BUSINESS LAW &TAX
APRIL 2023 WWW.BUSINESSLIVE.CO.ZA
A REVIEW OF DEVELOPMENTS IN CORPORATE AND TAX LAW
Ransomware steps up game Techniques of cyber criminals •improve efficiency, profitability Aslam Moosajee & Olonathando Nxumalo ENSafrica
C
yber criminals have developed new ransomware techniques to improve the efficiency and profitability of their attacks. These include targeting large and high-value entities such as governments and the health care sector (also known as “big game hunting”), and the selling of userfriendly ransomware software kits (also known as ransomware as a service). This has led to a significant increase in ransomware payments globally, although these attacks still remain underreported in some jurisdictions. Ransomware is a type of malicious software (malware) that is used by criminals to deny users access to data, systems or networks while demanding to be paid a ransom in exchange. In addition to the threats relating to the disrupted systems, criminals often threaten to publish the victim’s data if the ransom is not paid (double extortion). These attacks are often conducted by various criminals across different jurisdic-
tions, which makes it difficult to trace the flow of money. Furthermore, cyber criminals demand to be paid almost exclusively in virtual assets, which are a “digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purpose” such as bitcoin. The payments are made through the use of Virtual Asset Service Providers (VASPs). The cross-border nature of virtual assets allows criminals to make large-scale cross-border transactions, nearly instantaneously, without involving institutions with anti-money laundering/ countering the financing of terrorism (AML/CFT) obligations. They also use VASPs within jurisdictions with weak or nonexistent AML/ CFT controls, which allows them to cash out their illicit proceeds in fiat currency. The Financial Action Task Force (FATF) conducted a study that was co-led by experts from Israel and the US. The study was aimed at improving the global understanding of ransomware payments as well as good practices to counter these payments and related money laundering. The FATF report details methods to identify
SOUNDING AN ALARM
/123RF — SOLARSEVEN and report ransomware payments, how these proceeds are laundered and efficient ways to prevent, detect and investigate financial flows related to ransomware. Typical financial flow of ransomware payments: ● Ransomware criminals, using anonymous enhancing techniques, disrupt or disable the systems of institutions and/or businesses, until the payment of the ransom by means of virtual assets; ● The victim or a third party acting on the victim’s behalf, such as an insurance company, purchases virtual assets from a VASP; ● A payment of the specified type and amount of virtual
assets is then made to the criminals; ● Criminals use different techniques to conceal any links between the payment and the crime; ● They further use VASPs located in jurisdictions outside where they are based, to convert the laundered virtual assets into fiat currency; and ● Criminals then deposit, invest or spend their ransomware proceeds.
GOOD PRACTICES FOR THE INVESTIGATION, PROSECUTION AND RECOVERY OF RANSOM PROCEEDS A multidisciplinary approach is required to counter the
ransomware payment and related money laundering. This approach includes: A legal framework ● Jurisdictions should criminalise ransomware as an offence. For example it can be criminalised as a type of extortion; and ● Jurisdictions should accelerate compliance with relevant money laundering FATF standards on the VASP sector. This will ensure that VASPs are complying with the necessary AML/CFT obligations required to capture critical financial information and report suspicious transactions. Detection and reporting ● Jurisdictions are encour-
aged to have communication channels with institutions that are not subjected to the AML/CTF obligations, such as incident response companies, as they are often informed first about the attacks by their client. This will ensure that ransomware attacks are reported and detected timeously; ● Jurisdictions should support regulated entities, such as banks and other financial institutions, to detect and report suspicious transactions as they may not have insight of a ransomware payment or related money laundering since it involves virtual assets. The support needed may include sharing trends, detection guides, and red flag indicators; and ● Jurisdictions should also encourage victims to report ransomware attacks to relevant authorities promptly. Raising awareness of available support and safe reporting channels can facilitate this. Quick reporting is crucial to trace the financial flow and facilitate a successful investigation, as transactions move quickly. It can also aid in the speedy recovery of the paid ransom. Jurisdictions can be informed about ransomware attacks through information shared by other jurisdictions. International co-operation, mutual legal assistance and informal CONTINUED ON PAGE 2