The U.S. Department of the Treasury on Tuesday announced “robust actions” to counter ransomware, including blocking the assets of a Russian virtual currency exchange that has facilitated payments for at least eight ransomware variants.

The Treasury’s Office of Foreign Assets Control (OFAC) added SUEX OTC to its list of specially designated nationals (SDNs). An analysis found “over 40% of SUEX’s known transaction history is associated with illicit actors,” the Treasury stated. It is the first time OFAC has sanctioned a virtual currency exchange for facilitating ransomware payments.

“Some virtual currency exchanges are exploited by malicious actors, but others, as is the case with SUEX, facilitate illicit activities for their own illicit gains,” the Treasury stated.

As a result of the designation, SUEX’s assets and interests in the United States will be frozen, and U.S. citizens are generally blocked from doing business with it. Financial institutions that do business with SUEX now open themselves up to potential sanctions violations.

The move is part of a “whole-of-government effort to counter ransomware,” with the Treasury also noting coordination with the G7. It comes in response to high-profile cases at Colonial Pipeline, JBS USA, and other businesses this year where ransoms were paid to cyber-attackers in order to restore access to breached systems.

“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” said Treasury Secretary Janet Yellen in a press release. “As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”

OFAC advisory update

As part of Tuesday’s announcement, OFAC issued an advisory on potential sanctions risks posed by facilitating ransomware payments.

“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the advisory said. “Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves.”

Even if a company does not knowingly violate U.S. sanctions by paying a ransom, it can still be penalized: the advisory noted that OFAC “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.”

In most ransomware cases, the victim does not know exactly to whom they are paying the ransom, so paying carries the risk of running afoul of U.S. sanctions.

There are several ways to mitigate the severity of a potential OFAC punishment stemming from paying a ransom, the agency said:

  • Have an established risk-based compliance program that mitigates exposure to sanctions violations.
  • Take meaningful steps to reduce the risk of extortion through ransomware by improving cyber-security practices.
  • Cooperate with OFAC and law enforcement.
  • Report the ransomware attack as soon as possible to the Cybersecurity and Infrastructure Security Agency and/or the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.

All these measures will be considered as mitigating factors when OFAC is weighing punishment on an organization that paid a ransom to an entity that appears on its SDN list, the advisory said.