Cryptocurrency Exchange SUEX Sanctioned by U.S. Treasury Department for Facilitating Ransomware Transactions
The U.S. Department of the Treasury announced that it has sanctioned a cryptocurrency exchange for helping to facilitate the financial transactions of ransomware actors.
Understanding the Decision to Sanction
On September 21, the Treasury Department’s Office of Foreign Assets Control’s (OFAC) designated virtual currency exchange SUEX under malicious cyber actor sanctions program for its involvement in ransomware activities.
“SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants,” OFAC explained in a press release. “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.”
By designating SUEX, OFAC blocked all the platform’s property and interests in property subject to U.S. jurisdiction. It also prohibited U.S. individuals from engaging in business with the target, blocked entities owned 50% or more by the target, and exposed persons and/or entities that engage in certain transactions with the cryptocurrency exchange to the threat of sanctions.
OFAC did not implicate a specific Ransomware-as-a-Service (RaaS) operation or another ransomware variant in its designation, which it made pursuant to Executive Order 13694.
The First-of-Its-Kind Designation
In its press release, OFAC explained that its decision involving SUEX was its first sanctions designation against a cryptocurrency exchange.
That’s not to say SUEX is the only virtual currency exchange that have contributed to the profitability of ransomware attacks. Indeed, ransomware actors commonly abuse those platforms to maintain their anonymity while they collect ransom payments from their victims.
The case of SUEX is unique, however, in that the cryptocurrency exchange “facilitate[d] illicit activities for their own illicit gains,” per OFAC’s own words.
Ongoing Sanctions Risks for Facilitating Ransomware Payments
On the same day that it designated SUEX, OFAC released an updated version of its advisory on the sanctions risks surrounding activities that help to facilitate ransomware payments.
The advisory discouraged organizations and users from giving into ransomware actors’ demands, and it urged them to contact law enforcement if they ended up suffering an infection.
That’s the last thing attackers want their victims to do. The Ragnar Locker gang went so far as to threaten to publish their victims’ data online if they contacted the FBI or the police, wrote Bleeping Computer. About a week later, the computer self-help website reported that the Grief ransomware gang had begun threatening to delete victims’ decryption keys if they hired a negotiation firm to help them recover their encrypted files.
The fear is that ransomware groups will end up the target of law enforcement. If that happens, attackers may find themselves in a similar fate as the one that befell the DarkSide ransomware gang following the Colonial Pipeline attack. Worse, they could end up getting arrested—a position that makes it difficult to rebrand operations under a different name to evade sanctions. (Arrests don’t mean the end of operations, however. Take Clop as an example.)
Defending Against Ransomware Attacks
OFAC’s updated advisory came with recommendations for how organizations can defend themselves against ransomware.
One of those suggestions is to implement a risk-based compliance program for the purpose of mitigating an organization’s exposure to sanctions-related violations.
Organizations can also look to augment their email security posture. They can do this by investing in an email security solution that’s capable of scanning incoming messages for campaign patterns, malware signatures, IP addresses, and other known threat indicators associated with ransomware attacks. This tool should perform that analysis in real time, thus allowing legitimate correspondence to reach its intended destination.