Treasury ransomware response: More sanctions, updated FinCEN guidance

The Office of Foreign Assets Control (OFAC) added Chatex, a virtual currency exchange, to its list of specially designated nationals (SDNs). The Treasury said of Chatex’s known transactions, “over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware.”

OFAC also added three Chatex affiliates to its SDN list: IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. All three are alleged to have provided support and material assistance to Chatex.

Chatex is affiliated with SUEX OTC, another virtual currency exchange OFAC designated in September.

The agency further added two alleged ransomware operators, Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin, to its SDN list, “for their part in perpetuating Sodinokibi/REvil ransomware incidents against the United States.” The two were charged by the U.S. Department of Justice on Monday with conducting ransomware attacks against multiple victims; Vasinskyi is alleged to have been behind this summer’s high-profile attack against software company Kaseya.

Such designations by OFAC increase the risk that paying ransomware will violate U.S. sanctions, as being named to the SDN list means the individual or company’s assets in the United States are blocked.

FinCEN also released updated information Monday about how financial institutions should respond to bad actors using their networks to handle ransomware payments.

In an advisory, FinCEN said all regulated entities should report ransomware financial activity through suspicious activity reports required as part of their Bank Secrecy Act obligations. Although the threshold for such reporting is for transactions of $5,000 or more, FinCEN said smaller amounts that appear to be ransomware payments should also be reported on a voluntary basis.

FinCEN provided financial institutions with a list of red flags that might indicate a ransomware payment is being arranged or has taken place. Examples included:

• IT enterprise activity connected to ransomware cyber indicators or known cyber threat actors.
• A customer conducting transactions with ransomware variants, payments, or related activities.
• An irregular transaction occurring between an organization at high risk for being a victim of ransomware—government, financial, educational, or healthcare—and either cyber insurance companies (CIC) or digital forensic and incident response (DFIR) companies.
• A CIC or DFIR receiving money from a counterparty and immediately sending the same amount to a convertible virtual currency (CVC) exchange.
• A customer with little or no knowledge or previous use of CVCs inquiring about sending a large transaction.
• A customer who received large payments and then sent smaller payments to multiple CVCs, potentially acting as a middleman for ransomware payments.
• A customer using an encrypted network or an unidentified web portal to communicate with the recipient of the CVC transaction.

“We will continue to bring to bear all of the authorities at Treasury’s disposal to disrupt, deter, and prevent future threats to the economy of the United States,” said Deputy Secretary of the Treasury Wally Adeyemo in a press release. “This is a top priority for the Biden administration.”