Ransomware Financing

Anti Financial Crime

A Surging Global Threat

According to FATF Report in March 2023, ransomware incidents have grown significantly in recent years, both in number and scale. Additionally, the landscape of ransomware attacks has evolved, and attackers have adopted new techniques to increase the profitability of their endeavours and enhance the likelihood of successful attacks. These have led to a global concern on how to prevent and combat the threat. 

Ransomware is a type of malicious software that poses a significant threat to individuals, businesses, and institutions. The primary objective of ransomware attacks is to block access to a computer system or data, typically by encrypting the files or programs on IT systems. The attackers then demand a ransom payment from the victims in exchange for decrypting the information and restoring access to their systems or data.

Ransomware Process

Processing ransomware payments involves several steps and often includes multiple entities, with criminals demanding payments in virtual assets. Here’s a breakdown of the typical multi-step process: 

  • Malware Attack
    Cybercriminals initiate a ransomware attack, encrypting the victim’s data.
  • Ransom Demand
    Cybercriminals demand a ransom payment in exchange for providing the decryption key or not disclosing sensitive information.
  • Communication and Negotiation
    In some cases, there may be communication between the attackers and the victim to negotiate the ransom amount, payment method, and other details. Negotiation attempts may be facilitated through anonymous communication channels, often using encrypted messaging platforms.
  • Payment Instructions
    The criminals provide detailed instructions on how to make the ransom payment. This typically involves the use of virtual assets, such as cryptocurrencies, to maintain a degree of anonymity.
  • Cryptocurrency Transactions
    Victims, or third parties acting on behalf of victims, procure the required crypto currency using a Virtual Asset Service Provider (VASPs). This may involve purchasing cryptocurrency through an exchange or using existing holdings.
  • Transfer to Criminal Wallet
    The acquired cryptocurrency is then transferred to a wallet controlled by the criminals. Cryptocurrency wallets are digital containers that store the private keys necessary to access and control the funds.
  • Layering
    Once the cryptocurrency is received in the criminal’s wallet, they have control over the funds and start layering and making it hard to trace. Throughout the process, money services businesses (MSBs) may become involved. MSBs are financial entities that offer services such as money transfers, currency exchange, and payment processing. These businesses may play a role in converting fiat currency into cryptocurrency or the other way around and facilitating the movement of funds.
  • Conversion to fiat currency
    Criminal proceedings end in VASPS that convert virtual assets to fiat currency.
  • Deposit/Spend the fund
    Depository institutions are involved in the process while cashing out the cryptocurrencies. These institutions may include banks or other financial entities that handle traditional currency transactions. Criminals deposit, invest or spend their ransomware proceeds.

Tech Evolutions facilitating Ransomware

The rapid evolution of cutting-edge technologies has indeed played a role in enabling cybercriminals to commit ransomware crimes more efficiently. RaaS (Ransomware-as-a-Service) platforms provide cybercriminals with easy access to ransomware tools and infrastructure. This lowers the barrier to entry for less technically skilled individuals, enabling them to launch ransomware attacks with minimal effort. The dark web also provides a hidden environment where cybercriminals can communicate, collaborate, and exchange tools and services anonymously. This facilitates the buying and selling of ransomware, hacking tools, and stolen data. As said before, cryptocurrencies allow criminals to receive ransom payments anonymously. The decentralized nature of cryptocurrencies makes it challenging for law enforcement to trace and identify the recipients of ransom funds. Attackers increasingly engage in targeted attacks rather than random campaigns. They leverage machine learning and artificial intelligence to automate identifying potential targets for their attacks. 

Global Efforts to Combat Ransomware

The good news is despite lack of dedicated laws, explicitly addressing ransomware, in many jurisdictions, they often treat such attacks as a predicate offense under existing criminal statutes. This approach allows law enforcement agencies to pursue and prosecute cybercriminals engaged in ransomware activities. FATF has provided a guidance on risk indicators that can help financial institutions and VASPs to identify detect and combat ransomware financing attempts. The G7 also, has been active in addressing the ransomware threat and recognized the severity of the issue and has provided financial entities with high-level building blocks to guide them in addressing the ransomware threat. However victim reporting could be a source which enables authorities to step forward in time. In most jurisdictions, incident reporting is voluntary but victims may not have incentives to voluntarily report incidents due to post-ransom payment and lack of legal protections. For instance, paying a ransom to entities or individuals subject to sanctions can lead to legal consequences. 

In conclusion, the threat of ransomware presents a complex challenge that transcends borders and disciplines. Effectively countering this threat demands a coordinated and multifaceted approach. By fostering partnerships at the local, national, and international levels, jurisdictions can strengthen their collective defences. The escalating sophistication of ransomware, fuelled by technological advancements, highlights the need for a harmonized and structured framework to not only mitigate the immediate impact of ransomware but also to cultivate a resilient cybersecurity ecosystem for the future.

Other articles


[1] Financial Action Task Force (FATF), “Countering Ransomware Financing,” FATF, Paris, 2023

[2] Financial Action Task Force (FATF), “Countering Ransomware Financing: Potential Risk Indicators,” FATF, Paris, 2023

[3] F. C. E. N. (FinCEN), “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” FinCEN, Washington, D.C., 2022

[4] G7, “G7 Fundamental Elements of Ransomware Resilience for The Financial Sector,” G7, 2022

green matrix background computer generated with crime hand hack for money