The Financial Action Task Force (FATF) is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction. The FATF Recommendations are recognised as the global anti-money laundering (AML) and counter-terrorist financing (CFT) standard.
For more information about the FATF, please visit www.fatf-gafi.org
This document and/or any map included herein are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area.
The global scale of financial flows related to ransomware attacks has grown dramatically in recent years. Industry estimates report up to a fourfold increase in ransomware payments in 2020 and 2021, compared to 2019. New techniques have increased the profitability of attacks and the likelihood of success. These include the targeting of large, high-value entities as well as ransomware as a service, where ransomware criminals sell user-friendly software kits to affiliates. The consequences from ransomware attacks can be dire and pose national security threats, including damaging and disrupting critical infrastructure and services.
Through this study, the FATF aims to improve global understanding of the financial flows linked to ransomware and highlight good practices to address this threat. The report also provides a list of potential risk indicators that will help authorities and the private sector detect such financial flows. The findings of this report draw upon experience and expertise from across the public and private sectors, including inputs and case studies from more than 40 delegations across the FATF Global Network.
A ransomware attack is a form of extortion and the FATF Standards require that it be criminalised as a predicate offence for money laundering. This report finds that payments and subsequent laundering of ransomware proceeds are almost exclusively conducted through virtual assets. Ransomware criminals exploit the international nature of virtual assets to facilitate large-scale, nearly instantaneous cross-border transactions, sometimes without the involvement of traditional financial institutions that have anti-money laundering and counter-terrorist financing (AML/CFT) programs. Criminals further complicate their transactions by using anonymity-enhancing technologies, techniques, and tokens in the laundering process, such as anonymity-enhanced cryptocurrencies and mixers.
The near-exclusive use of virtual assets in ransomware-related laundering further reinforces the importance of accelerating the implementation of FATF Recommendation 15, which requires jurisdictions to put in place measures to mitigate risks linked to virtual assets and to regulate the virtual asset service provider (VASP) sector. These efforts are critical to prevent criminals from easily accessing VASPs located in jurisdictions with weak or non-existent AML/CFT controls to launder the profit from their crimes.
This report also finds that ransomware attacks are generally underreported, whether due to challenges in detection by the private sector, negative impacts to the victim’s business or a fear of retaliation from criminals if a victim reports an attack. This partly explains the lack of experience in investigating money laundering related to ransomware. Jurisdictions need to carry out further work to increase and enhance sources of detection and reporting. Authorities need to move quickly to collect key information and should have the necessary tools and skills to effectively trace and recover virtual assets.
Ransomware cuts across a wide range of areas and investigations may involve actors outside the traditional AML/CFT authorities, including cybersecurity and data protection agencies. As such, a multi-disciplinary approach is required to effectively tackle ransomware and associated money laundering. Due to the inherently decentralised and transnational nature of virtual assets, building and leveraging existing international co-operation mechanisms is imperative to successfully tackling ransomware-related laundering.
Focus and scope
- Ransomware is a type of malicious software (malware) that criminals develop and/or use to deny access to data, systems, or networks while demanding a ransom payment in exchange. Common attack methods include data encryption, data exfiltration, and disruption of victim operations. Attacks often involve more than one method and may include a threat to publish the victim’s data.
- Ransomware incidents have grown significantly in recent years, both in number and scale. Ransomware is primarily a profit-seeking endeavour, and the growth in attacks has led to a consequent increase in ransomware proceeds and related money laundering. Industry estimates indicate that ransomware payments increased at least fourfold in 2020 and 2021 as compared to 2019. While the latest industry data suggest a downward trend in 2022 (potentially due to victims’ refusal to pay), the value of virtual assets received by ransomware attackers remains significantly higher than prior to 2019. The actual total number of attacks and related losses are likely to be significantly higher as ransomware attacks often go unreported.
- Attacks have caused major disruption and damage for governments, public institutions, businesses, and citizens, in some cases impacting healthcare and threatening national security, including requiring the stoppage of critical infrastructure and services or compromising sensitive data. Ransomware criminals have developed techniques to increase the profitability of their attacks and likelihood of success. As a result, the threat of illicit financial flows related to ransomware will likely continue to grow.
- Criminals demand ransomware payments almost exclusively in virtual assets. Victims, or related third parties acting on a victim’s behalf, often use virtual asset service providers (VASPs) to pay ransoms. Ransomware criminals also use VASPs to launder illicit funds and exchange proceeds for fiat currency, which can be more easily exchanged for goods and services and is a more stable store of value.
- In 2018, the FATF amended its Recommendations to cover virtual assets and VASPs. Since then, the FATF has issued various guidance to help jurisdictions and the private sector monitor and mitigate the risks in this sector, including red flag indicators of money laundering (ML) and terrorist-financing (TF). While this work has often touched on ransomware, this report is the first time the FATF has focused specifically on laundering trends and techniques linked to ransomware attacks.
- Under the Singaporean Presidency, the FATF is leveraging its experience on financial investigations involving virtual assets to identify challenges and share good practices for countering ransomware financing and related ML. This report focuses on: how to identify and report ransomware-related payments; how to prevent, detect, and investigate ransomware financial flows; and how such proceeds are laundered. This report does not focus on the use of ransomware for terrorist financing given the lack of significant or notable use of ransomware for this purpose in the information and case studies submitted for this report.
- As a ransomware attack is a form of extortion, the FATF Recommendations require all jurisdictions to criminalise ML related to ransomware (R.3). The FATF also requires jurisdictions to identify, assess and take steps to mitigate their ML risks (R.1-2); ensure the private sector, including VASPs, applies adequate preventive measures, such as reporting suspicious transactions (R.9-23); ensure law enforcement investigates, traces, and confiscates criminal proceeds (R.4, 29-31); and co-operate internationally to pursue ML and predicate offences, and associated proceeds (R.36-40).
- While ransomware is one type of cybercrime, the information in this report is focused on ransomware and may or may not be applicable to other types of cybercrime, such as malware, phishing, business email compromise or the compromise and sale of financial information.