Combating Ransomware: A Multidisciplinary Approach for Efficient Investigation and Recovery of Ransom Proceeds 

March, 2023 - Aslam Moosajee, Olonathando Nxumalo

Cyber criminals have developed new ransomware techniques to improve the efficiency and profitability of their attacks. These include targeting large and high-value entities such as governments and the health care sector (also known as “big game hunting”), and the selling of user-friendly ransomware software kits (also known as ransomware as a service). This has led to a significant increase in ransomware payments globally, although these attacks remain underreported in some jurisdictions.

Ransomware is a type of malicious software (“malware”) that is used by criminals to deny users access to data, systems or networks while demanding to be paid a ransom in exchange. In addition to the threats relating to the disrupted systems, criminals often threaten to publish the victim’s data if the ransom is not paid (“double extortion”).

These attacks are often conducted by various criminals across different jurisdictions, which makes it difficult to trace the flow of money. Furthermore, cyber criminals demand to be paid almost exclusively in virtual assets, which are “digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purpose” such as bitcoin.

The payments are made through the use of Virtual Asset Service Providers (“VASPs”). The cross-border nature of virtual assets allows criminals to make large-scale cross-border transactions, nearly instantaneously, without involving institutions with anti-money laundering/ countering the financing of terrorism (“AML/CFT”) obligations. They also use VASPs within jurisdictions with weak or non-existent AML/CFT controls, which allows them to cash out their illicit proceeds in fiat currency.

The Financial Action Task Force (“FATF”) conducted a study that was co-led by experts from Israel and the United States of America. The study was aimed at improving the global understanding of ransomware payments as well as good practices to counter these payments and related money laundering. The FATF report details methods to identify and report ransomware payments, how these proceeds are laundered, and efficient ways to prevent, detect, and investigate financial flows related to ransomware.

Typical financial flow of ransomware payments:

  • ransomware criminals, using anonymous enhancing techniques, disrupt or disable the systems of institutions and/or businesses, until the payment of the ransom by means of virtual assets;
  • the victim or a third party acting on the victim’s behalf, such as an insurance company, purchases virtual assets from a VASP;
  • a payment of the specified type and amount of virtual assets is then made to the criminals;
  • criminals use different techniques to conceal any links between the payment and the crime;
  • they further use VASPs located in jurisdictions outside where they are based, to convert the laundered virtual assets into fiat currency; and
  • criminals then deposit, invest or spend their ransomware proceeds.

Good practices for the investigation, prosecution and recovery of ransom proceeds

A multidisciplinary approach is required to counter the ransomware payment and related money laundering. This approach includes:

  1. A Legal framework
    • jurisdictions should criminalise ransomware as an offence . For example it can be criminalised as a type of extortion; and
    • jurisdictions should accelerate compliance with relevant money laundering FATF standards on the VASP sector. This will ensure that VASPs are complying with the necessary AML/CFT obligations required to capture critical financial information and report suspicious transactions.
  2. Detection and reporting
    • jurisdictions are encouraged to have communication channels with institutions that are not subjected to the AML/CTF obligations, such as incident response companies, as they are often informed first about the attacks by their client. This will ensure that ransomware attacks are reported and detected timeously;
    • jurisdictions should support regulated entities such, as banks and other financial institutions, to detect and report suspicious transactions as they may not have insight of a ransomware payment or related money laundering since it involves virtual assets. The support needed may include sharing trends, detection guides, and red flag indicators; and
    • jurisdictions should encourage victims to report ransomware attacks to relevant authorities promptly. Raising awareness of available support and safe reporting channels can facilitate this. Quick reporting is crucial to trace the financial flow and facilitate a successful investigation, as transactions move quickly. It can also aid in the speedy recovery of the paid ransom. Jurisdictions can be informed about ransomware attacks through information shared by other jurisdictions. “International co-operation, mutual legal assistance and informal information exchange with foreign jurisdictions may provide information on funds layered through domestic exchanges linked to foreign attacks/victims"
  3. Financial Investigations
    • competent authorities should use both traditional law enforcement techniques (such as surveillance, interception of communication, and undercover operations) and virtual asset-specific methods when investigating ransomware-related money laundering. Since most virtual assets operate on a public blockchain, combining blockchain analysis with traditional methods may help identify criminals and trace the movement of illicit proceeds; and As soon as competent authorities are informed about the ransomware attack and the ransom payment, they must be given the legislative powers to act swiftly in tracing the ransom payment and to seize and confiscate assets within a matter of hours in order to prevent dissipation of the ransom that was paid.
  4. Skills and expertise
    • in addition to traditional law enforcement skills, competent authorities should have the specialised skills and expertise, both legal and technological, necessary for a successful financial investigation relating to ransomware;
    • this includes development, access and training relating to blockchain analytics and monitoring tools which will assist them to access and to interpret information; and
    • specialised mechanisms should be implemented in order to manage seized virtual assets properly.
  5. National Policies and co-ordination
    • national risk assessments should include identifying and assessing the money laundering risks posed by ransomware. This may support national cyber strategies by achieving a holistic national overview of ransomware risk;
    • jurisdictions where money laundering is not currently a domestic threat must also adopt this because those jurisdictions may still be exposed to the illicit movements of ransomware proceeds due to the decentralised nature of virtual assets;
    • “Jurisdictions should develop co-ordination mechanisms across relevant competent authorities, ranging from law enforcement, AML/CFT and cyber-crime authorities, to non-traditional partners such as cyber-security or data protection agencies”. This facilitates information and intelligence sharing and provides a useful platform for cross-sharing of various technical expertise; and
    • there must be an implementation of mechanisms that support public-private co-operation. VASPs and other non-traditional partners should be included in such co-operation mechanisms.

6.International co-operation

  • “Jurisdictions should establish and actively participate in bilateral, regional, and multilateral mechanisms, such as using liaison offices and establishing clear 24/7 contact points, to facilitate rapid international co-operation and information exchange”.

The FATF report contains crucial information about the financial flow of ransomware payments and associated money laundering. These illicit transactions move quickly across multiple jurisdictions, making them challenging to investigate. By sharing good practices, the FATF aims to help jurisdictions respond promptly to ransomware attacks, increasing the success rate of investigations. The report highlights the need for a coordinated approach to counter ransomware payments and related money laundering effectively.

Aslam Moosajee

Executive Dispute Resolution

[email protected]

Olonathando Nxumalo

Candidate Legal Practitioner Dispute Resolution

[email protected]


Link to article


WSG Member: Please login to add your comment.