On September 21, 2021, the US Department of the Treasury took actions to respond to the increasing prevalence and severity of ransomware attacks in the United States and to address the central role that virtual currency and virtual currency exchanges play in these attacks. These actions included the first-ever sanctions designation of a virtual currency exchange. While continuing to discourage ransom payments, Treasury is also looking to incentivize companies to improve their cybersecurity practices and inform law enforcement in the event of an attack.
In recent years, ransomware attacks have significantly increased in size, scope and devastating impact. According to the Federal Bureau of Investigation (FBI), 2020 witnessed a nearly 21 percent increase in reported ransomware cases and a 225 percent increase in associated losses year on year. While no business or sector is immune, targets of particular concern are critical infrastructure companies, like oil and gas companies as well as financial services companies.
Virtual currency is most often the primary means of ransom and related money-laundering activities. As such, virtual currency exchanges play an essential role in the profitability of ransomware schemes. To counter these attacks, Treasury’s Office of Foreign Assets Control (OFAC) has made virtual currency exchanges the target of renewed attention.
Virtual currency exchange designated as Specially Designated National
Recognizing these concerns, OFAC has for the first time designated a virtual currency exchange, SUEX OTC, S.R.O. (SUEX), on the Specially Designated Nationals and Blocked Persons (SDN) List pursuant to Executive Order 13694 for its role in facilitating financial transactions involving illicit proceeds from at least eight ransomware variants. According to OFAC, SUEX’s transaction history showed that over 40% of the exchange’s transactions are associated with illicit actors. As a result of the SDN designation of SUEX, any company making a ransomware payment through the SUEX exchange is now violating sanctions regulations and is subject to civil or criminal penalties, including a fine of up to $1,000,000 per violation and/or up to 20 years imprisonment.
OFAC issues updated ransomware advisory
OFAC also issued an updated ransomware advisory on September 21, 2021, reiterating warnings it made in its October 2020 ransomware advisory that payments made to ransomware actors may violate US sanctions regulations. In its updated advisory, OFAC adds more discussion on virtual currencies and guidance on defensive and response measures to take in the event of a ransomware attack, including actions that may help mitigate possible OFAC enforcement. Specifically, OFAC adds that the US government strongly discourages all private companies and citizens from paying ransom or extortion demands, and instead recommends focusing on strengthening measures to prevent and protect against such attacks. Such defensive measures include those highlighted in the US Department of Defense Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, like maintaining offline backups of data, developing incident response plans, and instituting cybersecurity training, among others.
Not only do such steps reduce the risk of an attack, but under the updated advisory, OFAC would view a company’s efforts to reduce its risk of cyber-extortion as a significant mitigating factor in any OFAC enforcement response to a ransomware payment. The updated advisory also provides that OFAC will consider as a potential mitigating factor the reporting of ransomware attacks to appropriate US government agencies—such as CISA or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)—and the nature and extent of cooperation with OFAC, law enforcement, and other relevant agencies. The updated advisory provides that OFAC will consider a company’s “self-initiated and complete report” of a ransomware attack to law enforcement or relevant US government agencies, made as soon as possible after discovery of an attack, to constitute a voluntary self-disclosure and a significant mitigating factor in determining the government’s enforcement response in the event of a sanctions violation.
What does this mean for businesses?
Ransomware attacks and associated payments to ransomware actors present hidden US sanctions compliance and enforcement risk. OFAC’s latest action signals that virtual currency exchanges may play a role in these attacks and will continue to be a target of sanctions enforcement.
OFAC’s ransomware advisories provide additional guidance for victims and potential targets of such attacks, outlining measures and actions victims may take to mitigate potential OFAC enforcement.
This guidance may prove invaluable if incorporated into companies’ ransomware defense and response policies, as OFAC would be more likely to resolve violations involving ransomware attacks favorably when the victim reports the attack to law enforcement, provides ongoing cooperation, and takes additional mitigating steps.