For weeks, the Biden administration has been expected to make a series of moves to tighten restrictions on the cryptocurrency exchanges that have become a key part of the financial ecosystem propping up ransomware attacks.
On Tuesday, the Department of Treasury’s Office of Foreign Assets Control hit Suex, a Russian cryptocurrency exchange, with economic sanctions for “facilitating financial transactions for ransomware actors.” According to the office, Suex has been involved in moving illicit proceeds from at least eight different ransomware variants and over 40% of their known transaction history is “associated with illicit actors.” Such exchanges can be used to “mix” or dilute illicit cryptocurrency with legitimate money or evade sanctions that are already placed on certain ransomware groups.
“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” said Treasury Secretary Janet L. Yellen in a statement. “As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”
The move places Suex and two dozen cryptowallet addresses on OFAC’s Specially Designated National’s list, freezes any U.S. controlled assets it owns and prohibits U.S. companies and individuals from doing business with the exchange in the future.
Chainalysis, a company that tracks cryptocurrency payments, said they assisted law enforcement during the investigation and that Suex is a prolific facilitator of ransomware money, with nearly $13 million in tracked payments tied to groups like Ryuk, Conti and Maze. Though legally based in the Czech Republic, the company mostly operates out of Russia, where they’ve also helped launder money by converting cryptocurrency into cash at physical branches in Moscow, St. Petersburg and other locations.
“Since opening its doors in 2018, Suex has moved hundreds of millions of dollars worth of cryptocurrency, mostly in Bitcoin, Ether, and Tether, much of which is from illicit and high-risk sources,” the company said in a blog post today. “In Bitcoin alone, Suex’s deposit addresses hosted at large exchanges have received over $160 million from ransomware actors, scammers, and darknet market operators.”
The company has previously said that only a “very small group” of entities like Suex are responsible for the majority of illegal money laundering around cryptocurrency-based crime, and they predicted the move could cause ripples of disruption, at least temporarily, through the underground market.
“Suex is one of the biggest and most active of those services. Shutting them down would represent a significant blow to many of the biggest cyber threat actors operating today, including leading ransomware attackers, scammers, and darknet market operators,” the company said.
OFAC released an updated memo providing guidance to companies on how to avoid sanctions risk when making ransomware payments. The office “strongly discourages all private companies and citizens from paying the ransom” and recommends investing in cybersecurity defenses instead. In addition to threatening U.S. national security interests. While payment to non-sanctioned ransomware groups is not illegal, companies could still find themselves in hot water if they mistakenly end up paying groups like SamSam, CryptoLocker or Lazarus Group that are on the sanctions list.
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions, laws and regulations administered by OFAC,” the office warned.
There are a number of potentially “mitigating factors” that OFAC will consider when a company winds up paying ransom to a sanctioned entity. This includes “meaningful steps” to reduce the likelihood of being extorted like maintaining offline backups of data, developing incident response plans, cybersecurity trainings, regular patching of systems and devices and authentication protocols.
They also consider timely cooperation with law enforcement in the wake of an attack. OFAC will consider a self-initiated, voluntary and complete report of a ransomware incident to law enforcement and other agencies to be a “significant” mitigating factor.
“While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation,” the office noted.
Last year, FBI cyber section chief Herb Stapleton told SC Media that when dealing with a potentially sanctioned entity, a notice within 24-48 hours of an attack is “very helpful,” as is “basic details” and information that can provide new leads, like cryptocurrency addresses or exchanges that can be used to help track and identify payments.
“I think sometimes there is somewhat of a myth that if you report a cyber incident or ransomware attack, the FBI is going to storm the server room…shut down all the business’ operations and we’re going to take over and do our searches and forensics for the next two weeks, and some of that misconception may be grounded in past experiences from many years ago, but that’s really not how we operate.”
With no clear way for law enforcement to reach these groups — many operate in countries like Russia where the U.S. has no extradition treaty in place — U.S. officials have been forced to get creative in finding ways to disrupt the financial and technical infrastructure relied upon by ransomware groups.
FBI withheld decryption key for weeks in Kaseya attack
The news comes the same day the Washington Post reported that the FBI obtained and eventually handed over a REvil decryption key to IT management software company Kaseya after holding on to it for weeks. The FBI hoped to use the key as part of a larger operation to disrupt REvil’s operations, but those plans evaporated after the group itself chose to go underground first.
Sen. Gary Peters, D-Mich., chair of the House Homeland Security and Governmental Affairs committee, expressed deep concern about the report in a hearing with FBI Director Chris Wray, saying the FBI could have saved businesses millions of dollars in recovery costs by handing the key over sooner.
“I understand we need to both support cyberattack victims and bring perpetrators to justice, I understand that dual task that you have, but certainly I think this committee would like to hear your explanation for the bureau’s actions related to this key.”
Wray said he was limited in what he could say because the Kaseya attack is part of an ongoing investigation, but said the FBI pushes out tools like the encryption key as soon as it can but that “there’s a lot of engineering required” to validate and test those tools before release. Wray did not directly address allegations that the FBI held onto the key for use in a disruptive operation against REvil, but did say that such decisions are “complex [and] case specific” are made within the interagency process, not by the FBI on its own.
“Sometimes we have to make calculations about how best to help the most people because maximizing impact is always the goal,” said Wray. “Whenever we do that in these joint enabled sequenced operations, we are doing it in conjunction with other government agencies, CISA and others, and we make the decision as a group, not unilaterally.”
He declined to name other agencies involved, but said they also regularly work with intelligence agencies on such decisions.
Stapleton identified disrupting the flow of ransom payments through cryptocurrency as of one of four pillars of disruption — along with malware delivery, communication and command and control infrastructure. While indictments and charges are part of that operation, Stapleton said the FBI had “many more options” than it had a few years ago, with the option of taking intelligence or tools gained through investigation and passing them along to intelligence agencies or private sector partners who may be better positioned to disrupt infrastructure and other assets controlled by ransomware groups.
The “magic” he said, was getting the timing right.
“Knowing when is the right time to exercise law enforcement authorities and when is the right time to collect intelligence that will help us in the future against these folks ,and when is the right time for the private sector to intervene and take action on its own, and that’s what we try to work through in each and every case of significance to the FBI,” he said.