US cryptocurrency exchange sanctions over ransomware likely not the last

The sanctions against Suex, aimed to cut ransomware gangs off from their revenue, sends a signal to other exchanges that support criminal activity.

Ransomware  >  An encrypted system, held ransom with lock + chain, displays a dollar sign.
Tomas Knopp / Getty Images

Days after the Russia-linked BlackMatter ransomware gang hit an Iowa grain cooperative with a ransomware attack, the Biden administration unveiled its latest effort to address the ongoing ransomware crisis. In a move designed to cut off ransomware gangs from their financial rewards, the Treasury Department announced that its Office of Foreign Asset Control (OFAC) placed Czech Republic-registered but Russian national-owned and -operated cryptocurrency exchange Suex on its sanctioned entity list, formally called the Specially Designated Nationals and Blocked Persons (SDN) List. 

Suex facilitates “financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to the announcement. Treasury says that over 40% of Suex’s known transaction history is associated with illicit actors, representing $370 million in illicit trading. 

OFAC included on the SDN list a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by Suex. These addresses received more than $934 million in various crypto assets overall. In addition, blockchain transactions tracking company Chainanalysis said that the Suex addresses have received more than $160 million in bitcoin alone from “ransomware actors, scammers, and dark net market operators” since the exchange was founded in 2018.

Company steps to mitigate risks are crucial

OFAC also issued an update to its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Sending a strong message to potential ransomware victims, OFAC highlighted “the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be ‘mitigating factors’ in any related enforcement action.” These steps could include “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.”

Overall, the advisory “does not appear to be much of a separation from past practice,” Adam M. Smith, Partner at Gibson Dunn and former senior advisor to the director of OFAC, tells CSO.  The advisory’s basic thrust is that, “If you’re engaging in the online world, you need to be as concerned with who your counterparties are as if you were in the offline world,” he says. “If you are engaging with people who have been sanctioned, it is as big a problem online as it is offline.”

The critical mitigation step is working with the feds

Two new aspects of the updated OFAC advisory have implications for how ransomware victims might better protect themselves from paying penalties if forced to deal with sanctioned ransomware operators. First, the new advisory “strongly suggests that engagement with law enforcement and engaging with OFAC in and of itself is going to be a mitigation with respect to a potential penalty,” Smith says.

The updated advisory states that OFAC “strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local US Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.”

The advisory goes on to say, “In doing so victims can receive significant mitigation from OFAC when determining an appropriate enforcement response in the event a sanctions nexus is found in connection with a ransomware payment.” This new part of the advisory means that Treasury and OFAC want ransomware victims who might be dealing with a sanctioned operator to contact the federal government immediately. Doing so could lessen the chances that victims could face harsh penalties if they end up paying ransom to a sanctioned entity.

“What OFAC is saying is that there is potential enforcement [against victims that pay ransom to sanctioned entities],” Smith says. “However, if you engage OFAC and the Department of Justice, there would potentially be mitigation in the decision to enforce. There’s always been the potential for mitigation. Making it explicit is new in this regard. Most people in this space already recognize that in a real duress situation, the potential of mitigation was always there.”

OFAC frowns on licenses to pay sanctioned operators

However, the updated advisory also explicitly states that OFAC holds a dim view regarding licenses to pay sanctioned ransomware operators. (A license is an authorization from OFAC to engage in a transaction that otherwise would be prohibited.) “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States,” the advisory says. “For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis with a presumption of denial.”

“So, it wants you to engage with OFAC, but it’s not saying that a license or some other authorization will be forthcoming,” Smith says. “It doesn’t actually change the analysis for parties who are facing a horrific issue with ransomware.

Actions unlikely to reduce ransomware attacks anytime soon

Whether these actions by the Treasury Department will reduce ransomware attacks is an open question. “I think it’s definitely a good first step,” Allan Liska, intelligence analyst at Recorded Future, tells CSO.  “It’s very hard to sanction the actors directly, although they have done that before.”

As OFAC notes in its advisory, Russian cybercrime organization Evil Corp, which used Dridex malware to infect computers and steal login credentials from hundreds of banks and financial institutions worldwide, was placed on the SDN list in 2019. Evil Corp subsequently entered the ransomware business but has gone to great pains to rebrand itself and its ransomware to fool victims so that they don’t delay payments due to fear of sanctions-related penalties.

“So, going after the cryptocurrency exchanges is going after that next step as a way to slow down the transactions and go after their ability to move money,” Liska says. The Treasury Department is unlikely to stop with just this one exchange. “There are cryptocurrency exchanges that have a reputation for being friendly to money launderers. I think that as the Treasury Department gathers more evidence of that, they’re going to file more sanctions like this.”

Despite this progress, Treasury’s action is unlikely to provide immediate relief from the onslaught of ransomware attacks. “What unfortunately it doesn’t do in the short term is slow down ransomware attacks,” Liska says. “Ransomware attacks are going to continue, and they’re going to continue at a growing pace. It doesn’t hinder the ability of anybody to make payments because you don’t necessarily have to make a payment through an exchange.”

“If Treasury makes it more and more difficult for ransomware actors to get rid of the money, then that may have a long-term negative impact on the ability to carry out ransomware attacks,” Liska says. “But in the short term, I don’t think it’s going to make much of a difference.”

Congressman Jim Langevin (D-RI), a senior member of the House Committee on Homeland Security and a member of the Cyberspace Solarium Commission, praised the Treasury Department’s action. He also reinforced Treasury’s message that victims should contact the federal government and follow the recommended mitigation steps. “The guidance also reiterates that strict liability will hold individuals and businesses to account if they support a sanctioned entity by paying a ransom, regardless of their intent,” Langevin said in a statement. “However, Treasury lays out steps companies can take to mitigate an enforcement response. Businesses that fall victim to ransomware should proactively alert the government to minimize any penalties they may incur.”

Copyright © 2021 IDG Communications, Inc.

8 pitfalls that undermine security program success