November 22, 2021

FinCEN Advisory: Financial Institutions Need to Keep Up With the Changing Business of Ransomware


The Financial Crimes Enforcement Network (FinCEN) recently issued an updated version of its Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (the Advisory).1 The Advisory emphasizes that financial institutions should be on guard for signs that their customers are attempting to make or receive ransomware payments—even as the logistics of the ransomware business become increasingly complicated.


The updated Advisory, which replaces FinCEN’s October 1, 2020 advisory of the same name, comes against the backdrop of increasing ransomware attacks against US institutions and infrastructure and a rising enforcement response from the US government as the Biden Administration continues its “whole-of-government” approach to ransomware.2

The same day that FinCEN published its Advisory, the US Department of the Treasury announced that its Office of Foreign Assets Control (OFAC) had sanctioned two ransomware operators, a Ukrainian citizen and a Russian citizen, and the virtual currency exchange Chatex for their respective roles in ransomware operations.3

Relatedly, on October 6, 2021, the Department of Justice (DOJ) announced the creation of a National Cryptocurrency Enforcement Team “to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” DOJ stated that the team will also assist in tracing and recovering assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.4

The FinCEN Advisory

FinCEN’s Advisory makes clear that, although most cybercriminals require that ransomware payments be made in convertible virtual currencies (CVCs) (e.g., Bitcoin),5 nearly every ransomware payment will involve the use of at least one depository institution as an intermediary. Financial institutions are therefore in a position to play a pivotal role in identifying and reporting ransomware attacks and assisting law enforcement’s efforts to combat ransomware.6

To encourage and facilitate effective action by financial institutions, FinCEN has identified four types of ransomware “red flags” to which financial institutions should be alert.

1. Unprecedented CVC Transactions

Financial institutions should be alert for circumstances in which (1) a customer has no or limited history of CVC transactions and then transfers funds to a CVC exchange; or (2) a customer shows little knowledge of CVC but inquires about or purchases CVC—especially in large amounts or through rush requests.

In addition, financial institutions should note any time a customer provides information that a payment is in response to a ransomware incident.

2. Transactions Involving Digital Forensic Response Companies or Cybersecurity Insurers

Digital forensic incident response (DFIR) companies frequently assist ransomware victims in responding to ransomware attacks; these companies may also help facilitate the ransomware payment by taking the victim’s money, converting it to CVC, and then transferring the CVC to the attacker.7

Cybersecurity liability insurance companies (CICs) also often play a role in ransomware transactions, by reimbursing policy holders for remediation efforts, including the use of a DFIR company.

Financial institutions should be alert for any instance in which an organization sends an irregular transaction to a DFIR or CIC, especially if the DFIR is known to facilitate ransomware payments and especially if the organization is in a sector at high risk for ransomware attacks (e.g., government, financial, educational, or healthcare). Similarly, financial institutions should monitor transactions where a DFIR or CIC customer receives funds from a counterparty and then quickly sends an equivalent amount to a CVC exchange.
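The following is an added illustration, not part of the Advisory or of this article: a minimal monitoring sketch for the pass-through pattern in red flag 2 and the first-time CVC transfer in red flag 1. The ledger, account names, exchange list, and all thresholds are constructed assumptions, since the Advisory gives no numeric definition of "quickly," "equivalent," or "large."

```python
from datetime import datetime, timedelta

# Assumed thresholds (the Advisory states none of these numbers).
PASS_THROUGH_WINDOW = timedelta(hours=48)  # "quickly"
AMOUNT_TOLERANCE = 0.05                    # "equivalent": within 5% of inbound
LARGE_USD = 10_000                         # "large amounts"

# Constructed sample data; every name below is hypothetical.
CVC_EXCHANGES = {"exch-alpha", "exch-beta"}
DFIR_OR_CIC_CUSTOMERS = {"dfir-01"}
PRIOR_CVC_HISTORY = {"dfir-01"}            # customers with known CVC activity
LEDGER = [  # (timestamp, customer, direction, counterparty, amount_usd)
    ("2021-11-01T09:00", "dfir-01", "in", "hospital-7", 250_000),
    ("2021-11-01T15:30", "dfir-01", "out", "exch-alpha", 248_500),
    ("2021-11-03T10:00", "dfir-01", "in", "insurer-2", 40_000),
    ("2021-11-20T10:00", "dfir-01", "out", "exch-alpha", 5_000),
    ("2021-10-05T12:00", "cust-22", "out", "exch-beta", 1_200),
    ("2021-11-02T12:00", "cust-22", "out", "exch-beta", 900),
    ("2021-11-04T08:15", "cust-31", "out", "exch-beta", 75_000),
]

def parse(ledger):
    """Convert timestamps and return rows in chronological order."""
    return sorted((datetime.fromisoformat(ts), c, d, cp, amt) for ts, c, d, cp, amt in ledger)

def pass_through_alerts(ledger):
    """Red flag 2: DFIR/CIC customer receives funds, then soon sends a similar amount to a CVC exchange."""
    rows, alerts = parse(ledger), []
    for t_in, cust, direction, src, amt_in in rows:
        if direction != "in" or cust not in DFIR_OR_CIC_CUSTOMERS:
            continue
        for t_out, cust2, direction2, dst, amt_out in rows:
            if (cust2 == cust and direction2 == "out" and dst in CVC_EXCHANGES
                    and timedelta(0) <= t_out - t_in <= PASS_THROUGH_WINDOW
                    and abs(amt_out - amt_in) <= AMOUNT_TOLERANCE * amt_in):
                alerts.append((cust, src, dst, amt_in, amt_out))
    return alerts

def first_cvc_transfer_alerts(ledger):
    """Red flag 1: customer with no CVC history makes a large first transfer to a CVC exchange."""
    seen, alerts = set(PRIOR_CVC_HISTORY), []
    for _, cust, direction, cp, amt in parse(ledger):
        if direction == "out" and cp in CVC_EXCHANGES:
            if cust not in seen and amt >= LARGE_USD:
                alerts.append((cust, cp, amt))
            seen.add(cust)
    return alerts
```

On the constructed ledger, the first rule flags the same-day hospital-to-exchange pass-through at `dfir-01`, and the second flags `cust-31`, whose first CVC transfer is large; the small recurring purchases by `cust-22` are not flagged.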

3. Suspicious CVC Transactions

A financial institution should be alert for signs that a customer is (1) using an encrypted network (e.g., Tor) to communicate with the recipient of the CVC transaction; (2) using a CVC exchange that is based in a foreign country, particularly in a high-risk jurisdiction lacking adequate AML/CFT regulations; (3) initiating a transfer of funds using a mixing service;8 (4) receiving CVC and then initiating multiple rapid trades across multiple CVCs (especially CVCs with enhanced anonymity features) with no apparent purpose, followed by a transaction off the platform; or (5) appearing to act as an unregistered money service business by executing large numbers of offsetting transactions between CVCs.

4. Publicly-identified Ransomware Signs

Additional red flags emerge on an ongoing basis, such as (1) “IT enterprise activity connected to ransomware cyber indicators or known cyber threat actors” and (2) a customer’s CVC address, or an address with which a customer conducts transactions, being connected to ransomware variants,9 payments, or related activity. FinCEN identifies several sources of information on these emerging indicators, such as the Cybersecurity & Infrastructure Security Agency Technical Alerts and FinCEN’s Cyber Indicator Lists, which it encourages financial institutions to monitor.10

To help thwart the emerging threats and challenges posed by ransomware, financial institutions must stay current with changing virtual currency technologies and associated trends and typologies and may need to adjust their AML monitoring programs in order to meet their reporting obligations.

*          *          *          *          *

Financial institutions with questions about the Advisory, or individuals or entities that believe they may have been the victim of fraud, can reach out to the authors or any attorney in Arnold & Porter’s Financial Services or Privacy, Cybersecurity & Data Strategy practice.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. FinCEN Advisory, FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (Nov. 8, 2021).

  2. Press Release, White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware (Oct. 13, 2021).

  3. Press Release, U.S. Dep’t of the Treasury, Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange (Nov. 8, 2021).

  4. Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021).

  5. According to FinCEN’s analysis, as of June 2021, Bitcoin was the most common ransomware-related payment method. FinCEN has also identified Monero as an increasingly used CVC. FinCEN, Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021 (Oct. 21, 2021) [hereinafter FinCEN, Financial Trend Analysis].

  6. The Advisory also makes clear that entities involved in directly or indirectly facilitating ransomware payments, e.g., digital forensic incident response (DFIR) companies or cybersecurity liability insurance companies (CICs), also need to be on guard for these red flags. In the first half of 2021, DFIR firms submitted the majority (roughly 63%) of ransomware-related suspicious activity reports (SARs). FinCEN, Financial Trend Analysis. Similarly, over that same period, CVC exchanges actually filed 19% of ransomware SARs while depository institutions filed 17% of ransomware-related SARs. Id.

  7. FinCEN, Financial Trend Analysis.

  8. A “mixer” or “tumbler” is a service which combines the CVC of various users and then redistributes those funds to a desired CVC address. Mixers pose AML concerns because they make it harder to track CVC transactions.

  9. A ransomware “variant” is a version of ransomware that is named based on changes to the software or to denote which individual or entity is behind the malware. In its most recent analysis, FinCEN has identified 68 ransomware variants linked to SAR filings; the most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. FinCEN, Financial Trend Analysis.

  10. See, e.g., FinCEN Advisory, FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments n.34 (Nov. 8, 2021).