According to the National Cyber Strategy 2022, ransomware has become “the most significant cyber threat facing the UK”, posing a danger not only to the country’s economy and businesses, but to “essential services” and “critical national infrastructure”.
Crippling business operations and threatening the privacy and security of individuals, ransomware attacks are increasing in frequency, sophistication, and impact. In a recent article for Finance Derivative, Ripjar’s Toby Butler points out that, in 2021, the UK’s financial services sector saw a 55% increase in ransomware attacks, while in 2022, the National Cyber Security Centre (NCSC) warned that 17 ransomware attacks on the UK were so severe that they required “a nationally coordinated response”. Adding to the threat, is the emergence of Wholesale Access Markets (WAM) which Toby characterises as “underground internet flea markets” that criminals use to purchase access to vulnerable networks for as little as $10 to $20.
The global ransomware threat has prompted governments and regulators to strengthen their cybersecurity infrastructure, and develop new tools to defeat cyber criminals. In 2023, the Financial Action Task Force (FATF) released its Countering Ransomware Financing report, detailing the methodologies behind ransomware along with proposals for how to more effectively disrupt attacks – including the integration of innovative technology solutions such as artificial intelligence (AI) analysis and machine learning systems.
Given the scale of the ransomware threat, it’s critical that organisations understand their risk landscapes. With that in mind, let’s take a closer look at the FATF’s report, and explore the ways that AI-enabled screening and intelligence solutions can help firms enhance their compliance capabilities and deal with key ransomware challenges.
Ransomware and Money Laundering
A typical ransomware attack involves the use of malicious software to encrypt data and block access from users, with the attackers demanding the payment of a ransom to remove the encryption. If the victims don’t pay, then they risk losing an exorbitant amount of money as a result of being unable to access critical data and network functionality.
When victims pay a ransom, criminals must find ways to launder that money, which means evading anti-money laundering (AML) and counter-financing of terrorism (CFT) controls. Ransomware attacks are anonymous, and ransom payments are often made covertly and without disclosure to law enforcement, which makes it more difficult for authorities to catch those responsible through conventional AML/CFT controls. Adding to that challenge, attackers typically demand ransom payments in virtual assets, such as cryptocurrencies, which can be transferred instantaneously and – under the right circumstances – are virtually impossible to trace.
It’s important to remember that, when firms do pay ransoms, the transfer of funds itself often violates AML/CFT regulations and exposes firms to significant criminal liability, including violations of international sanctions restrictions.
Ransomware Financing Methodologies
In its 2023 report, the FATF set out some of the most common methods and trends associated with ransomware attacks. These include:
- Malware: Ransomware attacks rely on users unwittingly introducing malware to their secure computer network. To that end, criminals will typically disguise their attack methodology as phishing attacks or fake adverts with links to malicious software, or simply launch brute-force hacking strategies to compromise network protections. The sophistication of ransomware attacks is an evolving challenge: firms must be constantly alert for suspicious emails and ensure employees are trained to recognise possible attack vectors.
- Anonymous payments: Criminals will seek to maintain their anonymity throughout the ransom payment process, including demanding ransoms in virtual assets. Once victims make payments, attackers will typically move virtual assets between multiple addresses, depositing small amounts at each address, in a technique known as a “peel chain”. Alternatively, attackers may use special software such as mixing and tumbling services that obscure connections between cryptocurrency wallets, or even move funds between different blockchains in order to thwart attempts to trace payments.
- Cross-border transfers: The FATF points out that ransomware is a global problem, affecting firms in jurisdictions around the world. However, ransomware attacks typically originate in countries with lower levels of AML and CFT regulation, and target firms in wealthier jurisdictions, particularly in Europe and North America. The transnational nature of the ransomware process, and the swift movement of virtual assets between wallets, makes tracking and catching perpetrators more challenging.
- Fiat conversion: At some point, criminals must introduce their illegal virtual assets into the traditional cash-based financial system by converting them to fiat currency. At this juncture, criminals will typically seek to cash out their proceeds in jurisdictions with very low or non-existent AML/CFT regulation, and use amenable virtual asset service providers (VASPs) to receive and convert illegal funds.
- Money mules: Ransomware attackers may engage money mules to cash out illegal funds on their behalf, coercing participation or offering payment incentives. Mules may create legitimate accounts with VASPs or use stolen identities, but their apparent disconnection from the ransomware process makes them harder for authorities to identify.
Solving Ransomware Challenges with AI
Addressing ransomware risks can be daunting, complicated and expensive, especially in a constantly-evolving threat environment where criminals work hard to monetise network vulnerabilities. However, AI represents a significant advantage in the battle against ransomware and cyber-crime, especially in the financial services industry, where the technology solutions offer powerful insights that can help firms prevent and deter future attacks.
Unstructured Data Analysis
AI is so effective in the fight against ransomware because it offers users advanced data review and analysis capabilities, including the means to harness vast amounts of unstructured data with speed, efficiency and accuracy, to generate actionable intelligence.
Cyber security experts can struggle to make sense of the vast pools of data available to them. That process can be hard enough with structured data, which is generally relatively simple to analyse, but it is significantly harder when it comes to unstructured data with data points stored in their native formats, including invoices, emails, news articles, and other types of complex online prose. AI and machine learning provide an answer to this problem. Using natural language processing algorithms, AI systems can analyse unstructured data inputs quickly, extract the relevant data points, and then generate financial intelligence.
Intelligence for Decision-Making
In the battle against ransomware, different elements of AI are essential to resolving different challenges. AI compliance tools can fuse and analyse a network for ransomware vulnerabilities, extracting information from hundreds of different systems and identifying anomalies across security logs, email, and many other sources. The tools can then combine that intelligence with internal and external threat reports. With the benefit of machine learning, AI systems are also capable of protecting against future ransomware attacks by utilising historic data to inform decision-making, anticipate ransomware attack strategies, or even address emerging network vulnerabilities.
AI can also help relevant organisations quickly respond to money laundering and terrorism financing threats by providing effective screening against the broadest range of risks, identifying potential culprits quickly using the latest unstructured data inputs from the news media.
The Importance of Data
Data is critical to preventing and addressing the ransomware threat. AI-enabled systems need to have access to vast amounts of accurate customer data in order to generate effective protections for as broad a range of ransomware threats as possible.
In practice, this means integrating data screening solutions, such as Ripjar’s Labyrinth for Threat Investigations product, that can meet your firm’s data collection and analysis requirements. Labyrinth is capable of searching millions of structured and unstructured data sources from across the world, in over 25 foreign languages, and generating actionable financial intelligence in seconds. Built with cutting-edge machine learning technology, Labyrinth gives you the power to extract the most relevant risk data from inputs in order to make faster, stronger compliance decisions, and stay one step ahead of potential attackers.