Five Key Considerations Regarding New U.S. Sanctions to Address Ransomware Threats

On September 21, 2021, the U.S. Department of the Treasury (Treasury) Office of Foreign Asset Control (OFAC) imposed sanctions on a virtual currency exchange called Suex OTC, S.R.O. (Suex), and published an updated advisory on potential risks for those who facilitate ransomware payments. These coordinated actions represent significant moves by OFAC to target key aspects of the global ransomware ecosystem and to advance the U.S. government’s broader counter-ransomware strategy. By recommending strengthened cybersecurity measures and emphasizing reporting to law enforcement, OFAC’s updated advisory also reflects increasingly tighter collaboration among federal government agencies in their fight against the ransomware threat.

Background

Ransomware attacks use malware, often injected through phishing schemes, to infect a victim’s computer system and to restrict the victim from accessing the system, stored data, or files by encrypting them. These attacks are typically followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Threat actors usually demand payment in cryptocurrencies (like bitcoin); accordingly, victims often use third-party services to make such payments. Having received the ransom payment, threat actors may then use virtual currency exchanges — most of which are legitimate businesses that allow customers to trade cryptocurrencies for other assets (including other digital currencies and conventional fiat money) — in an effort to launder the stolen funds and obscure their digital tracks.

Confronted by numerous sophisticated and costly ransomware attacks, the Biden administration declared earlier this year that ransomware represents a national security threat. Recent attacks on the nation’s critical infrastructure, including attacks that temporarily shut down an important petroleum pipeline and disrupted a nationwide meatpacking company, underscored the growing nature of this threat. The global ransomware landscape has continued to evolve thanks to new partnerships among several notorious cybercriminal groups that reportedly share hacking techniques, breached information, and cutting-edge technology.

As a result of these significant developments, the Biden administration recently announced a counter-ransomware strategy that includes four lines of effort: (1) disruption of ransomware infrastructure, (2) international cooperation to hold countries that harbor ransom actors accountable, (3) expansion of cryptocurrency tracing analysis, and (4) review of the U.S. government’s policies and approaches to those who make ransomware payments.

OFAC’s September 21 actions signal that the Biden administration is taking steps to move along several of these lines of effort, specifically disruption of ransomware infrastructure, and clarification of the government’s approach to those who make ransomware payments. In addition, public reporting indicates that OFAC’s targeting of Suex, and its identification of the exchange’s close association with illicit activity, relied heavily on blockchain analysis — thereby reflecting the U.S. government’s commitment to increasing its awareness of the movement of digital currency across international borders.

The Suex Sanctions

OFAC designated Suex, a virtual currency exchange registered in the Czech Republic that is believed to operate in Russia, “for its part in facilitating financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants.” As Treasury observed in its press release, “Analysis of known Suex transactions shows that over 40% of Suex’s known transaction history is associated with illicit actors.” According to a prominent blockchain analysis firm whose tools aided in the U.S. government’s investigation of Suex, the exchange received “over $160 million from ransomware actors, scammers, and darknet market operators” in bitcoin alone and “tens of millions [of dollars] worth of cryptocurrency payments from addresses associated with several forms of cybercrime.” The same analytics firm concludes that “[a] small group of illicit services facilitate the majority of cryptocurrency-based money laundering, and Suex is one of the worst offenders.”

Suex was designated pursuant to the “cyber sanctions” authorized by Executive Order 13694, as amended (EO 13694), which permits the blocking of property of those who engage in significant malicious cyber-enabled activities. Since December 2016, OFAC has designated malicious cyber actors, including perpetrators of ransomware attacks. The agency took its first virtual-asset-related action pursuant to EO 13964 in November 2018, when it targeted two Iran-based individuals who helped exchange bitcoin ransom payments into fiat currency in connection with the notorious SamSam ransomware scheme and identified digital currency addresses associated with those two facilitators. OFAC’s subsequent use of the EO 13694 authority has resulted in sanctions against Chinese nationals who used cryptocurrency to advance drug trafficking; against Russian nationals who used cryptocurrency to fund activities in furtherance of ongoing malign influence operations around the world; and against Chinese nationals who are believed to have laundered over $100 million worth of cryptocurrency stolen from cryptocurrency exchanges by North Korean actors.¹ The Suex designation represents the first sanctions designation against a virtual currency exchange.

As a result of Suex’s designation, all of that entity’s property and interests in property subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with Suex or in activity for the benefit of Suex. In addition, any entities 50% or more owned by one or more designated persons are also blocked. Finally, parties, including non-U.S. persons, that engage in certain transactions or activities with Suex may expose themselves to sanctions or be subject to an enforcement action. Treasury’s press release does note, however, that OFAC’s designation of Suex “does not implicate a sanctions nexus to any particular Ransomware-as-a-Service or variant.”

Updated OFAC Ransomware Advisory

Also on September 21, OFAC published an updated advisory, its strongest to date, demonstrating an intent to sanction not only individual cybercriminals involved in ransomware attacks but also the platforms those criminals use to commit their malign acts. The updated advisory supersedes guidance issued in October 2020 that formally articulated OFAC’s view that making ransomware payments with a sanctions nexus threatens U.S. national security interests and that third-party service providers that facilitate ransomware payments on behalf of a victim must consider and ensure compliance with OFAC regulations.

OFAC’s updated advisory does not expand existing law or provide new authority for imposing sanctions. The updated advisory does, however, outline a range of enforcement responses and factors OFAC will consider in making enforcement decisions. While OFAC continues strongly to discourage ransomware extortion payments and has directed that companies should engage in particular steps to protect themselves from ransom demands, the act of paying a ransom, alone, will not expose a victim to an enforcement action unless a designated party, such as Suex or another specially designated national, is involved.

However, the identity of an attacker may be difficult to diagnose. Moreover, cyber-related sanctions, like most OFAC sanctions programs, impose strict liability. In addition, traditional sanctions controls, such as name screening, can be thwarted by the anonymous nature of cyberattackers and ransom demands. Therefore, in today’s environment of increasingly crippling cyberattacks, companies should ensure they have maintained and implemented a robust compliance and risk mitigation program designed to prevent and recover from malign cyberactivity, including ransomware attacks.

In particular, financial institutions and companies that may be subject to ransomware attacks, as well as companies operating in the virtual assets industry generally, may wish to consider the following key lessons:

1. OFAC Strongly Discourages the Payment of Ransom Demands. OFAC’s updated advisory states that “the U.S. government strongly discourages the payment of cyber ransom or extortion demands.” This messaging echoes the formal views of federal law enforcement, as the FBI also does not support paying a ransom in response to a ransomware attack.
2. Platforms Facilitating Currency Exchanges May Be Subject to Sanctions. While the October 2020 OFAC guidance identified attackers and payees who may be designated under OFAC’s existing cyber-related sanctions authority, the agency’s September 2021 designation of Suex is significant because, as noted above, it represents the first time that a virtual currency platform, as distinct from a malicious attacker, has been so designated. This demonstrates that OFAC, consistent with the U.S. government’s broader counter-ransomware strategy, is expanding its efforts to combat ransomware attacks by targeting and disrupting aspects of the global ransomware infrastructure. Indeed, Treasury’s press release notes that “[v]irtual currency exchanges such as Suex are critical to the profitability of ransomware attacks” and emphasizes that “Treasury will continue to disrupt and hold accountable these entities to reduce the incentive for cybercriminals to continue to conduct these attacks.”And while Treasury’s press release observes that “most virtual currency activity is licit,” it also notes that “virtual currencies can be used for illicit activity through peer-to-peer exchangers, mixers, and exchanges.” The press release further observes that “[s]ome virtual currency exchanges are exploited by malicious actors, but others, as is the case with Suex, facilitate illicit activities for their own illicit gains.” These words indicate the continued importance of maintaining effective anti-money-laundering programs and of bolstering “know-your-customer” capabilities. They also reflect Treasury’s continued evaluation of the effects of virtual currencies on various aspects of American life and the U.S. national interest. Those involved in the nascent and rapidly growing virtual assets industry may take comfort in the noteworthy acknowledgment that “most virtual currency activity is licit”; nonetheless, federal enforcement officials, including those at Treasury, plainly will remain vigilant in exercising their prerogatives.
3. OFAC Has Outlined What It Expects of Companies Seeking Mitigation in an Enforcement Setting After an Attack. Specifically, as discussed in more detail below, OFAC has explained that should a sanctions violation occur, it will evaluate how the company worked to prevent the attack and the actions the company took in response to an attack in considering enforcement action, including whether to issue nonmonetary and nonpublic enforcement actions, such as warning letters. Significantly, while it may be difficult to identify a sanctions-nexus in an attack, and therefore for a company to decide whether to file a voluntary self-disclosure, OFAC’s updated advisory states that “OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies … made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.” Under OFAC’s Enforcement Guidelines, filing a voluntary self-disclosure typically results in a significant reduction of any penalty that may be issued and frequently results in nonmonetary enforcement.
4. Companies Should Develop and Supplement Their Compliance and Risk Mitigation Programs for Preventing and Handling Cyberattacks. OFAC’s updated advisory provides additional guidance about what the agency believes to be the hallmarks of a robust compliance program. For example, it recommends that companies adopt meaningful cyber-risk-mitigation practices such as those found in the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Guide published in September 2020. OFAC specifically identifies the following steps as crucial actions that companies can take to protect themselves: “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.” As noted above, OFAC’s updated advisory states that adopting risk management protocols like those in the CISA Ransomware Guide will be considered a “significant mitigating factor in any OFAC enforcement response” — a reflection of interagency coordination and collaboration in this area.
5. Companies Should Evaluate All of the Ways to Engage With OFAC and Law Enforcement. While OFAC’s prior advisory recommended that victim companies notify law enforcement and different components within Treasury, the updated advisory provides additional details and highlights interagency roles and relationships. Specifically, OFAC now “strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s [Office of Cybersecurity and Critical Infrastructure Protection] and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.” Companies should make complete reports to law enforcement to receive credit, including providing all the relevant technical details, demand information, and instructions. The updated guidance links together both the timeliness and completeness of a company’s report to law enforcement, stating: “While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described [in the updated guidance], particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.” As described above, significantly, reports to law enforcement, when done timely and completely, may count as OFAC voluntary self-disclosures if a sanctions-nexus is discovered.

Given the focus of OFAC’s updated guidance on companies’ proactive procedures to prevent and respond to cyberattacks, companies should evaluate the security of their information technology systems and data repositories, the security and efficacy of their offline data backups, their sanctions and cybersecurity training, and their incident response programs — and make any necessary enhancements or modifications. Because of the increase of cyberattacks during the COVID-19 pandemic and the additional considerations regarding cybersecurity that are associated with remote work, these actions are increasingly important.

¹ Each of these actions was paired with the announcement of criminal charges filed by the U.S. Department of Justice (DOJ). To date, DOJ has not announced charges against Suex or any associated individuals.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.