The Connection Between Blockchain Analytics & Ransomware Payments

Due diligence needed to mitigate sanctions risk

by Meredith Fitzpatrick and Peter Bott
August 28, 2023
in Cybersecurity

While government officials advise against making ransomware payments, victims still often acquiesce. But in doing so, they risk more than emboldening cyber criminals: they could inadvertently commit sanctions violations. Forensic Risk Alliance's Meredith Fitzpatrick and Peter Bott share mitigation methods built on blockchain analytics.

Ransomware is a constantly evolving and pervasive threat to individuals, organizations and institutions across the world. Chainalysis estimates ransomware actors extorted at least $456.8 million globally in 2022, and are on pace for their second biggest year ever, having extorted at least $449.1 million through June.

Ransomware actors have grown more sophisticated in their pre-attack reconnaissance and targeting, and strategically select victims who are more likely to pay: organizations that depend on the availability of their systems to operate, such as critical infrastructure, or organizations with immature cybersecurity postures. If careful due diligence is not practiced before a payment, the victim and any other entity involved in facilitating the payment can be exposed to additional regulatory risk, should the ransomware actors be designated under a sanctions regime.

In the past two years the U.S. Office of Foreign Assets Control (OFAC) and UK Office of Financial Sanctions Implementation (OFSI) have issued specific guidance regarding sanctions risks in ransomware payments, including imposing civil penalties for sanctions violations.

Given the rise in ransomware payments and the continued, prolific activity of Russian and North Korean state-sponsored cyber crime, regulators are unlikely to soften their stance on ransomware payments anytime soon. Any entity considering a ransomware payment would benefit from enhancing its sanctions compliance program with basic blockchain analytic techniques.

Current guidance

The official position of OFAC, OFSI and most other government agencies is that victims should not pay ransomware actors, because payments fund and encourage future attacks. If a victim opts to pay, both OFAC and OFSI endorse strong, traditional risk-based compliance programs for entities affected by ransomware attacks to mitigate the risk of violating sanctions programs. This applies to every party involved in the attack response or payment facilitation process: the victim, financial institutions, cyber insurers and digital forensic or incident response firms.

Both OFAC and OFSI may impose civil penalties for sanctions violations on a strict-liability basis, making an individual or organization culpable even if it did not know, or have reason to know, that it was engaging in a prohibited transaction. Penalties range in severity and can include monetary fines and both public and non-public enforcement responses. To reduce this liability, affected parties are directed to voluntarily self-report both when an attack occurs and when a payment is made.

Blockchain analytics as a screening tool

While OFAC and OFSI offer this guidance to reiterate the importance of strong compliance programs and to underscore the severity of violating sanctions when paying ransomware actors, they do not provide specific guidance on the use of blockchain analytics as a means of screening for connections to sanctioned entities.

Blockchain technology is, in essence, a transparent, publicly distributed ledger that enables any user with the applicable knowledge to examine current and historical data regarding a particular address, transaction or currency. Leveraging this increased transparency can permit individuals or entities to further examine a ransomware actor’s past payment information to identify potential connections to sanctions programs.

If you are a victim of ransomware and want to ensure that you are not paying a sanctioned entity, it can be hard to know where to start. Often the only concrete identifier a victim has to go on is the cryptocurrency wallet address the ransomware actor provides to receive payment. There are four ways a victim can investigate whether they would be paying a sanctioned entity:

  1. Traditional screening against lists
  2. Basic heuristic screening
  3. Advanced analysis of risk exposure
  4. Jurisdictional risk screening

Traditional screening

It used to be commonplace for ransomware actors to provide a bitcoin address in the ransom note left on the victim's computer. However, as it has become more widely known that law enforcement conducts blockchain analysis when investigating ransomware actors, it has become more common for them to provide only an email address or contact portal, furnishing a bitcoin wallet address only once the victim has agreed to pay. Once the bitcoin wallet address is furnished, it can be compared against OFAC's Specially Designated Nationals and Blocked Persons (SDN) list or OFSI's consolidated list, both of which now include cryptocurrency addresses as identifiers.

However, it is trivial for a ransomware actor to generate a new bitcoin wallet address within seconds, and ransomware actors commonly generate a new wallet address per victim, so a freshly generated address will never appear on any list. Checking the provided address against the lists above is therefore necessary but not sufficient.

Heuristic screening

There is baseline heuristic screening one can do with a public blockchain explorer such as Blockchain.com. Bitcoin is an unspent transaction output (UTXO) based blockchain, meaning that coins are not held as account balances; they exist as discrete unspent outputs of earlier transactions, each locked to an address, and a wallet's balance is simply the sum of the UTXOs it controls. Because every transaction names the outputs it consumes and the outputs it creates, one can trace a specific UTXO's transaction history both forward and backward.

Like banknotes, UTXOs are not divisible: a UTXO must be spent in full. For example, if you have a $20 bill and you purchase a $3 item, you don't cut off part of your $20 bill and hand that to the cashier. You pay with the whole $20 bill and receive a ten-dollar bill, a five-dollar bill and two one-dollar bills back as change. Later in the day you take your change and purchase an $11 item, likely using the ten-dollar bill and a one-dollar bill. This is how bitcoin works on the blockchain: whole outputs are consumed as inputs, the payment is created as a new output, and the difference (less the mining fee) is returned to the sender as a change output.

In bitcoin transactions, seeing multiple input addresses in a single transaction typically indicates that all the sending addresses are controlled by a single individual or entity, because spending each input requires the corresponding private key, much like the above example where several bills from one wallet were combined to purchase an item. This "common input ownership" heuristic is probabilistic rather than proven: collaborative transaction types such as CoinJoin deliberately combine inputs from unrelated parties to defeat it, so clusters built on it should be treated as leads to be corroborated, not facts.

Similarly, analysis of transaction behavior on a UTXO blockchain can be used to detect "change addresses." Again, like cash, UTXOs are not divisible. If an individual is sending less bitcoin than the UTXO they are spending, for instance sending 3.5 BTC from a 5 BTC UTXO, the wallet software generates a change address and sends the remainder, about 1.5 BTC less the fee, back to the sender. Looking at the transaction on the blockchain, it will appear that the sending address (holding the 5 BTC) sent 3.5 BTC to one address and 1.5 BTC to another, when in reality the address holding the original 5 BTC and the address receiving the 1.5 BTC are controlled by the same entity. Change outputs can often be identified by comparing the output address types with the input address type (wallets normally generate change in the same script type they spend from), and by comparing input and output amounts (the payment tends to be a round figure, the change an unround remainder).

Armed with this knowledge, there is basic blockchain analysis you can undertake to "cluster" additional addresses with a specific address controlled by an individual or entity.

Advanced analysis of risk exposure

There is also advanced blockchain tracing, using proprietary heuristics, that you can leverage to conduct advanced analysis of risk exposure, including the indirect sending and receiving exposure of an address. Let's build on the concept of clustering. The same process can be used to attribute clusters of addresses to known entities, such as virtual asset service providers (VASPs), peer-to-peer exchanges, cryptocurrency ATMs, ransomware variants, sanctioned entities, terrorist organizations and cryptocurrency mixers, and to extend those clusters with additional wallet addresses as they are observed.

Advanced blockchain analysis tools can also be used to analyze the indirect sending and receiving exposure of a wallet address or cluster of addresses, that is, funds that reach or leave a sanctioned address through one or more intermediary addresses rather than directly. Because it is trivial to create a new bitcoin wallet address, it is important to consider this indirect exposure when assessing the risk profile of an address.

In the context of ransomware, it is important to assess whether a wallet address provided by a ransomware actor has exposure to addresses on the SDN list via one or several intermediary wallets. Addresses that directly or indirectly send funds to or receive funds from sanctioned addresses increase the risk of enforcement should a payment be made, as it becomes increasingly likely that the address is part of the larger network used by the sanctioned entity. Additionally, should an address provided by a ransomware actor be clustered with another address appearing on a sanctions list, a payment to the provided address would likely be treated as a payment to the sanctioned entity and be subject to sanctions enforcement.
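The three on-chain steps above (list screening, common-input and change-address clustering, and multi-hop exposure) can be run over a transaction graph with a few dozen lines of code. The example below is an added illustration, not code from the article or from Forensic Risk Alliance, and everything in it is constructed: the transactions, the address labels (short stand-ins, not real bitcoin addresses) and the "sanctions list" are made up. A real screen would load full transactions from a node or explorer API and the current OFAC SDN identifiers; the heuristics are the ones the article describes and remain probabilistic (CoinJoin-style transactions break the common-input rule, and the change rules are tie-breakers, not proof).

```python
"""Constructed UTXO ledger: screen a ransom address the way the article describes.

Amounts are in satoshis (integers) so "round" vs "unround" outputs can be
compared exactly. Address labels mimic bitcoin script types only by prefix:
'bc1...' ~ native segwit, '3...' ~ P2SH, '1...' ~ legacy P2PKH.
"""
from collections import deque

# Constructed transactions (not real chain data). Each lists (address, sats).
TXS = [
    # tx1: an exchange pays the future victim; its second output is exchange change.
    {"txid": "tx1", "in": [("3exch", 1_000_000_000)],
     "out": [("bc1vic", 200_000_000), ("3exch2", 799_990_000)]},
    # tx2: the victim spends two UTXOs (5 BTC) to pay a 3.5 BTC ransom, 1.4999 BTC change.
    {"txid": "tx2", "in": [("bc1vic", 200_000_000), ("bc1vic2", 300_000_000)],
     "out": [("bc1ransom", 350_000_000), ("bc1vicchg", 149_990_000)]},
    # tx3: the actor co-spends the ransom with another address it controls.
    {"txid": "tx3", "in": [("bc1ransom", 350_000_000), ("bc1actor2", 100_000_000)],
     "out": [("bc1hop1", 449_990_000)]},
    # tx4: the intermediary forwards everything to a (constructed) listed mixer address.
    {"txid": "tx4", "in": [("bc1hop1", 449_990_000)],
     "out": [("bc1sdn_mixer", 449_980_000)]},
]
# Constructed stand-in for SDN-listed addresses (hypothetical, not the real list).
SANCTIONED = {"bc1sdn_mixer", "bc1actor2"}


def script_type(addr):
    """Classify an address by prefix; stands in for decoding the real script."""
    if addr.startswith("bc1"):
        return "bech32"
    return {"3": "p2sh", "1": "p2pkh"}.get(addr[0], "unknown")


def trailing_zeros(sats):
    """More trailing zeros = rounder amount = likelier to be the intended payment."""
    s = str(sats)
    return len(s) - len(s.rstrip("0"))


def detect_change(tx):
    """Change heuristic: two outputs, same script type as the inputs, unround amount."""
    if len(tx["out"]) != 2:
        return None
    in_types = {script_type(a) for a, _ in tx["in"]}
    if len(in_types) != 1:
        return None
    same = [(a, v) for a, v in tx["out"] if script_type(a) in in_types]
    if len(same) == 1:
        return same[0][0]                    # only one output matches the inputs' type
    if len(same) == 2:                       # both match: fall back to roundness
        z0, z1 = trailing_zeros(same[0][1]), trailing_zeros(same[1][1])
        if z0 != z1:
            return same[0][0] if z0 < z1 else same[1][0]
    return None                              # ambiguous: do not guess


def cluster_addresses(txs):
    """Union-find over common inputs plus detected change outputs -> {addr: members}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]    # path compression
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for tx in txs:
        ins = [a for a, _ in tx["in"]]
        for a, _ in tx["out"]:
            find(a)                          # register outputs so every address has a cluster
        for a in ins[1:]:
            union(ins[0], a)                 # common-input-ownership heuristic
        change = detect_change(tx)
        if change is not None:
            union(ins[0], change)            # change output belongs to the spender
    groups = {}
    for a in list(parent):
        groups.setdefault(find(a), set()).add(a)
    return {a: members for members in groups.values() for a in members}


def exposure(addr, txs, sanctioned, max_hops=3):
    """BFS forward (sending) and backward (receiving); report listed addresses reached."""
    fwd, bwd = {}, {}
    for tx in txs:
        for i, _ in tx["in"]:
            for o, _ in tx["out"]:
                fwd.setdefault(i, set()).add(o)
                bwd.setdefault(o, set()).add(i)
    hits = []
    for direction, adj in (("sending", fwd), ("receiving", bwd)):
        seen, queue = {addr}, deque([(addr, 0)])
        while queue:
            cur, depth = queue.popleft()
            if depth == max_hops:
                continue
            for nxt in adj.get(cur, ()):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nxt in sanctioned:
                    hits.append((direction, nxt, depth + 1))
                queue.append((nxt, depth + 1))
    return hits


def assess(addr, txs=TXS, sanctioned=SANCTIONED, max_hops=3):
    """Run all three on-chain checks for one address and return the findings."""
    members = cluster_addresses(txs).get(addr, {addr})
    return {
        "direct_hit": addr in sanctioned,                 # step 1: list screening
        "cluster": sorted(members),                       # step 2: clustered addresses
        "cluster_hit": sorted(members & sanctioned),      # clustered with a listed address
        "exposure": exposure(addr, txs, sanctioned, max_hops),  # step 3: indirect exposure
    }


if __name__ == "__main__":
    for addr in ("bc1ransom", "bc1vic"):
        print(addr, assess(addr))
```

Run as written, the ransom address passes the direct list check (it is brand new) but fails the other two: it clusters with `bc1actor2`, a listed address it co-spent with, which a plain path search would never reach because co-inputs are not neighbours in the payment graph, and its outflow reaches the listed mixer two hops out. That is the gap between step 1 and steps 2 and 3 that the article describes.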

Jurisdictional risk screening

"Off-chain" checks can also provide clues as to whether a bitcoin wallet address or ransomware variant belongs to, or has ties to, a sanctioned entity. Research on additional data points, such as any IP addresses associated with the actor, open-source intelligence, public-facing government reports, or victim reporting sites like Chainabuse, would further bolster a risk assessment of any potential ransomware payment.

That being said, ransomware groups are increasingly using "false flag" operations to appear to originate from another part of the world. A false-flag operation is one in which cybercrime actors go to great lengths to impersonate a different or novel group, using a range of techniques to obscure the actual entity behind the attack. These techniques can be technical, such as using different IP addresses, ransomware variants or intrusion tradecraft. They can also be social, such as using different group names, languages or styles of communication to suggest a different region of operation. Of note, Russian state-sponsored groups have an established record of using false-flag operations to obscure their origins.

Should a sanctioned entity engage in a false-flag operation, it may be more difficult to assess at the attack level. However, blockchain analytics provides an additional avenue to vet an attack, should the false-flag attack use the same cryptocurrency infrastructure as the sanctioned entity behind the attacks.

OFAC and OFSI are actively using their authorities in the cryptocurrency space. In the past two years, OFAC has designated a number of cryptocurrency wallet addresses associated with nation-state actors and other parts of the illicit cryptocurrency ecosystem, including ransomware actors, darknet markets and cryptocurrency mixers.

Blockchain analysis can play an active role in preventing payments to sanctioned entities and in reducing the monetary resources of the most serious illicit actors. Given the current cybercrime and geopolitical landscape, ransomware incidents will likely continue to grow in quantity and complexity. However, with the right combination of cryptocurrency expertise and blockchain analysis capabilities, compliance teams should feel empowered to operate in this evolving environment.

Meredith Fitzpatrick and Peter Bott

Meredith Fitzpatrick is a director for cryptocurrency investigations and compliance based in Forensic Risk Alliance's Washington, D.C. office. Before joining FRA, she was a special agent at the FBI for seven years. Fitzpatrick is a subject matter expert in the investigation of cryptocurrency-enabled money laundering and computer intrusion incidents, including Russian state-sponsored computer intrusions, non-compliant cryptocurrency exchanges, theft of personally identifiable information and intellectual property, ransomware, dark-web marketplaces and business email compromise schemes.

Peter Bott is a senior associate for cryptocurrency investigations and compliance at Forensic Risk Alliance. He is a former FBI professional and a subject matter expert in the intersection of cryptocurrency with counterterrorism, state-sponsored operations, scams, weapons trafficking and fraud, and in augmenting sophisticated blockchain analysis techniques with open-source intelligence.