The U.S. Department of the Treasury took new action in the fight against ransomware Tuesday, slapping sanctions on a cryptocurrency exchange accused of facilitating ransom payments to cybercriminals.
The most notable measure announced Tuesday was the Office of Foreign Assets Control's (OFAC) sanction against Russia-based cryptocurrency broker Suex. Under the sanctions, U.S. companies and citizens are generally prohibited from engaging with designated entities, either "directly or indirectly," according to an updated advisory on ransomware payments from the Treasury Department.
The OFAC sanctions are the first against a virtual currency exchange. Suex has been active since February 2018 and, according to the Treasury Department, assisted cybercriminals in hiding illicit proceeds from ransom payments, as well as other cybercrimes. Cybercriminals continue to use cryptocurrency for the anonymity it provides, particularly in ransomware attacks, while exchanges or "mixers" allow threat actors to launder their illicit funds and conceal them from law enforcement.
The Treasury Department referred to virtual currency exchanges as "critical elements" of the ransomware ecosystem, which the U.S. government has been earnestly fighting against. However, combatting ransomware has proven difficult. A Treasury Department statement declared ransomware payments reached more than $400 million in 2020.
While payments continue to be made, the government has strongly discouraged citizens and enterprises from giving in to extortion demands; the stance was emphasized again in Tuesday's announcement. Aside from the substantial monetary impact, ransomware attacks have also taken down critical infrastructure such as hospitals and the U.S. Colonial Pipeline.
"Virtual currency exchanges such as Suex are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity," the press release stated.
Forty percent of Suex transaction history is associated with threat actors, according to the Treasury Department.
Blockchain analysis vendor Chainalysis, which aided in the investigation against Suex, provided a transaction breakdown in a blog post. In total, Chainalysis said Suex has received more than $481 billion in Bitcoin since its start.
Nearly $13 million of the transactions went to ransomware operators including Ryuk, Conti, Maze and several others. The Treasury Department said there were at least eight ransomware variants overall.
While ransomware operators were involved in many of the transactions, the highest funds surprisingly came from cryptocurrency scams. Cryptocurrency scam operators received more than $24 million, including "the fraudsters behind Finiko, a scam that took in over $1 billion worth of cryptocurrency from victims primarily in Russia and Ukraine." Lastly, more than $20 million came from the dark web marketplaces.
In its blog, Chainalysis emphasized the significant impact that would result from taking down the exchange.
"Suex is one of the biggest and most active of those services. Shutting them down would represent a significant blow to many of the biggest cyber threat actors operating today, including leading ransomware attackers, scammers and darknet market operators," the blog post said.
Clark Flynt-Barr, senior policy advisor at Chainalysis, told SearchSecurity that any U.S. organizations or individuals who do business on Suex could find themselves in legal trouble. "If someone is facilitating a ransomware payment on behalf of a victim and makes a payment to a sanctioned entity like Suex, that person may be in violation of sanctions and this could result in civil penalties or other enforcement actions from OFAC," he said.
Flynt-Barr also said the OFAC rules for ransomware could land victims in hot water even if they aren't directly making ransom payments to sanctioned entities like Suex and instead use intermediaries. "This means that companies that facilitate ransomware payments to sanctioned malicious cyber actors on behalf of U.S. persons or businesses may result in sanctions violations for those U.S. persons or businesses," he said. "In addition, U.S. businesses such as cyber security companies may not facilitate ransomware payments to entities or individuals subject to U.S. sanctions on behalf of non-U.S. persons."
Cryptocurrency under fire
Purandar Das, co-founder and chief security evangelist of data protection vendor Sotero, said cryptocurrency is a major factor in these types of cyber attacks. Having no concerns about the payments being tracked or about the ability to cash the ransom, he said, is a big enabler of the attacks.
"The ability to collect ransom anonymously and eliminate the ability to trace the payment routes is driving the activity," Das said in an email to SearchSecurity.
Das also said the Treasury Department's steps are indicative of the enormity of the problem as well as the use of digital currency to facilitate crime. While digital currency has its advantages, he said the predicted downsides are being realized, such as the ability for criminals to anonymously collect huge windfalls that would have been impossible a few years ago.
Mark Testoni, CEO of SAP National Security Services, said cryptocurrency makes it easier to transact and to complete the final step of the process, so pressuring that part of the chain will have an impact. For one, it may make it harder for exchanges to pop up and operate.
"Cutting it off at the source is probably the most important thing we do," Testoni said.
Additionally, the new actions targeting ransom payments, he said, are another tool for the U.S. government.
"Most of these events go unreported and companies, organizations find it easier to just pay the ransom," he said. "The most important thing we can do is educate our companies and the individual because each of us, as an employee, as an individual in our homes has a tremendous impact on cyber security."
Sanctions and law enforcement actions that focus on ransomware payments can present downsides as well. Testoni said such actions have the potential to push companies to be even more discreet about disclosure.
Another challenge Das addressed is how such sanctions could prevent victim organizations from being able to recover their systems and data. "Assuming that the ransomware attacks will completely stop by penalizing companies that pay the ransom may lead to consequences that could be severe and impact consumers adversely," he said.