In the Biden Administration’s latest effort to respond to the growing threat of ransomware attacks, on September 21, 2021, the U.S. Department of the Treasury (“Treasury”) announced new sanctions and ransomware guidance in an attempt to curb the disruptive increase in ransomware attacks. The actions are the latest signal from the Administration that the U.S. government views such attacks as a national security threat and that it will continue to undertake a “whole-of-government effort” against that threat.
Specifically, Treasury’s Office of Foreign Assets Control (“OFAC”) released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”) that:
Concurrently, OFAC designated SUEX OTC, S.R.O. (“SUEX”), a virtual currency exchange popular among ransomware groups and other criminal organizations, as a Specially Designated National (“SDN”). OFAC’s designation of SUEX was the first sanctions designation against a virtual currency exchange. Treasury’s sanctions and guidance underscore that OFAC is focused on disrupting criminals’ ability to profit from ransomware attacks, not on going after victims who act responsibly by notifying law enforcement and taking preventative steps to shore up their security.
These actions reinforce that it is critical for companies to think through how to implement best practices from a cybersecurity perspective, as well as how to engage with law enforcement and OFAC when falling victim to a ransomware attack and considering whether to pay. Treasury emphasized the need for “partnership between the public and private sector and close relationships with international partners” to counter the threat from ransomware and cyberattacks.
Of significant interest to industry, Treasury published an update to its October 2020 advisory, which we discussed in a previous alert, addressing potential sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. The Updated Advisory is notable in several respects.
OFAC zeroed in on SUEX as the first virtual currency exchange to be subject to U.S. sanctions due to its close association with various ransomware variants. According to Treasury, the exchange was involved in facilitating transactions for at least eight ransomware variants. U.S. government analysis of SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors, predominantly related to ransomware. OFAC designated SUEX as an SDN pursuant to Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” for providing material support to criminal ransomware actors.
As a result of SUEX’s designation as an SDN, all property and interests in property of SUEX that are subject to U.S. jurisdiction are now blocked, and U.S. persons are generally prohibited from engaging in transactions with SUEX. Additionally, any entities 50% or more owned by SUEX are also blocked. Of likely greater significance in the battle to stem ransomware attacks is the fact that financial institutions and other persons that engage in certain transactions or activities with SUEX potentially expose themselves to primary and/or secondary sanctions or could be subject to an enforcement action.
The sanctions against SUEX will be a bellwether for whether U.S. sanctions are effective against cryptocurrency exchanges. To conduct its transactions, SUEX has relied on the infrastructure of established cryptocurrency exchanges, which are now prohibited from dealing with it. We expect to see an enhanced sanctions focus on unregulated exchanges that facilitate the conversion of illicit cryptocurrency profits into real-world currency, which in turn will place greater pressure on established cryptocurrency exchanges to avoid less reputable exchanges. If OFAC is successful in disrupting SUEX’s and similar exchanges’ operations, it will force criminals to platforms that are easier for law enforcement to track. That, in turn, could result in the ability of law enforcement to identify and charge ransomware groups, and seize ransomware payments, as was the case when U.S. law enforcement officials recovered $2.3 million in bitcoin paid in the Colonial Pipeline ransomware incident earlier this year.
While Treasury’s actions express a strong U.S. government stance against ransomware payments, when analyzed closely, the sanctions and guidance reiterate that OFAC is focused on disrupting criminals’ ability to profit from ransomware attacks, not on penalizing good-faith victims who act responsibly by notifying law enforcement and taking preventative steps to shore up their security. Companies now have a helpful roadmap for steps to take to avoid a sanctions enforcement action when dealing with ransomware incidents:
Additionally, cryptocurrency exchanges need to conduct heightened due diligence in anticipation of new rounds of sanctions. With this roadmap in hand, companies should be able to navigate the sanctions-related challenges presented by any ransomware attack.