Evolving Money Laundering Efforts
Cybercriminals behind ransomware attacks are tweaking their money laundering efforts, in order to avoid detection by law enforcement.
While Bitcoin remains the most common ransomware-related payment method in reported transactions, FinCEN charted an increase in the use of anonymity enhanced cryptocurrencies (AECs) in 2021 – most notably, Monero (other examples of AECs include Zcash and Dash). AECs are a type of virtual currency that use non-public or private blockchains. This means that cybercriminals may have an easier time sidestepping policies aimed at rooting out suspicious activities, such as the Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT) compliance controls, a set of regulations that financial institutions follow to detect and prevent money laundering.
In some instances, FinCEN observed attackers providing both a Monero and Bitcoin wallet address for ransomware payments, and imposing an extra fee – a 10 to 20 percent surcharge – for victims paying in Bitcoin. Other times, attackers would exclusively request payment in Monero, but would ultimately accept a payment in Bitcoin after negotiation. Overall, FinCEN observed 17 ransomware incidents where the attackers requested payment in Monero.
Aamir Lakhani, cybersecurity researcher and practitioner at Fortinet’s FortiGuard Labs, said alternative crypto options are becoming more popular with cybercriminals. Researchers with FortiGuard Labs recently observed a threat actor called “Tortillas” that deployed the Babuk ransomware and asked victims to pay $10,000 worth of Monero cryptocurrency in exchange for file decryption.
“Bitcoins have a public blockchain, it is not easy to track bitcoins, but there is some public investigation that can be done,” said Lakhani. “With Monero and non-public blockchains it is harder to see where money is from – or going – which is of interest to cybercriminals. For victims it is also harder to get Monero cryptocurrency.”
