Dive Brief:
- The U.S. Department of the Treasury added cryptocurrency exchange Suex to its list of sanctioned entities due to laundering ties with ransomware affiliates, according to an announcement Tuesday. "Some virtual currency exchanges are exploited by malicious actors, but others, as is the case with Suex, facilitate illicit activities for their own illicit gains," the Treasury said.
- Suex facilitated digital currency exchange for at least eight ransomware variants, the Treasury said. More than 40% of Suex's exchanges are "associated with illicit actors."
- Virtual currency exchanges that engage in sanctions evasion, ransomware operations or other cybercrimes, will face similar sanctions. The sanctions prohibit U.S. customers engaging with Suex, though as of Tuesday, the sanctions against Suex do not connect it to a "particular ransomware as a service or variant," the Treasury said.
Dive Insight:
The Treasury has promised further action to disrupt operations for entities collaborating with threat actors. "This action is the first sanctions designation against a virtual currency exchange and was executed with assistance from the Federal Bureau of Investigation," the agency said.
Because financial transactions is one of the most regulated spaces, the Treasury is doing what it can to thwart ransom payments.
"The government's gonna use the levers they have and the levers and finance are arguably bigger and stronger than the levers of a lot of other critical infrastructure sectors," Padraic O'Reilly, co-founder and CPO of CyberSaint Security, and advisor for the Department of Defense, said during a press Q&A hosted by CyberSaint Tuesday.
In May, the Treasury proposed businesses report cryptocurrency transactions of $10,000 or more to the IRS, which many interpreted as a way to check for undisclosed ransom payments.
"I think it's all baby steps," said Kevin Powers, founder and director of the graduate cybersecurity policy and governance program at Boston College, during the virtual presser. The Treasury's recent actions are a temporary bandage before more concrete policy comes out. The Federal Reserve and Securities and Exchange Commission are mulling regulatory efforts for the digital currency landscape, but in the meantime the Treasury's actions are meant "to put organizations at ease that at least the government's trying to do something," he said.
The sanctions against Suex are also sending a message to platforms — that criminals using their services can no longer hide in anonymity "and neither can you because we know who they are, and you know who they are," said Powers.
Alongside the Treasury's efforts, the U.S. generally is taking action against international cybercriminals. President Joe Biden pressed the issue with Russian President Vladimir Putin in June and July following ransomware attacks on JBS USA and Kaseya. Biden hinted the U.S. would consider offensive measures, though no official announcements or agreements were made.
To avoid funding adversarial ransomware groups, the Treasury's Office of Foreign Assets Control (OFAC) published a list of sanctioned cybercriminal groups last October. "U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on the Specially Designated Nationals and Blocked Persons List, according to the advisory. Evil Corp., SamSam and the Lazarus Group were among the initial sanctioned actors OFAC identified.
Still, companies pay ransoms when their business and public livelihood is immediately affected. Following the Colonial Pipeline ransomware attack — in which that company paid $4.4 million in extortion and the FBI recovered half of it — financial institutions began implementing cryptocurrency policies, said Dominique Shelton Leipzig, co-chair of the ad tech privacy and data management practice at law firm Perkins Coie, during the CyberSaint webcast. The policies would prevent companies from converting large funds into digital currency.
"I think this is a real tightening that's already been happening over the summer, this is now making it expressed from the government side," she said. "But frankly, financial institutions have already made this move and we have seen companies caught and just unable to pay a ransom even when they want to."
Companies consider reserving funds specifically for ransom payments, but it's not a cost-effective risk management strategy. Cybercriminals will find means to pivot if cryptocurrency becomes unfeasible.
"I think the key here is we're starting to narrow things down and making things more difficult" for criminals, said Powers. "Because right now, it doesn't seem to be much of a risk for them at all."