US Treasury Sanctions Crypto Exchange For Aiding Ransomware Payments

September 28, 2021 - The US Department of the Treasury announced its first ever sanction against a cryptocurrency exchange SUEX for its alleged role in facilitating ransomware payments for cybercriminals.

The Treasury’s Office of Foreign Assets Control (OFAC) also issued an updated advisory warning companies of potential sanctions risks associated with ransomware payments. OFAC warned that facilitating payments on behalf of a victim may violate the office’s regulations.

Virtual currency exchanges, or cryptocurrency, have become an asset to bad actors in laundering ransomware payments since the transactions are extremely difficult to trace. As ransomware becomes a growing concern among the healthcare, finance, and energy sectors, the US government is enforcing regulations and implementing strategies to combat cybercriminals.

The Treasury, along with the FBI, determined that SUEX had facilitated transactions involving at least eight ransomware variants. Analysis revealed that over 40 percent of SUEX’s transaction history is associated with illicit actors.

The action marks the Treasury’s first sanctions designation against a virtual currency exchange.

“While most virtual currency activity is licit, virtual currencies can be used for illicit activity through peer-to-peer exchangers, mixers, and exchanges,” the press release continued.

“This includes the facilitation of sanctions evasion, ransomware schemes, and other cybercrimes. Some virtual currency exchanges are exploited by malicious actors, but others, as is the case with SUEX, facilitate illicit activities for their own illicit gains.”

As a result of the sanctions designation, US companies and individuals are prohibited from engaging in transactions with SUEX. Any entity that does engage in transactions with SUEX may face enforcement actions.

OFAC’s updated advisory highlighted the risks associated with engaging in ransomware payments and gave tips on how organizations can mitigate risk.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” OFAC’s statement explained.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Under its cyber-related sanctions program, OFAC has designated numerous malicious cybercriminals. Cryptolocker, SamSam ransomware, WannaCry 2.0, and Evil Corp were all designated as targets of US sanctions for their roles in ransomware attacks. SUEX is the latest to be added to the list of sanctioned organizations.

OFAC warned that any US citizen who engages directly or indirectly in a ransomware transaction may face significant consequences.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC,” the advisory warned.

OFAC recommended that organizations implement a risk-based compliance program to avoid interaction with cybercriminals. The office also reminded organizations of their duty to report ransomware attacks to relevant federal agencies.

“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” Janet L. Yellen, Treasury secretary, stated.

“As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”