virtual currency exchanges) can analyze a ransom payment for a sanctions nexus, while collecting the necessary information to file an effective SAR.
This article lays out the foundation of that framework, and explains why virtual currency exchanges must move quickly to address the threat of ransomware. In it, we break down how virtual currency exchanges can:
Enhance their KYC and CDD programs to detect customers who present a higher risk of making a ransom payment.
Combine transaction monitoring software (e.g., traditional TM systems such as Actimize or Norkom) and Blockchain Explorer technology (e.g., Chainalysis) to detect inbound and outbound ransom payments.
Work with incident response teams to analyze the indicators of compromise, and as necessary the tactics, identified from a threat actor to determine if it is subject to sanctions.
File SARs for all relevant suspected ransomware payments, and how to include information in these SARs that is actionable by the authorities; and
Ensure that the virtual currency exchange can appropriately self-disclose potential apparent sanctions violations and obtain any mitigating credit by adhering to OFAC's ransomware guidance.
In this article we use the ransomware payment made by Colonial Energy to Darkside to demonstrate how ransoms are paid. I know, the case study is rather trite, but it hits all the high notes and contains enough public information that we wouldn't be burning our own sources and methods.
With the war raging in Ukraine, the need for adequate monitoring for ransomware payments has never been higher.