Yesterday, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions on SUEX OTC, S.R.O, a cryptocurrency exchange, for its role in laundering money to ransomware attackers. According to OFAC, SUEX facilitated criminal transactions involving at least eight ransomware variants and 40% of SUEX’s known transaction history involved bad actors. The designation of SUEX is the first time OFAC has sanctioned a virtual currency platform – and this approach may prove to be a useful regulatory tool to make malicious cyberactivity less profitable and therefore deter cyber-criminals. Treasury Secretary Janet Yellen said the government is “committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attack[s].”

In addition to designating SUEX, OFAC updated its guidance on the risks companies face for playing a part in ransomware payments (see here). We are providing a redline of the guidance against OFAC’s previous guidance from 2020 for your reference.

Ransomware Attacks: Business and National Security Threat

Ransomware attacks have been on the rise – both by individual criminal and state actors. According to the Treasury Department, ransomware payments totaled more than $400 million in 2020, more than four times that of 2019. As a refresher, ransomware attacks are the type of cyberattack that shut down an entity’s network and systems and demand payment – oftentimes in cryptocurrency – in exchange for restoring access. The government sees malicious cyber activities both as criminal and as a threat to national security. We saw how the SolarWinds hack, which we discussed here, and the Colonial Pipeline attack significantly impacted government agencies, private companies, and the public at large. Payments to ransomware attackers incentivize malicious activities and fund more criminal ransomware attacks.

The designation of SUEX coupled with the guidance OFAC issued highlights the risks faced by entities that facilitate ransomware payments and companies that may be considering making such payments. If you’re subject to U.S. sanctions, that severely restricts your ability to do business in or with the United States. Currently, there are third party consultants that negotiate with cyber-attackers and facilitate the payment of ransoms. This action against SUEX emphasizes that making or facilitating those payments could subject you to severe penalties.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” said the Treasury Department.

What Should You Do?

For now, OFAC’s action does not directly impact broader cryptocurrency exchanges, but SUEX’s designation should serve as a warning to other virtual currency platforms and encourage them to take a look at their practices to ensure they aren’t facilitating payments to bad actors. Compliance with sanctions and anti-money laundering rules and regulations is a challenge in the virtual currency world. Transactions are decentralized, and KYC / due diligence of users is not easy. But especially when it comes to ransomware attacks, the FBI and OFAC are working together to ramp up enforcement. Virtual currency exchanges should heed OFAC’s guidance to implement best practices to protect against OFAC and AML violations.

In particular, the updated OFAC guidance highlights the importance for companies to implement cybersecurity practices to reduce the risk of extortion by a sanctioned person. Some practices could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others. If a company is the subject of an attack and pays the ransom involving a sanctioned party, while it could be subject to penalties, OFAC will consider the company’s protective steps, as well as the reporting of the attack to law enforcement, as mitigating factors when it assesses penalties (i.e., No action Letter/Cautionary Letter vs. steep civil penalties).